Analysis Overview
SHA256
a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffb
Threat Level: Shows suspicious behavior
The file a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:25
Reported
2024-11-09 22:27
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\UserDotVT\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVT\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidCC\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotVT\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe | "C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe" |
| C:\UserDotVT\devoptiec.exe | C:\UserDotVT\devoptiec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| Hash | Value |
| --- | --- |
| MD5 | 988238cec2910d4cbe2c23a58ed84704 |
| SHA1 | 908adef8d7dd2d864427abc7ab57434b56b83eaa |
| SHA256 | 69a1694ce86407fb63fc16dbff0ab64b0060a64c94e699eb7cbba5a358142704 |
| SHA512 | 12b8bebfb8c2009c684f2e3d864ed996d400addad7e90a543c5576aa05ebcc5a461757fdcc3276d62c3d8ba35509e1ee2d079f6bc8bd415effe77bc7bef8d47f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | cd99aa6bee79499b7d8057557821b1d4 |
| SHA1 | d2a0b59180bc34f89e0c636803a7bbd89b2f85f1 |
| SHA256 | 39147b9f95c137a5191bbbe0f497270e218f66d8a1df65afc58d7274085f3316 |
| SHA512 | 675fd155a6770f5f16fdd24673e597194575f2232fc2f96be86dae5f3494f9cd2755e9768cb75411bba33b0a556b10c8425e4b7a9016b907f3be92643c512304 |
C:\UserDotVT\devoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 636630995a7f5f5f670f0a0aa8eab3d6 |
| SHA1 | 8c743db4e9ae9d74c041cbe07728d7247bc9255a |
| SHA256 | 10a4972cfd6f5828af515760fb2cf0040943616fd1b6121a7ad88ec82413b1c5 |
| SHA512 | e183bc36c995292675cf2d62cc7581bc66bd3b406e87f71c88bae116b7e6bd10bdc8c5499db3809bf2278ffb49f7385d48b350554deb40d5f2394404f9c9a9cd |
C:\VidCC\bodxloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 550ec5e8318f6d7b6b09738f663133bc |
| SHA1 | bad2b12728b242f359aa749ca0e763723dff68d8 |
| SHA256 | 9c5648d2223d2b60f05a5d2dfa5f66f16ef101f480c826123d28ba42e3aebc4c |
| SHA512 | 242248f52e1ed826b0adaf7eb9430b6b17b927e3fb5a0fe491c16a3f6e49d4d710d779c38621975cdd88d99166d92bc7c47633c738fc9426a311da9eba9eee54 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | da60d968c941b287d3c3732e0b29717d |
| SHA1 | fef291f9729db6bd1c6619dbd1e0d25030983859 |
| SHA256 | b029b4eddf4a05c12b256a3d85ac8d987cb95cc93402e99f58eb6099c7bdadd4 |
| SHA512 | 35fb73465e94936630faca9d1dd90a310974bd6e0eb4fe5ea0829fca8e5a86064e60a94e2d3d10becbfc0e1df6a08b13ec226805a44357fe3f3e829597a9f1c2 |
C:\VidCC\bodxloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 48f88535a4a34a1ec0d374e407d95ae1 |
| SHA1 | 6e00abc0953a958c845c82aa579b633b1937f469 |
| SHA256 | c37133591e8fe1a8c618c79cd2f84ed05b3bb1bc3e9fe49ed71f990a1a2f1579 |
| SHA512 | 14481946e2ab62713da05227a47ad703cf247d5df74a771cd08c89b3ea348c42ac8fbc833732572b76eb0c326a69e6a3aafd84f6d90f7110ae8d483f0b807283 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:25
Reported
2024-11-09 22:27
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\UserDotKY\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotKY\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXL\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotKY\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe | "C:\Users\Admin\AppData\Local\Temp\a0297986fb5bde80ac5da55eb988235bac0770c9dd62e7d76474e511115d6ffbN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe" |
| C:\UserDotKY\devbodec.exe | C:\UserDotKY\devbodec.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| Hash | Value |
| --- | --- |
| MD5 | fa5f629a0d0d69ee11dbc52d98a882f6 |
| SHA1 | e95eac2567c31bccdcdeb96bd9bde91ac68ee5c9 |
| SHA256 | 5169ecb1edfc98e0da7246e7f478317fdb75ad408ac986c2a2583d3717308418 |
| SHA512 | 5ecd8499183bd80650cb192fdea0bffb986f07f3482f8c9a7ec83a340b596d34d767f38a6d3d19bc35c80099199f5b90f13b67b82d68cf8f8859c826142d14bf |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a3f49e354fb9ba49d2827a731aebe900 |
| SHA1 | 1b6677e7b905e4a15c65eea17f40d8d4e84ec762 |
| SHA256 | e81e514f31cf47b0e3d1be89d12262e1ef1fce3f50c46d651ab56212d4a155cb |
| SHA512 | 8eeee947ea34c236b60f30e9cc035e472ffd87940183e0db15fc71eb2c7e55ed324736484f93211978b87b833a1267683844a657b9593d3b2aee286b8917a141 |
C:\UserDotKY\devbodec.exe
| Hash | Value |
| --- | --- |
| MD5 | 9ad1403bef214842c3dcd2d0f1a19978 |
| SHA1 | 61227341a282624856abe3ce21bc25be1a1e4b42 |
| SHA256 | f5d4ab9f731da9b7ec4d4420cc38f746e0cc52c4bcf604e6b47b3b072f531e23 |
| SHA512 | 5d18c101b59164ea12c03d5a230bc95578f1e754007b47656db2311b2a6eca7cb1894cad98d604e970e8b200e0b652bb6c3592702f12b841a9b302339500641d |
C:\LabZXL\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 11350e9390bad12cf9e9b683224776a8 |
| SHA1 | 2024d456e520c7c54678abe371a753f8013b4ece |
| SHA256 | f42b2d285e92c0d5e5fabaed601223331b8f5f8a663481e62a9cf81f6aa0cb0b |
| SHA512 | 461590d741d6b672bcbdb48a444f54fd765361525b4ecdea8355aa3a8f426b4b583e3d093132e3aaae65464f06384f872f7c30135fe427b62ad7a80317864bf5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 53aa99e8a7f3b76d605f75eca4dd0f87 |
| SHA1 | bae3ae04de71c548e7800dbd5c64c79e3801423b |
| SHA256 | 295b9457fae5c3c5d67754121be96f2cc51a8ece655bd6aa154c9ef1d8e59700 |
| SHA512 | 78752c52af68fd20639bb267cc572f252789fe2acc9d2dbb3877d11249fc09d15e3a5cbe639263b4fb3ca26a0b36727552707fbbe548b825f2a66663ae22bd7c |
C:\LabZXL\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | cb4821163d0afc6b8a4619d0a924f410 |
| SHA1 | c5adf96fd83cf8c7e12746fedac8b6eb6c28717b |
| SHA256 | 6e02ea2aae74d65c4c899cc34686745031bcbd78319297f1b71b7ac68ace95bc |
| SHA512 | 3f90ebcaee4fa757cb80902a5281e426aea04eb8edf25e9883ed237260af7b10eac50269ebb34e63df54a718be1ea466463d9f1cfe974b2689e757c27a97dbad |