Analysis Overview
SHA256
aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde
Threat Level: Shows suspicious behavior
The file aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:38
Reported
2024-11-11 23:40
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\Files9A\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9A\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidY9\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files9A\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe | "C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe" |
| C:\Files9A\xbodloc.exe | C:\Files9A\xbodloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 6b92cb0243a50aa83c7a656d1b89b31d |
| SHA1 | 086750dd9b8c8dfe45e0d6249a9f460cf6168def |
| SHA256 | 44fda56c86395f9b42493e2244cc36137a421cc0757db3de69ad6a61dbaa67ce |
| SHA512 | 1751f2f1c404b0e83cde9176549fb1c0ef066ceadad3840d892283cafce2f198a44510bd52295799a83f2b42d31e274aee4de0ecb7b4c11f90a45a57b8dfc2c6 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 60151bbe6453256c273a81b6ba25146a |
| SHA1 | 46e5f038c3e30ca153cebc9e53a680e44faba881 |
| SHA256 | 7db7bc0c7179b17a9799eb73b9fc7da340b6da90b04a76614d149dbd1f7beea6 |
| SHA512 | ab055009c3ec3ba7dcaf6b97b189a593ca7d9441a7f83279726f241b7f54a4a0499c337f5be476e4bb293ea44364e58b6b451e8692cc31f7cc4bc288b312623d |
C:\Files9A\xbodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | ab40f8f2e62200bb1ee9dee46be5a572 |
| SHA1 | c3bf48527f2c3ae74d72236dd6067d0957f6ccc8 |
| SHA256 | ac0bccea708a01c39038314e81ad131bcb1f6d07d1e955afb7faa35de5fa39dd |
| SHA512 | bba359ab38212c54e397bb74abcf0a03fbf5eb9fcb6d1296ba22d4a6fabe60dfc82db04750122382fd9f9f0d851716d42fbe3adaf0d30be1a1f586fb2b30ab20 |
C:\VidY9\boddevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 55e522d0df04f016d41eb9c70fba2229 |
| SHA1 | 7779ed5d0ede5f8ff781d7ab77b93d32215ed099 |
| SHA256 | a514983d65c0a79dce30255d214f1737874922956cb46cfb25f60421910b8758 |
| SHA512 | c08db5cfcc9cdee57c224217644cd7dd2d54e262e1010e76f799dcd5972d839729ef9ee0ebb117d1ca7beed0f783fcf386d6054aad5b029073ee2191f5e0a809 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 478a7bc2b9f9478fb3850f7d8e89c557 |
| SHA1 | b4360a28f1b6def3490fd4ca6c0e5b3e74e679a0 |
| SHA256 | 3d153829e970f9e58d3c73428552a0d5c3e2968500e7c42a892b8085963cc2c2 |
| SHA512 | 63c11c270fa1e36611ed874be000d791e4ac40322e463ef2e579541e462def2f01f802dc2127ce92c027fac2e49bfad24825b9f33e747545f11a69d47d8783e9 |
C:\VidY9\boddevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | d95f209c6ed6c820112bee01886eebc9 |
| SHA1 | 459e56c005f66cd9cc9923a66109d7b9330d8ad1 |
| SHA256 | 0f0fc81d47826f86350624cad74595c681237b96988d7b25034b357c778ed8ae |
| SHA512 | 2b8902a2ddb15f77d6d3891e495c431214eae96e136af9e947defbdadd30acd394fac7f8152926c958681e402e0459df6d76bdc1b30f6a771065a3fda0f7be36 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:38
Reported
2024-11-11 23:40
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
