Analysis Overview
SHA256
6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82c
Threat Level: Shows suspicious behavior
The file 6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:36
Reported
2024-11-12 16:38
Platform
win7-20240903-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrvZ6\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZ6\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ25\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvZ6\xdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
"C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\SysDrvZ6\xdobsys.exe
C:\SysDrvZ6\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvZ6\xdobsys.exe
C:\LabZ25\dobdevloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:36
Reported
2024-11-12 16:38
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\SysDrv1W\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid4X\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv1W\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv1W\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe
"C:\Users\Admin\AppData\Local\Temp\6ffa2b20b3ed4e79d78ea466236385085c5d271a53e890a38727ed03e64ef82cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\SysDrv1W\devbodsys.exe
C:\SysDrv1W\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrv1W\devbodsys.exe
C:\Vid4X\bodaec.exe