Analysis Overview
SHA256
233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7b
Threat Level: Shows suspicious behavior
The file 233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:24
Reported
2024-11-11 23:26
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\FilesOP\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOP\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintMR\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesOP\devdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
"C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\FilesOP\devdobsys.exe
C:\FilesOP\devdobsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 6b97322d9323b343e6d5e57bcb0cd4e2 |
| SHA1 | b6686b7ced772a086e1619be36633f021f849a3c |
| SHA256 | dfd5e5b355af91e52a163672994836cd90ab910e0cde57325adc638a98ab36b1 |
| SHA512 | 58af4eee3e4898513d6ceea4e291a8b877f314b481ed6d83064bf2e1aaca7cbd8531610d95f61b2284330d6e50db8896bb7fa88f0fa1e2cd24d648a847673d32 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c91740359f094806ca93e94e5a61d1f3 |
| SHA1 | 92d963c136b9e0d5d5f94c7052c7c32dcf4c2983 |
| SHA256 | c80739766545d3bf3f8f7dc30ae6d374a0de98c2def63ef3f620db671ff77cfe |
| SHA512 | b2723cab9aefef97c64562d237b4fcbc41d28d3fbfdaba96cbca0040f9ac884929bd470ea657d9ff5fbc419788c539cdede8751a4a68d96656a0410ae6e03812 |
C:\FilesOP\devdobsys.exe
| MD5 | b5ce79180961884259e1c1466500358e |
| SHA1 | 08088d284a19c038201131db4e8c4325ed7a0c3c |
| SHA256 | bcf2177cd1e4d890569ff4acb622c8672e6399cea88ec78e9fc416cd4e969596 |
| SHA512 | 7b4296df27d6a162a11cb930a353f2c88b9a543162cca2fe78cf59a92a59f8a29644a9dcd8972c92904c18bf06c5ac3199c99d001492db534836ddbeed7e9d72 |
C:\MintMR\bodxec.exe
| MD5 | 5460b10c42b06e262412fc3e28bc22ec |
| SHA1 | 293983cb6589fb09095e36026a8b83e08a005391 |
| SHA256 | 8b5ce7ffa24e877429ef276eb2d9700eb12ccf478560a35a998ec5c0ec97522a |
| SHA512 | 08a31e3d00c6c398e3b1468e024fe769c128129c510bf226ef2d306b7123844e3dc77b234b498bf5f6922cc9b4818e578dec1fd4ee858cda5d2a5ab5b21dda14 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b9bb07f9928c63d7e7cae7c90799d3d1 |
| SHA1 | 41ffd2866d076666d5db0e7bc450cfc40072ba08 |
| SHA256 | b775dbe2a2b1e9584f099743463f22f83e35b3a0fc09886ac089f6c3d4b75487 |
| SHA512 | 6a03cbb5a6c7f08f47316b82c33960e2e75f1d61f83ed014c5fb6ea9ca3e825c4bd5a92b29bd0fff95a3f4f431f5ca7abd2a049e5691f5376613e7684b74ae75 |
C:\MintMR\bodxec.exe
| MD5 | 97b873cbaa5481c8bb8ac61ca22ef18a |
| SHA1 | 8c70f3deef9bc063e352ab311dbac0c61c27cbd2 |
| SHA256 | ffe0382174eb399e8a26d888d833a5f386e180ca9be6e4d67985914057ad78f4 |
| SHA512 | 95821acc431b96a77c0fd070f9e34cb1b119c805f2cd312d615fbcf7e951094d48e8a9ea35a3f1097137909af38a73a4cf3673cbb1b860383d8ffddb964ee042 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:24
Reported
2024-11-11 23:26
Platform
win7-20240903-en
Max time kernel
120s
Max time network
