Analysis Overview
SHA256
714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899
Threat Level: Shows suspicious behavior
The file 714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899 was classified as "Shows suspicious behavior".
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:36
Reported
2024-11-11 23:39
Platform
win7-20241010-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvXH\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXH\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ91\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvXH\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | "C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe" |
| C:\SysDrvXH\devdobsys.exe | C:\SysDrvXH\devdobsys.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| MD5 | 0f62a54e5b1b05bbbfefee77a6b1f6c4 |
| SHA1 | e67c637dec0f5142bf776346a014c240b552d1a6 |
| SHA256 | afef405b88d2f5b5104f40f1ede24c8d63fc53738a42a0932ef6427c7c9dc302 |
| SHA512 | 75ef291474aa9b8ec07a104fdd038c6e42b60e12ee3286535db3683ab79abd3f869dc8a9c97fc1a358c48bed1451b924cb711f1d50405ad70e73dffda277182d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d88b9ae6778408d5b813c858be0b6970 |
| SHA1 | 13d4f0a4c7775bf6729a4f86e9dcd4dc03ef16bf |
| SHA256 | 2245c1c5104b2055b66f516b7727936e02ec64a8077259d3243dbb92245cd449 |
| SHA512 | ceaf7eed1d1ca6703468adebb5249e4b698afc47ec4fd8184d3601edec52869d4775b2065816dab1bd35b4d6cfa3eea4291f58aa54e971957b45a8cd23090037 |
C:\SysDrvXH\devdobsys.exe
| MD5 | 6455c86524711e98824fb660aaf96d6f |
| SHA1 | 385c9bfb3400431f9cd9bfff33064972164e3c7c |
| SHA256 | 16ef96d2b7587c8f120dabb7fcc82ac93370e6c3d13c95f195d222eebb9de0bc |
| SHA512 | 91e29070926ef070497fa404b1a5a959ffc1cf0ebf7fcc167820ab0148b989cce061ace17369faa0cc43e4a4aacf77d5ec363d01e6ec7ebac63916ea06833a4d |
C:\LabZ91\bodasys.exe
| MD5 | f3acf8941da0bff6b5a64be294b37bdd |
| SHA1 | 75ecf8def1aadc6d618845d81ae32af1745d359a |
| SHA256 | c54bda6c5cf5e41fc069d80b4af34f422547754ab2676138a95bee12e048cc3d |
| SHA512 | 51cd50fddf48f794b8b46678c5a858bbc0cdec328383197c050ca4b6400a503e577c1c2227924ab8c0d290cc7f4e4600121cb21b81f40f5c17e7bd1ff8c7c36f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a2e4944d70d595f6a91775efe251da66 |
| SHA1 | 1d592db07ed7aaff222c5805563beb6a0a7ec13d |
| SHA256 | 3c3f91a9307c3a46c408f7914f789bd7b4c58a0c2ef9d65ebd72c255c605d822 |
| SHA512 | aa195039f33e0be44107eb4cad795516f26084056498fc463acf92fa09ef8db1b6c834fa430c170da7b4f5c9ee9aa7b3334a9c8b59ab0fe8da4faed4b11608bc |
C:\LabZ91\bodasys.exe
| MD5 | d222fdf0b113e098045cbb9c41e41c66 |
| SHA1 | f80a93bb8f203635696e40cb19c690691386cdfd |
| SHA256 | 6b2d49d61a5f4cb353f4dd8d33943ba604d2aa7bda7a14714cf89a1d0e29ff1f |
| SHA512 | 552a1eb1ebd6076a331bb8d02d26e86723e728538d6e4d6d47db610940f146e7c62702fe89eb557733566932424d5c6a8efd52cdc6f8107e29e8db5ecdc110a0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:36
Reported
2024-11-11 23:39
