Analysis Overview
SHA256
610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d
Threat Level: Shows suspicious behavior
The file 610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 22:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 22:57
Reported
2024-11-11 23:00
Platform
win7-20240903-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrv2Z\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2Z\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6P\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv2Z\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
"C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\SysDrv2Z\xdobloc.exe
C:\SysDrv2Z\xdobloc.exe
Network
Files
C:\Galax6P\dobaloc.exe
| MD5 | a223736ed80e0a7232fd84363d72159e |
| SHA1 | 5d92e9a95a108d4a24ed79a76e12641b61bc48bd |
| SHA256 | 3c9eb4ac5a1a9b279786a3c6cb86270e38d86eb3c175be5043b53064eb2a61d5 |
| SHA512 | 36a441ab570e8ba4ddd901d1303022db5254b5829f3851d2940ff574a52475f2740194124c9eb12ae7af454277d4d487cf8e9381dedae5b3a72f6f71079da88e |
\SysDrv2Z\xdobloc.exe
| MD5 | f1f58172ab1e5f1c97761f7fe51a69a6 |
| SHA1 | 2e82b9bd4ea7587dd2e23c49ad60b99eceda6caa |
| SHA256 | 9485b137e283b11e7570dbbb77927b1943ab82b8d671aee1ea369f1518b17257 |
| SHA512 | 6ae73ac695924c0b4a2ad05e6cc1cf6082cd858d83ab12a483e597ae7128882f046390671148d584f2bff285290e80fd561f55c151aa7249c03fb65f0f3d39c6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 3cb3b34ead24b4a4d18561f04615be49 |
| SHA1 | abcf579228874d95ce72f4b724ce9605e638e1de |
| SHA256 | f25b2d94d1710eb4bb3a89fe64415357309160ec79afee8c307fc0c7d0779e5c |
| SHA512 | b877e6028e5d24e0394f3d49061de75e3d204d154accf4cc804dcb90c6d84a06b1c7440f2e6eb270e1faa28a36c1e6cb6d03efbda94e7d09d45c6a8e7e7c4330 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 076908e3dcbd24cfb4b7a09ec43ce944 |
| SHA1 | e3d7f1d401d7aa73f60bd4e842c18d1fb42abfe0 |
| SHA256 | 6a16ca8e6a8bd87dedd2fb2f49b163c0456962ee0aa97a91bc3d60fcaa5dd554 |
| SHA512 | 63813fd32a44f6e14d02f00c0df1962356cd5dd1044368b976de642e034c4c942bb25933b2b4548b9adaf27077e3c86d1285a80c16cc0e4d4295caf698968bf2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3741bcecea467d1bc89332f54f8b83e9 |
| SHA1 | 88111790410d133e55fd424968f527ad23ae6198 |
| SHA256 | 32cb63a03b9491cbd7013842d00554330485bd54e56131d9fefb5d82f13eac4c |
| SHA512 | 7868c37d74603b1d6ad6a5b86f3095252d72ffede5c0cffb8636b151d0426875822602e9e1f1c6153c07051b799721a0cbf23421feab4b872cf3ee181bf072d7 |
C:\Galax6P\dobaloc.exe
| MD5 | b6beec8d83448f23b019412fb0c69858 |
| SHA1 | 39f4358c7e4f05960b5a0691576cc2c28a4d7514 |
| SHA256 | e810ce628ff366ab4c7bda1179f6750712f5b540293e4408332f5cde89572533 |
| SHA512 | b382f71a333380d7bd9bda9f9e309d5ed70db2be3a2da525d29fe5cfcaa89909f26aeb2b88be86b5e428fcc4714237dedfc9da8597b48d9825444d07c00563a4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 22:57
Reported
2024-11-11 23:00
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\FilesS2\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesS2\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBB0\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesS2\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe
"C:\Users\Admin\AppData\Local\Temp\610eec7999c0e8eb7662f66738a149802db9054cbf732fb8bb2121bec709ea2d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\FilesS2\abodloc.exe
C:\FilesS2\abodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | 481070519ae3f39fc57b00167d8f20dd |
| SHA1 | 599963b1e1c6914f1051c25ff32b6a6d38a78a40 |
| SHA256 | e15b312d4f9cfe47b948e5690a17608040a30aa6e02ebbfbf3a58125003f8f7b |
| SHA512 | d4077a86d8f7fc96c3c4292952899d74813a0a031ac4977d0eecdbf698aa0c9e83bd66a9640f04b1db1fac2f1f7f11873c110e0977b47a045f740e5d3a731d44 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 78af4d46f75e73957194c7bc28e813bb |
| SHA1 | 4b9702842c37845813c09215203dad78595a71aa |
| SHA256 | e63c925d5d0b40266e12016a780a585385bbf1cec208fc87754b93b840e09944 |
| SHA512 | 9808df8deb3f731735bc5991ac3de4e4c12c6fed21bcd86a824efeb1add26236048f96e80ad180f8bf22617ac795cb141125b1b57565d0a20be10427577af40c |
C:\FilesS2\abodloc.exe
| MD5 | c8190a91500bb1d9caa61e3b11eaf128 |
| SHA1 | ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684 |
| SHA256 | 6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e |
| SHA512 | bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b |
C:\FilesS2\abodloc.exe
| MD5 | 586b9bdb34197526061b10914b2dfa7b |
| SHA1 | 78db242714b5fe1e1cc13d40084c748832f037bb |
| SHA256 | 4ee727b979c8e4e986e6f0fee69d8055a8b0b4db5443a6a1bde26a5151f20042 |
| SHA512 | b4173a599647bbb9d7bf012f4208cc72ff326f3a6e2ae37484cbf4c119005cfe75e480be4b485feaafe8c6ebdbda685849076261e0410d76ca7dfd4b9473e92d |
C:\KaVBB0\dobaec.exe
| MD5 | fabed5f7f88b4a13753523a4c8bcb6e9 |
| SHA1 | 7bd70e85cf43f0f5794ce5055a4a413c46472163 |
| SHA256 | d8fbb735ff4160769fe16acd49759028fed5c8e161665e89075ecce6ccbf537f |
| SHA512 | 4720ac31917e0571b436d13913fd79a9c4d4744306c82ee322985fbe2c834d8077072a699d14007e3db71565478041cf6020a808d9b59bd2085c9ef9d0f7140d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ed332a2f80ee8042f88fd887386ab600 |
| SHA1 | 7d03d26ef16806a5040b89bf5ca7e0b77e922bce |
| SHA256 | 9d77ba689b61f0e801c78f5754be585afe43459ca89cb227620b78c51755773e |
| SHA512 | 209b4aaac042c45806710b96ecddf78f031c413004da7b8be24ed9f54bd90a325630c1479207420a8f932990cc14e49d026d5b2d516d484d783df0992afe19a4 |
C:\KaVBB0\dobaec.exe
| MD5 | 3df976d93d72a84a5d4bad281bf4bbf1 |
| SHA1 | 5b8f34f1464f72d0bd50d45b10e88c6da5ce0052 |
| SHA256 | 5de4cbd153bb554c80b9424f08ddd749c745ab9f15d339bbe9098148af0b69c0 |
| SHA512 | d5415af3045b6dc3bedfaff04959420ddc45dd0018d843cf8ac7e4805089ef30a52345f060c1b97f3106c0a00c76f39444d9a26ba5bd508df9bc38a538b4d05e |