Analysis Overview
SHA256: 619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80
Threat Level: Shows suspicious behavior
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-11 22:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-11 22:59
Reported: 2024-11-11 23:01
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 123s
Command Line: (none shown)
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\AdobeGU\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGU\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3N\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeGU\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe | "C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe" |
| C:\AdobeGU\abodsys.exe | C:\AdobeGU\abodsys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | c85addf524606f6e1a4feccc049e4b85 |
| SHA1 | e8a52b8719d7c2670e84b16d9f9954bf4ea343ff |
| SHA256 | 05a0fcba877f8abd6eac6eb2d3afc0da100a1e1417beedffe7f3194736f2b375 |
| SHA512 | 9a748474d2e92bf403a0fa49214f62df455f716255d5cf5ecd53538794783ababb665de1474b75e0cbaff618dc58596af807752e791234c13ffe02b3d87df613 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3c658ed1dc203f73d1d7a271d6f6afc0 |
| SHA1 | 5e5b2b68e41203cc8a607e46becc434133a40cea |
| SHA256 | 9cb4c9a378309ae3c242e523f6d99e6873a2229c67c5ac80ce90424c5e1c810d |
| SHA512 | 0cea844296e371120a3dc872ad5d6c93824cc5cc8e0d28545b671a79b14a8b4e798e380e9acb5b2c47bca43f3d3883a8870d40a6708a7c434fd3ebe68c31aa0e |
C:\AdobeGU\abodsys.exe
| MD5 | 2cd708e4ff32e3d09dc1c9c7e6fd416b |
| SHA1 | 547c651fd3428d0baa9116226bce1e4a40eeb4b2 |
| SHA256 | 7158a3da685cd247f87dc181470fea0fe6d8a5c38239cbc5bc276d03e77f36cc |
| SHA512 | aa89316be22d759a8e4a0d6af16920eed8405356bf0a569c914c4897505ba1cb83c43e27599c1b755a67889c5e8ced7d05ea1b93e516e0b0aa65b40f4ae70a63 |
C:\LabZ3N\bodaloc.exe
| MD5 | 57c7395c5235304b8a9c4dfdb0be6bb6 |
| SHA1 | ad0d1cf780f78e82fd5d1d1e044596369610acf3 |
| SHA256 | d8ecf665fbf945c90de70193765594e2ec06b0f3032954a720c2049176bbc6c1 |
| SHA512 | 021f5b5af0fd06c0aa0b68ef0ee7096725c0d27dd43cd0e4f46f54d2708adb13102ca4ef9ea20a2b82672dd0bddeec563120d2a3fa2c089ee3907029af255cc4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 29c830e5fcc11d1d79c20d11d4c48c39 |
| SHA1 | 9ad39cbae20a0aae3349d3e1efe61b255652807f |
| SHA256 | d0e96fe42fc7b092d31fc9ed375dfebfb886e750d8f762da56aacbeb7d603313 |
| SHA512 | 429dd0c384dc474170009a93e02d93b2a56f7709435f63502f77a185754fecdae6cfe385634c3e9157e5681fa17cb1b1413ecd448ea5bb8dfaaf897e51f57294 |
C:\LabZ3N\bodaloc.exe
| MD5 | f24c0b6ad669a42c1544e3835b44b614 |
| SHA1 | 797b32edf1887291ddada0d431bb429d9347b586 |
| SHA256 | 5ec8f77064db9fed8be72e518c3a83ef900aaeb511f32462b15cf57bdf9fb855 |
| SHA512 | 48e9bbcbcdb69e0501f03878af52b09dcdbcd5c866fc31ba01d081325ff33d2374bcbbcc97487c1f1f4c4da3685d1a36133e367ed161838428a01277684468b6 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-11 22:59
Reported: 2024-11-11 23:01
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 150s
Command Line: (none shown)
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\SysDrvXL\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXL\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB9D\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvXL\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe | "C:\Users\Admin\AppData\Local\Temp\619202d2778f0e62aabe87beaaeb470cd53e2451b69689a8d9989afbd2700a80.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe" |
| C:\SysDrvXL\xoptiec.exe | C:\SysDrvXL\xoptiec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 610aed4d2a02e31c74c8b59649f7807c |
| SHA1 | 0f7f7b11eab6c8c5f0a29550faf5be5b10b509ad |
| SHA256 | 1b0b5c4bdc072801bb8239681281129506eafa1001de20237c59e6e40475d4d9 |
| SHA512 | ca316d4a14249de64a8998a7b25ce6f48f40538f962a0f97a1e2172d5609b9f3e11f10d6605de62e4794eeb7c3c5ccab4540bba1bcea3d07f41a0c43e2680b3e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a15e5d8d21dc32a7be474afbafa56b49 |
| SHA1 | 677fa3409f5821d0347666b4a7d12e8df52545b9 |
| SHA256 | e3e3feec800d63dc05af01f7ca95b93c02d9f599bd7b73564ce164be4cee4b2b |
| SHA512 | c464733cb45d871b711195712c90657506840e53b83c58a003f410f018af7e98e5a6285a3eec294cd67590261cc8dd8f3f2a4a1618b35e82c52faec8ff4d5dab |
C:\SysDrvXL\xoptiec.exe
| MD5 | 9c51f5867980da5ef74c551c64fc3141 |
| SHA1 | 43a66c047b4aa05f992fac3efd20fe0a4f28d291 |
| SHA256 | 0f38b67e03ba42936b6d33031c77b85244385529381551ba83eefa13263f3cc3 |
| SHA512 | 29615a68fa0e36ce527546a06f48c9e83e1929deb8532d89a9dc5e59d698884e35c83bcb52882a172cf42bae5b06441d2bef836c9c7c6548e5418b635626be80 |
C:\KaVB9D\dobxec.exe
| MD5 | b3fe316653a050c97979922b587a6f40 |
| SHA1 | 6e265faa92cc6ec9ce3d902dfabcc5890e3207e5 |
| SHA256 | c2454c2e86bfc377d9bd8f87dbc6d226c46af1c63d9d256f0a3dcaa2de34dd4f |
| SHA512 | 5f29a7ca83560afa6682e8abd6be6cc4b359a467586e40677bea68f7a93d5ab74236d866af1dc3b61a941f08b8a104da4549c5ce7f401e78565ceff62b491693 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 661695a8229b21f5ef9b948fcb18a3f7 |
| SHA1 | 44a29723945a010652adb65093023a1f6505dd52 |
| SHA256 | c17fae0c01415e1691dc78813577d6f87b08889e3c44c9a507a1ddb51e3bc963 |
| SHA512 | 14f0920d0106545704cc40a7ecf2693397c87452da0fdb676726dd7a3f6a61231b311621958f2c626f2cc0f4d1c2128d8b01949462086246d803f11722de86c0 |
C:\KaVB9D\dobxec.exe
| MD5 | ce1e4653ab125653cb8daee5ade3db99 |
| SHA1 | e5cd3fb67d670398b35863c7dea12cb972571397 |
| SHA256 | fae9d95858e344767a41f67f5896eeb04291338e6ae607a0c2b60569b5b32546 |
| SHA512 | bf6d81338a530263db4fa8b280fa91134dd496102d86afa3c21a9ce3565d070b392732bbcf1563e3befa1b9ef96cb7a4608bd9f2e3e8d316a45c83121b2610ab |
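The tables above are what the sandbox emitted; turning them into something a responder can act on takes a little normalisation. Three things are worth noting when reading them. The Run and RunOnce values are written under the same value name ("Parametr") in both runs, but the drop directories (C:\AdobeGU, C:\LabZ3N, C:\SysDrvXL, C:\KaVB9D) and the second-stage file names differ per run, so the stable indicator is the value name plus the startup-folder drop of ecabod.exe, not any one path. The Files section lists the same path more than once with different hashes (the .ini file and the RunOnce target in each run), which means those files were rewritten during detonation, and the .ini name embeds the OS version (6.1 on the Windows 7 run, 10.0 on the Windows 10 run) and the user name. Finally, the Network table for behavioral2 carries no process attribution and consists only of PTR lookups sent to 8.8.8.8, so those addresses should be treated as unattributed until tied to one of the sample's processes. The script below is an added example, not part of the sandbox report: it parses the indicator strings copied from this page (constructed inline), collapses the sandbox's doubled backslashes in registry value data, converts the in-addr.arpa names back to the IPv4 addresses that were looked up, and flags paths that were written more than once with different content. The helper names and the output layout are this example's own.

```python
"""Extract machine-usable IOCs from the sandbox signature tables on this page."""
import ipaddress
import re
from collections import defaultdict

# Indicator strings copied verbatim from the behavioral1/behavioral2 tables above.
RUN_KEY_LINES = [
    r'\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGU\\abodsys.exe"',
    r'\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3N\\bodaloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXL\\xoptiec.exe"',
    r'\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB9D\\dobxec.exe"',
]
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe",
    r"C:\AdobeGU\abodsys.exe",
]
PTR_NAMES = [
    "28.118.140.52.in-addr.arpa", "74.208.201.84.in-addr.arpa",
    "68.159.190.20.in-addr.arpa", "95.221.229.192.in-addr.arpa",
    "228.249.119.40.in-addr.arpa", "232.168.11.51.in-addr.arpa",
    "200.163.202.172.in-addr.arpa", "241.42.69.40.in-addr.arpa",
    "172.214.232.199.in-addr.arpa", "0.205.248.87.in-addr.arpa",
    "13.227.111.52.in-addr.arpa",
]
# (path, sha256) pairs from the behavioral1 Files section, in page order.
FILE_HASHES = [
    (DROPPED_FILES[0], "05a0fcba877f8abd6eac6eb2d3afc0da100a1e1417beedffe7f3194736f2b375"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini", "9cb4c9a378309ae3c242e523f6d99e6873a2229c67c5ac80ce90424c5e1c810d"),
    (r"C:\AdobeGU\abodsys.exe", "7158a3da685cd247f87dc181470fea0fe6d8a5c38239cbc5bc276d03e77f36cc"),
    (r"C:\LabZ3N\bodaloc.exe", "d8ecf665fbf945c90de70193765594e2ec06b0f3032954a720c2049176bbc6c1"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini", "d0e96fe42fc7b092d31fc9ed375dfebfb886e750d8f762da56aacbeb7d603313"),
    (r"C:\LabZ3N\bodaloc.exe", "5ec8f77064db9fed8be72e518c3a83ef900aaeb511f32462b15cf57bdf9fb855"),
]

# \REGISTRY\USER\<SID>\... is the kernel-side spelling of that user's HKCU.
# Case-insensitive because one run prints "Software" and the other "SOFTWARE".
RUN_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\'
    r'software\\microsoft\\windows\\currentversion\\'
    r'(?P<key>Run|RunOnce)\\(?P<name>[^\\=]+?) = "(?P<target>.*)"$',
    re.IGNORECASE,
)


def parse_run_value(line):
    """Normalise a sandbox 'Set value (str)' indicator into a persistence record.

    The sandbox prints REG_SZ data with doubled backslashes; collapse them so the
    target compares equal to the paths in the Processes and Files sections.
    """
    m = RUN_RE.match(line)
    if not m:
        return None
    return {
        "hive": "HKCU",
        "sid": m["sid"],
        "key": m["key"],
        "name": m["name"],
        "target": m["target"].replace("\\\\", "\\"),
    }


def is_startup_folder(path):
    """True for a file dropped into the per-user Start Menu Startup folder."""
    return "\\start menu\\programs\\startup\\" in path.lower()


def ptr_to_ip(name):
    """Recover the IPv4 address behind an in-addr.arpa PTR query name, or None."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def rewritten_paths(entries):
    """Paths that appear with more than one distinct hash: rewritten during the run."""
    seen = defaultdict(set)
    for path, digest in entries:
        seen[path].add(digest)
    return sorted(p for p, digests in seen.items() if len(digests) > 1)


def summarize():
    """Collect the indicators a responder would hunt for on a suspect host."""
    return {
        "autoruns": [r for r in map(parse_run_value, RUN_KEY_LINES) if r],
        "startup_drops": [p for p in DROPPED_FILES if is_startup_folder(p)],
        "ptr_queries": [ip for ip in map(ptr_to_ip, PTR_NAMES) if ip],
        "rewritten": rewritten_paths(FILE_HASHES),
    }


if __name__ == "__main__":
    for section, items in summarize().items():
        print(section)
        for item in items:
            print("  ", item)
```

The autorun records are what you would feed into a registry hunt: value name "Parametr" under HKCU\...\Run or RunOnce, pointing at an executable in a freshly created top-level directory. The recovered addresses from the PTR names are only worth pivoting on once a process in the sample's tree has been shown to issue them, which this report does not establish.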