Analysis Overview
SHA256
2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7
Threat Level: Shows suspicious behavior
The file 2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 20:55
Reported
2024-11-09 20:58
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocGS\xdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintVO\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocGS\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocGS\xdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
"C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\IntelprocGS\xdobsys.exe
C:\IntelprocGS\xdobsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
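Every row in the Network table above is a PTR (reverse DNS) query under in-addr.arpa sent to 8.8.8.8, and the table carries no process column, so it does not say whether the sample or the sandbox's own OS traffic issued them. The name encodes the address with its octets reversed, which is easy to misread at a glance. The following is an added example, not part of the original report, that decodes each query name back to the address it asks about and labels its scope; the input list is copied from the table and the "scope" labels are this example's own convention.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed input: the Domain column of the behavioral2 Network table,
# copied from the report for this example.
REPORT_PTR_QUERIES: List[str] = [
    "8.8.8.8.in-addr.arpa",
    "228.249.119.40.in-addr.arpa",
    "73.209.201.84.in-addr.arpa",
    "68.159.190.20.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "56.163.245.4.in-addr.arpa",
    "241.42.69.40.in-addr.arpa",
    "172.210.232.199.in-addr.arpa",
    "88.210.23.2.in-addr.arpa",
    "0.205.248.87.in-addr.arpa",
    "48.229.111.52.in-addr.arpa",
    "6.173.189.20.in-addr.arpa",
]

# A PTR name under in-addr.arpa carries the IPv4 octets in reverse order.
PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$",
    re.IGNORECASE,
)


def ptr_name_to_ip(name: str) -> Optional[str]:
    """Return the dotted-quad IPv4 address a reverse-DNS query name refers to,
    or None if the name is not a well-formed in-addr.arpa label."""
    m = PTR_RE.match(name.strip())
    if m is None:
        return None
    candidate = ".".join(reversed(m.groups()))
    try:
        # IPv4Address rejects octets above 255 that the regex alone lets through.
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:
        return None


def classify_ptr_queries(names) -> Dict[str, Dict[str, object]]:
    """Map each decodable query name to the address it names and a coarse
    scope label: 'private' (RFC 1918 and similar), 'global' (publicly
    routable) or 'reserved' (everything else, e.g. loopback or 240/4)."""
    out: Dict[str, Dict[str, object]] = {}
    for name in names:
        ip = ptr_name_to_ip(name)
        if ip is None:
            continue  # skip names that are not reverse lookups at all
        addr = ipaddress.IPv4Address(ip)
        if addr.is_private:
            scope = "private"
        elif addr.is_global:
            scope = "global"
        else:
            scope = "reserved"
        out[name] = {"ip": ip, "scope": scope}
    return out


if __name__ == "__main__":
    for name, info in classify_ptr_queries(REPORT_PTR_QUERIES).items():
        print(f"{name:35} -> {info['ip']:16} {info['scope']}")
```

All twelve names decode to publicly routable addresses. That alone does not make them the sample's traffic: the same detonation platform generates background lookups of its own, so the decoded list is best compared against a clean-run baseline on the same image before any of these addresses is treated as an indicator.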
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| MD5 | 06c5f346610ca58f13c614d7c3dc7763 |
| SHA1 | 7a4174e2ee7677fbf52bde20cd992812e2217d6e |
| SHA256 | 10af2c834476d33b9928aec51f876d2366d46d3e27a99a842bdd0b3ad9e18e63 |
| SHA512 | 32a7e4021b183e29ead8b4ae12a0cee7eff36a3689010b27d4cf6200c9bc306affe093d060dad3b20bbb37543a99a24612469eae0f61a7489feff6da644c5d1f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 10209582701a00f1eb4d6571a2d9c8a0 |
| SHA1 | 37b71138880a48e7b4fb1878806cda7a84e206ed |
| SHA256 | cc6c92045f3e5232fb6a423fa9f6081b1d890e5e685347d2f550af573cd2209c |
| SHA512 | 1ea37b95a99ab790f6dd2a4bce73ea9808f4b4bbfc8fc643591f221f4484c3286b0b22b857a513f66dac0fd39065a51369a25523bd7d8582b3d3e09a57fad6a4 |
C:\IntelprocGS\xdobsys.exe
| MD5 | 001678ed2caaac502a1f43861a7bb520 |
| SHA1 | c4be4dbcc56ddeb94f2a9d0cf8a708fbf65b2250 |
| SHA256 | 0daafb97a99c5963cd974669d23ad9ffc66baf93352389b7ee855dc7f7d2e803 |
| SHA512 | 932e61d89afe43b28a6d7cfeb844d21934bc83351c712ed8331c4742803ac3da9aa355ab271bbc65435ca72a3a8328b18a14c45ba4893a14da26e24d503c7bf8 |
C:\MintVO\optidevsys.exe
| MD5 | 005d7f2bdadad253ebb2a009399b3c7c |
| SHA1 | bfd1ee4b9fcb7b8c3cd75e90c01e51e4760da6b8 |
| SHA256 | eb038adbffbbccf217928a650d6d1157b3a596b673e0945802d9e691331ebbf0 |
| SHA512 | b6b762d5b61e1c5de05cd69d78266c4da54201e1ee3adfe26999c0b888e22d7a4aca856625d153711dbce0b286402e5a082e6db0ad532371932951a28665737f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | cedb5fb349ceff525093d516e99e0e80 |
| SHA1 | d938e3768051e563fe5dc21854af479062790b0a |
| SHA256 | 8b2e49c7bfb8988a95a03c4f89b861867ef38ad64a5228c3b279aeb1641df1d8 |
| SHA512 | 43c9832f93f33e93574e5916b1553327b44647adbb271f409e680095677533e3325b270dab5aa44fd5b999c5acf4c2cb36e1f85b58c8550837e06ec781bdd7de |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:55
Reported
2024-11-09 20:58
Platform
win7-20240903-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\FilesE7\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesE7\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9D\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesE7\abodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
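Across the two detonations above (behavioral2 on win10, behavioral1 on win7) every dropped name differs: ecdevbod.exe / IntelprocGS / MintVO on one image, locxdob.exe / FilesE7 / Vid9D on the other, with different hashes for each file. What stays constant is the structure: a Run and a RunOnce value both named "Parametr" pointing at an executable in a freshly created directory directly under C:\, an executable written into the user's Start Menu Startup folder by a process running from AppData\Local\Temp, and a `<digits>_<osversion>_<user>.ini` file in the profile root. Hash-based indicators from this report will therefore not carry over to the next run, so the added example below keys on those recurring shapes instead. It is not part of the report; the event schema (`type`, `key`, `data`, `path`, `process`), the severity labels and the "executable in a root-level directory" heuristic are this example's own assumptions, and the two benign entries (an OneDrive Run value and a notes.ini write) are constructed negatives.

```python
import re
from typing import Dict, Iterable, List

# Path of the submitted sample as it appears in the report.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe")

# Constructed events shaped after the report's Signatures and Files tables.
# They are test input for this example, not sandbox output. The OneDrive
# Run value and the notes.ini write are invented benign negatives.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "reg_set", "process": SAMPLE_EXE,
     "key": r"\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "data": r"C:\IntelprocGS\xdobsys.exe"},
    {"type": "reg_set", "process": SAMPLE_EXE,
     "key": r"\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "data": r"C:\MintVO\optidevsys.exe"},
    {"type": "reg_set", "process": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file_create", "process": SAMPLE_EXE,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"},
    {"type": "file_create", "process": SAMPLE_EXE,
     "path": r"C:\Users\Admin\253086396416_10.0_Admin.ini"},
    {"type": "file_create", "process": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\Admin\Documents\notes.ini"},
]

# Run or RunOnce value under CurrentVersion; group 2 is the value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# "<drive>:\<dir>\<file>.exe" with exactly one directory level; group 1 is the dir.
ROOT_DIR_EXE_RE = re.compile(r'^"?[A-Za-z]:\\([^\\]+)\\[^\\]+\.exe"?$', re.IGNORECASE)
STARTUP_EXE_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# <profile>\<digits>_<major>.<minor>_<same user>.ini, as seen in both runs.
INI_MARKER_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\\d+_\d+\.\d+_\1\.ini$", re.IGNORECASE)
# Root-level directories that legitimately hold executables (assumption; extend per estate).
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


def triage_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matched rule. Severities are this example's own."""
    findings: List[Dict[str, str]] = []

    def hit(rule: str, severity: str, evidence: str, process: str) -> None:
        findings.append({"rule": rule, "severity": severity,
                         "evidence": evidence, "process": process})

    for ev in events:
        proc = ev.get("process", "")
        if ev["type"] == "reg_set":
            m = RUN_KEY_RE.search(ev["key"])
            if m is None:
                continue  # not an autostart value at all
            if m.group(2).lower() == "parametr":
                hit("run_value_named_parametr", "high", ev["key"], proc)
            d = ROOT_DIR_EXE_RE.match(ev["data"])
            if d and d.group(1).lower() not in KNOWN_ROOT_DIRS:
                hit("run_target_in_root_level_dir", "medium", ev["data"], proc)
        elif ev["type"] == "file_create":
            path = ev["path"]
            if STARTUP_EXE_RE.search(path) and TEMP_DIR_RE.search(proc):
                hit("startup_exe_dropped_from_temp", "high", path, proc)
            if INI_MARKER_RE.match(path):
                hit("profile_root_ini_marker", "low", path, proc)
    return findings


if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']:32} {f['evidence']}")
```

Run against the constructed events this yields six findings: both "Parametr" values, both root-level targets, the Startup drop and the .ini marker, while the OneDrive value and the notes.ini write match nothing. The root-level-directory rule is the noisy one; on a real estate it needs the allow-list extended for whatever installers legitimately put a top-level folder on C:\.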
Processes
C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe
"C:\Users\Admin\AppData\Local\Temp\2e68762a037b701318975efa494a1ef36ca2516c92c3603024d3613b13a9d2a7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\FilesE7\abodsys.exe
C:\FilesE7\abodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | e538c5b2ae4ef7159d430b149a46bae8 |
| SHA1 | b7edf37155c2889eeb08ab2db3eae447985ceea0 |
| SHA256 | 202cac51887c7853421e3ef163da2126d8b233801c3d73d54275c0f5de03f497 |
| SHA512 | ea5da3192b6ad903d3eb3298eb87420760a84dc2f8552d5ad7b6b10fdcde09e57c26b56a71888e8e3801b9e67505147506aac31fb9fbf06c85968162b30448f1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0cf379b8a788f24c886168a4b0ab0667 |
| SHA1 | 50f83fb912415bb3e897dfe558071429e6791e13 |
| SHA256 | a457df7bde4e48561fd87e9fca3df7044fc3a9a924568fe38615c45cee958741 |
| SHA512 | a722db24992af509c55f09c923e803be385b5006fdc494bfbfa45855b819afafb34305de35d5a7adfa292e453aae9f257debc8dae9362bfce7b8f41e4afc4d3b |
C:\FilesE7\abodsys.exe
| MD5 | c008f82098d0fc86d6d97b06931ed1e9 |
| SHA1 | d6ff2bf29202294dc3d9f0b5cea1c43d597456a8 |
| SHA256 | 9a782330ee77bf9befd1b459ec49cac1d8fad95f90899dd703ed854109200c0d |
| SHA512 | 3d7711f384bef8cd8202edda611ac0c4bd5e7c71fe62510beff7d57952eb68523599dab94a584c25935a66915791d04d51b4f7b842ccb6ac9d41eef7a19acde5 |
C:\Vid9D\dobdevloc.exe
| MD5 | 2eaea640c6ca3c6436663edd759a3c1f |
| SHA1 | 616234afae3afee7e55ba7f2c3e57c4253bd8fe8 |
| SHA256 | 4f36c8304845010c35af64302515f4d08c93924c9075c6421437b92e267442c3 |
| SHA512 | 648ff818cd55cdb6304b895925336ef78aa14393d19064e71a42677edbb67cc79ead803d5ee867ee61f894df7895904deb6a1f48c7e83faf5dbd878842270dce |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 694ce1056ba8e3b8b3c1d6fc30ecb7b4 |
| SHA1 | 0d390eaa282c51d3bd94ae4e1ed2c6c91d669f1a |
| SHA256 | 14fb9cb969e4ca1dd6e494baff55de93475eacecfd23b75f4106f0ab901653d8 |
| SHA512 | c4e4f18a22029e489eca4a034db2820be796dceafffd2922d59edfd9258fc81e77ec077d5ada8e64e2c6813fcc97a52830d787197ae5635c64528429c61588e2 |
C:\Vid9D\dobdevloc.exe
| MD5 | 0019475ee865cecb0012b5ae9e8b2645 |
| SHA1 | 1aa62475d2857430fb9515238eb0e3b18968e225 |
| SHA256 | 6584feffc09cd03a2f75c80a3d36463d8e7e18993485ed822b030833a6917c0a |
| SHA512 | ddba0e3a0549043f1205ad8b68770c3e260b7d5c5d8b8bcc5376bbee3d8f892bbe63e64ebfec2b403bb3e66f7392a9bddb0dff66147cbff812af3458e908dd03 |