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrvOY\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOY\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGD\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvOY\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe | "C:\Users\Admin\AppData\Local\Temp\714ae6baf56ba3502c4fb20a09b40ad73d5afa238a42de598ee0b310b581c899.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe" |
| C:\SysDrvOY\devoptiloc.exe | C:\SysDrvOY\devoptiloc.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 22e6746ea60c6d0e40396860fabd618f |
| SHA1 | 18a24cbb9f6f950d7ade64704d7d89b4ec158ba0 |
| SHA256 | ef03825813b22188768f0ec777c21dc4ddd43544237d55babced99d919e40d01 |
| SHA512 | bf12004ab7dae8fed2290b1815f003002e4ed61b7bc00f8901fc4ec12b04896176b83d55711b65420071f5ad4ea4eb530d5e2fde748d41ba982acef56a96798f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b8a05e527e95d01834a8c99257bac3d0 |
| SHA1 | 8c1489e2f6557fa8de714d0cebc6557426f5f111 |
| SHA256 | 9aa08b1e2271249979feffa21514e0c24eda82ed1e1d39c93da8f6b75a9343cc |
| SHA512 | 568ebda83ba21593fe7194c0e8bdf0dc1900cf8c646b56d8a42b875ded18ad1c8b965a5abd60960fc13cafdd50f0b7fd94124a2557405a1ed4d0989f579f9a5e |
C:\SysDrvOY\devoptiloc.exe
| MD5 | e34520bc93203a072a939ec6969e94e9 |
| SHA1 | 8c1f498f5e8e597e6684225ad02860b524bfd4c6 |
| SHA256 | 4ad79bf2a64f85d256f14d61117eaae47ed13ffc396bce3be1863004e20cc67f |
| SHA512 | 22ee91e55d2257abd6f1819a1cc18770579d03c47e9f5b016a3c40fe565aa221358019fb10289bd3e1d33d961cadcf5cfa2a2bd77ef03282c9541b3d660ac81a |
C:\SysDrvOY\devoptiloc.exe
| MD5 | 2d8c055e41eb6bc8a100f1bd093d9904 |
| SHA1 | 44a3ee96b13dc251aae76666ec80f94ec62f0e8e |
| SHA256 | 68d691d6131936d0e1862e3fe6325d7e0d3b68543afe9a20b17c3fba427413f5 |
| SHA512 | 75643960cfe3de728bacfaed82d67333d6f85270426c2abe069f241b2e7dc53b35a63b3b54ce2b4ca4a189b2d832a00b2c5f597146a572267595c4f635d813db |
C:\GalaxGD\dobaloc.exe
| MD5 | 8c48839869cdc33ee8d808cefe4bff31 |
| SHA1 | 5b0b150ac50ac276c0394f201a9a70914f7030d1 |
| SHA256 | 0c7ff96bd5692ea5156bae38325137308fb73a9dcc77a1d4745d404c26fd50c8 |
| SHA512 | 92c3e5ffc33e917f5f31664804b9a54caa4fe3bbaa7597b30172b6643fa48df9ca0ab3a9dd9c5c87c16a92feb5d88232a9ba4f26b67c04e892cff5889fc847eb |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | df01066a5764d81c61bf68c499b3e71f |
| SHA1 | b5fa03ce2cc4e54db01f60f0cbd1cb604d2ef654 |
| SHA256 | ebede10db995092baa009b0de44d98a63fd3cbaf32ba3b7a742c4207e1ae7b2f |
| SHA512 | 8a061243a4757018cf5d3078036f96392b6e65edaabecf23a258f9b3afd8b1210901328837ffb77ec197b32b5c0c0a7375636aa838045a10bfb9ba7e36ab654b |
C:\GalaxGD\dobaloc.exe
| MD5 | 3cfc1096b13ce7ab8735810ab4d16307 |
| SHA1 | caec2fb8e8dc9f9bde8779b61c413edc3b752e62 |
| SHA256 | d757b692d8295f6e5b02f40a09fea36c1171593d26429207a0b113b86ff250c4 |
| SHA512 | 61f5644ce7a001748eabe5f645daea9a9adff9e8409f85d217e4a176fbf0baae2454b9ff2ebc158dd87b06294458cda8e5a2941720a858d4135e77d3e04cb1e0 |