Analysis Overview
SHA256
a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e
Threat Level: Shows suspicious behavior
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:23
Reported
2024-11-10 01:26
Platform
win7-20240903-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\Intelproc9S\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc9S\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidI7\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc9S\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe | "C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe" |
| C:\Intelproc9S\abodloc.exe | C:\Intelproc9S\abodloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Intelproc9S\abodloc.exe
C:\VidI7\dobxsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:23
Reported
2024-11-10 01:26
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
139s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\UserDotH3\devdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAI\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotH3\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotH3\devdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe | "C:\Users\Admin\AppData\Local\Temp\a6e3d544dbaf0dd0e661fb4fd8933311ad4be7f083576aeae2f7b8612d385e2e.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe" |
| C:\UserDotH3\devdobec.exe | C:\UserDotH3\devdobec.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
C:\UserDotH3\devdobec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\VidAI\bodxloc.exe