105s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\FilesHR\xdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesHR\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHY\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesHR\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe | "C:\Users\Admin\AppData\Local\Temp\aec1519f6fab653b7ce49ef6a703261a16b053cd296088cfa1865aad2adb4bde.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe" |
| C:\FilesHR\xdobsys.exe | C:\FilesHR\xdobsys.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | dfcfadfb45708033bedc7d3eca206b80 |
| SHA1 | ad9d01fa0ef828e0f80b772cb962b0b4a3e49ad3 |
| SHA256 | dcdc488d74d7145fbfda97f5ce43d2e6806b1331bff4330271dfc4784ad2dcdb |
| SHA512 | 7e4bce8653bf50f15136a9ed9e9f5721776e9955547c99c7fcb0c39f49fb6edb8f448a440a8f9feacb3f47e617678fa8e7647b5b1184f791060393556ebde077 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 7d14e312d954e286bd97e6cd17799e0e |
| SHA1 | c7b0a9edaa094b9e62413e8ffd999edb4c9f8b39 |
| SHA256 | 7bdfbab1a8e6dcee91d942e48c059d3b7567519b77bafae1921c205227120f0d |
| SHA512 | d565661701570437ff150ce37367b43deb22bdfa73bd4b69f1e86b1c65fa89a57334ff8697cff021928d1eebd1398d5ddefa47ee7125a725b71a481a222f4e16 |
C:\FilesHR\xdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 2e14ee6125a70de2dd549e74db1c538b |
| SHA1 | 949385f95d76b6aaded14597aca8198551df421e |
| SHA256 | 2d956d7b32b40a78a73328d5f24467b3a671304e29b0246b9a20d970a2dca344 |
| SHA512 | a9417c15ababad2a3e9923faf3dee23b8d2000de14673314d208222a17fca29b885b60c379d7c112b31556d41ddff46a3498c51d8eec69b2129b531901f1a39a |
C:\FilesHR\xdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | a8e491d29898b6887eb547e2f4589ec3 |
| SHA1 | c566090a876f4eb43734a22ea4777e8189032550 |
| SHA256 | 20e1e105da99579bb5491ad3bf6927b1c826935608190f3e77c8f8849df3f490 |
| SHA512 | 29b483bb12cfa967a8ae24a060cca001c0431858e39bfb8e8a683b158df4c4ef5c2b2738c0972279a2665cdcfa9f6b35b83db5bb7e8f689f19cb5ed0c58db0a9 |
C:\GalaxHY\bodaec.exe
| Hash | Value |
| --- | --- |
| MD5 | 149fabe738efd2711485730b84d00f8a |
| SHA1 | 7c4493e04792d60e86d0d02b8de857c965e4dcd3 |
| SHA256 | de613eb2e3fc63775e89e155e2ea2c7ad1214010536fe775ab16cf727a7fa67b |
| SHA512 | f3bc7ce3986cc6b100123815fdabd9c239f1510d34ce1b0c2222c86053acbb4140ec31408e03db236b60fff73dba3fd1037b80ac71b0183233b7d61a1ccb8520 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 6c71b80b467bb9ca2e0b4d3ed244c6f5 |
| SHA1 | acf646bbf6d366f83b44fe508d2524f3b0b46a18 |
| SHA256 | b04ce25c1714e1976a81cf62f29d766e35e1a3834607491eef5231a79ff44033 |
| SHA512 | 0c2bb56fa4dd1e6c03196603f0d2996939495ae2e32d092b762be529b1567d617bc4e3a96ab134ceaaaddf0172aaa4571e4f487a8efee02d3748f1816d7e287e |
C:\GalaxHY\bodaec.exe
| Hash | Value |
| --- | --- |
| MD5 | 82034ff2935be1a2c76118def6115bbb |
| SHA1 | 8b1fd87223feebe5460cbdfe73de927238e9603f |
| SHA256 | 0d80432c3b077ccd5d7b4b3dde849c274b3d9d78e49a12a48c146eb212e07b90 |
| SHA512 | 4aba53f010317b475d0e6e1cdf730e853b3182eef482c4e14e663dba5e75a7ef5e14625584a7cfd409494ee82a5e7f2b7e0fb996dfc0ac243b233a619a54515b |