21s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\AdobeV4\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8A\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeV4\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeV4\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe
"C:\Users\Admin\AppData\Local\Temp\233845af0128a916484f55a8e37d354b9dac79162123bff97f8ac6f92bdaaa7bN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\AdobeV4\aoptiec.exe
C:\AdobeV4\aoptiec.exe
Network
Files
C:\AdobeV4\aoptiec.exe
| MD5 | aa404e81fdc4946ac80a30fbf1b10c14 |
| SHA1 | ed71e23df81576b945ef2f6e00f8f5b35f6a533b |
| SHA256 | 93b7a38f773796c870936ed5977333e42c13a41c33ba790d40d9ee15d294bd79 |
| SHA512 | 3e210cc458293feedc8e52a4502d6a1fa12b5f5987d3bcb5323174b27f832f654224255aed64448d908132cb1173f0557d9a2234ee5e6d9caa220da210ee1ef0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | ff5a5d7f5f622a427e890fbaf8f98211 |
| SHA1 | 3917a1b54977efc0848970e1f39805180488dcb5 |
| SHA256 | c040eb2b101acdaa0ddf9bb6a19a9e648ba4a870e08dd4cba2f57350cca8ab2e |
| SHA512 | 670c189cd591f8a6f25f5bee7273d263834ab2f567f3931f1d282d514f1c042d0046d67badfb234577340a8897d84dead0e54b7a1d27d28da3cfcc2b165519d9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 78ba6f2743c02b1f156cb7eeb0b91a0f |
| SHA1 | fb917389ea02d19d8290d329602c6fb1dd1b4f8c |
| SHA256 | d51c4e03a9aef20580ed77e5a56b60624eadeb6c06d126f05813517e94c46461 |
| SHA512 | d2b5b0fabad63e6885b2929497d34404b9f686ae59bb9ef67a5ffd1ef7f4957d4e5475ccc1f7aa0aa760f1d853421536c1f3d69dd56cc8bb351b4dc1de5f3830 |
C:\LabZ8A\bodaec.exe
| MD5 | c591efcad97a654bef2575cd58d4a0b1 |
| SHA1 | 0b921bfdf205f29802ce6969c1e07c776635c42e |
| SHA256 | 492568b6ff3aed2deccc990f35438dd3eccfbb329129b1dfb292665a79a8743f |
| SHA512 | b395a44d7acdf69851d48f81affab34e9ae934295fc950d2af04bd3e7dfb69c258052e4f0e1c6a61bb8d45331aa7aafb6fe3a7f9665474e4d8f79014f04994c4 |
\AdobeV4\aoptiec.exe
| MD5 | 3bf0ea8743e0801be5a7ef1de0a73ff3 |
| SHA1 | e0c8b807c4f9eabc23787cc696e50788ad60f922 |
| SHA256 | 837c7a2a1c38fbbb4f3c8fb8eaceba4d136d86e91eeca214597103158e4b0bd6 |
| SHA512 | cb9f82109f282caeaa6a328f3397b28c1d053d0cfe2d2e2aa49189750e7d83ebda711da0c5a6f0bd99fd2ffb6afb21caa9030baeecb86ebb0e508aedc13f38e2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b9cf59cc26fb838c012d6ce9b43e7909 |
| SHA1 | 9f647bfc14c4926bfe8d79005c97440d8d96775f |
| SHA256 | baa614e2c7767f5514f4e1605a393a8df05644492a7990f8ad7e8f4ee95610cc |
| SHA512 | aa4b8f4f2c3e0a8525ecb8baa49b6d356e387f3367ab3b657e8456a035046efebf1744d6b752032ca6c39d0e4780c9e2fc9db58eb7ce9539f0b880b447e6b8b6 |
C:\LabZ8A\bodaec.exe
| MD5 | 9e3a71ac94137568ad74cd951436126b |
| SHA1 | e6670517c50348cae97a5f3b5fddaef8c40dae66 |
| SHA256 | 9215fbdd55399cda225e2226edd2ef7618c4955200cf7f56a8421846b94e0d77 |
| SHA512 | 44be26e214abf0766b3b281fbf236b09620e045469c463ff878e1c319754cd3a2a1fe716d543c45fefee1384897ef50776cbf15f75d713d9988c908bbc814275 |