Analysis Overview
SHA256
4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193
Threat Level: Shows suspicious behavior
The file 4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe was assessed as: shows suspicious behavior (no family attribution). In both detonations (Win7 and Win10) it drops an executable into the user's Startup folder (ecxopti.exe on Win7, ecdevdob.exe on Win10), drops a second executable into a new directory in the root of C: (AdobeAQ\xbodsys.exe, AdobeUW\devdobsys.exe) that it registers under HKCU\...\CurrentVersion\Run and then executes, and registers a third (VidQ3\bodxloc.exe, KaVBE9\boddevec.exe) under RunOnce. The file and directory names differ between runs, but the registry value name Parametr is the same in both. It also writes C:\Users\Admin\253086396416_<Windows version>_Admin.ini in the profile root (6.1 on Win7, 10.0 on Win10). The "Reads user/profile data of web browsers" signature fired in both runs but the report records no indicator for it.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:51
Reported
2024-11-13 14:53
Platform
win7-20241023-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\AdobeAQ\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAQ\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQ3\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeAQ\xbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe | "C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe" |
| C:\AdobeAQ\xbodsys.exe | C:\AdobeAQ\xbodsys.exe |
Network
No network activity recorded in this run.
Files
The same path is listed more than once where two different contents (hashes) were observed for it during the run. The .ini name carries the Windows version of this detonation (6.1 = Windows 7) and the user name.
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | 81a6109d1335627e56df1dfafc7ecca0 |
| SHA1 | 7cd5785636c5d06329c050d62cbe1d3d2a1f90f4 |
| SHA256 | 3ce905e897e6fb2830fb0f1effedfe2bb11fb0ca194bc1042ac8d6a0a1ec0d2c |
| SHA512 | 8aa60f4549c8e12ba0b52b272dc385d5c086eb28dd3db52c0d3f23aaf4b1f7fbdf71808689b883afb536005fbfb14a2d45daa2174075470ab01ad5e1a57e08a8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | aa9c8607b721a62480c18bcac68f7e11 |
| SHA1 | 7d26381fa097321b02eaa2e738328477c42ea289 |
| SHA256 | dbfc4cd0aecbaf4c3c61b4fcfeea02136d8c81c80efb8b8849a389238951bc9b |
| SHA512 | f15b955d1a860557176435a387e437e02f92bb39ace79114517c77574208c0d77bc7c557aca799b0ec24643d24949cccaf749234b5863a1fa94985701ee44d42 |
C:\AdobeAQ\xbodsys.exe
| MD5 | 7bdb6cad59a57fda6dd7647c6a621299 |
| SHA1 | ea7baea5393dfdcf0086a69e74477d08e684f9f9 |
| SHA256 | 143eaa643a0d36aa616a2e6a9295357e7e50047f9bb5db3f4579b9a4cc10c9e3 |
| SHA512 | 9cfbfd75fad92aa78bc737690c861f475b2a58fd2d6669355f6accf80212ab4af89476cbbe8132a8c6bb6aecde9a3ac0267df11af1269936353f5621984c2fe2 |
C:\VidQ3\bodxloc.exe
| MD5 | 745963c64a64afa30de72cb7f8e638df |
| SHA1 | a5f688dd8b2f39be1124961676a912078371e208 |
| SHA256 | 0c70414de4eb29def96481d1f4cf19cf7d519958690413dee53c9b3f6f3a25cf |
| SHA512 | 892495613a898f3b90c3d8feab87d471795bed2421dbb453f60a115ddee3c96375a22b951d76798a00314b6ac840c765faa43a96c6970f4f22ac65ff7eb5db2d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a213f40dffea5f41f2c3c656966eda14 |
| SHA1 | a29f2813d4efc9e117d231fc72864135238d01bf |
| SHA256 | dfd0610f8f60ecd499166bc776b91f0534d9bed0fbd163717c321176ac25e978 |
| SHA512 | bd95e695ff71f40e45eacf94bddffc30b1082dbb5dda478bb07c89e2f2ada2c3556b90aac2af1eaaefc780614227acc91d25fb39aaba814821361955cabbecf7 |
C:\VidQ3\bodxloc.exe
| MD5 | 90f1e2e265f3ef74ebf3019568f1b649 |
| SHA1 | edab64a7fc8157fe37380bddb3d2ed04bcd44741 |
| SHA256 | 6aa5cd6659c19dbe23ece69d6a30fe578b64e2441a5d6c83738705bc7655bc4e |
| SHA512 | f2820e4e89eb5fbb1c8a90a144c8a831f1233b45a091d277acd062e44e5396b681eae4686453cbe6243cda2d7b64905aed6836dfdf5e7f1885764220ac411471 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:51
Reported
2024-11-13 14:53
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\AdobeUW\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUW\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBE9\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeUW\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
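Detection logic for the persistence recorded in both behavioral runs above (Run/RunOnce value named Parametr, executable dropped into the user's Startup folder, marker .ini in the profile root, execution of a dropped binary), run over constructed Sysmon-style events. This is an added example, not part of the sandbox output. The event layout (Event ID 13 registry value set, 11 file create, 1 process create with a hash) follows Sysmon loosely but is an assumption of the example, not an EVTX parser; the benign records and the numeric marker-file prefix rule are constructed from the report's indicators.

```python
"""Persistence detection for the indicators in this report, over constructed events."""
import re
from dataclasses import dataclass

# Indicators taken from the report. The value name is identical in both
# detonations; directory and file names differ between runs, so the rules
# key on the stable parts and on path shape rather than on exact names.
RUN_VALUE_NAME = "Parametr"
DROPPED_SHA256 = {
    "3ce905e897e6fb2830fb0f1effedfe2bb11fb0ca194bc1042ac8d6a0a1ec0d2c",  # ecxopti.exe (Win7 run)
    "143eaa643a0d36aa616a2e6a9295357e7e50047f9bb5db3f4579b9a4cc10c9e3",  # xbodsys.exe (Win7 run)
    "5b50cc17507c6312e66a3e373e3f2d32e5f2b4eef852c570b2982601548161bb",  # ecdevdob.exe (Win10 run)
    "596265d47449b5982c4637e541f7c0b37df7af7c3da277c60aa298eea69a8b19",  # devdobsys.exe (Win10 run)
}

# Works on both Sysmon (HKU\...) and sandbox (\REGISTRY\USER\...) path styles.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
STARTUP_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Heuristic: Run data is a bare .exe in a directory directly under the drive root
# (C:\AdobeAQ\..., C:\VidQ3\...), which legitimate autoruns rarely use.
TOPLEVEL_EXE_RE = re.compile(r'^"?[A-Z]:\\[^\\]+\\[^\\]+\.exe"?$', re.I)
# <digits>_<major.minor>_<user>.ini in the profile root; the prefix is the same in both runs.
MARKER_INI_RE = re.compile(r"\\Users\\[^\\]+\\253086396416_\d+\.\d+_[^\\]+\.ini$", re.I)


@dataclass
class Event:
    event_id: int        # 13 = registry value set, 11 = file create, 1 = process create
    image: str           # process that performed the action
    target: str          # TargetObject (registry), TargetFilename (file) or Image (process)
    details: str = ""    # registry data for event 13
    sha256: str = ""     # from the Hashes field of event 1, if present


def classify(ev: Event) -> list[str]:
    """Return the names of the rules the event matches (empty list = nothing flagged)."""
    hits: list[str] = []
    if ev.event_id == 13:
        m = RUN_KEY_RE.search(ev.target)
        if m:
            key, value_name = m.group(1).lower(), m.group(2)
            if value_name.lower() == RUN_VALUE_NAME.lower():
                hits.append(f"{key}_value_parametr")
            # the report renders backslashes doubled inside REG_SZ data; normalise first
            if TOPLEVEL_EXE_RE.match(ev.details.replace("\\\\", "\\")):
                hits.append(f"{key}_points_to_toplevel_dir_exe")
    elif ev.event_id == 11:
        if STARTUP_EXE_RE.search(ev.target):
            hits.append("exe_dropped_in_startup_folder")
        if MARKER_INI_RE.search(ev.target):
            hits.append("marker_ini_in_profile_root")
    elif ev.event_id == 1:
        if ev.sha256.lower() in DROPPED_SHA256:
            hits.append("known_dropped_binary_executed")
    return hits


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Run classify over an event list; return {index: hits} for flagged events only."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


# Constructed event log mirroring behavioral2 (the Win10 run) plus two benign records.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe"
SID = "S-1-5-21-4089630652-1596403869-279772308-1000"
EVENTS = [
    Event(13, SAMPLE_EXE, rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
          details=r"C:\AdobeUW\devdobsys.exe"),
    Event(13, SAMPLE_EXE, rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
          details=r"C:\KaVBE9\boddevec.exe"),
    Event(11, SAMPLE_EXE, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"),
    Event(11, SAMPLE_EXE, r"C:\Users\Admin\253086396416_10.0_Admin.ini"),
    Event(1, SAMPLE_EXE, r"C:\AdobeUW\devdobsys.exe",
          sha256="596265d47449b5982c4637e541f7c0b37df7af7c3da277c60aa298eea69a8b19"),
    # benign (constructed): a normal Run value with arguments, and an ordinary document write
    Event(13, r"C:\Windows\explorer.exe", rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          details=r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Event(11, r"C:\Windows\System32\notepad.exe", r"C:\Users\Admin\Documents\notes.txt"),
]

if __name__ == "__main__":
    for idx, hits in scan(EVENTS).items():
        print(idx, EVENTS[idx].image.rsplit("\\", 1)[-1], hits)
```

The hash rule only catches the exact binaries from these two runs; the value-name rule and the path-shape rules are what carry over to a fresh sample, since those are the parts that stayed constant between the Win7 and Win10 detonations.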
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe | "C:\Users\Admin\AppData\Local\Temp\4733d45c774722a13bdb352a37c23892ec18b994513fcb7ab79d7afae39d6193.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe" |
| C:\AdobeUW\devdobsys.exe | C:\AdobeUW\devdobsys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
All recorded traffic is DNS to 8.8.8.8, and every query is a reverse (PTR) lookup: reading the in-addr.arpa labels back to front gives the addresses 8.8.8.8, 51.11.168.232, 2.23.210.88, 20.190.160.20, 192.229.221.95, 20.44.239.154, 20.109.210.53, 20.3.187.198, 199.232.210.172, 199.232.214.172 and 52.111.229.19. No connection to any of these hosts is recorded, the report does not attribute the lookups to a specific process, and the Win7 run produced no network activity at all, so no C2 endpoint can be attributed to the sample from these runs.
Files
The same path is listed more than once where two different contents (hashes) were observed for it during the run. The .ini name carries the Windows version of this detonation (10.0 = Windows 10) and the user name.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 5a945376fa1daf8a2de57a2877a017b6 |
| SHA1 | 46b299ca53672598b029f21803a2e44d149705d9 |
| SHA256 | 5b50cc17507c6312e66a3e373e3f2d32e5f2b4eef852c570b2982601548161bb |
| SHA512 | 8d4dd2610ad4ac1de35f71ec24cfad4335723c75e9791e061baa4ae31970d67005f4d89070746d40f3cbb0d12c29fef9edb5858b74d60c46e8bf1ebafa9666e6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 3c01c163306a510823c2ed995b140fe5 |
| SHA1 | d355894069336cefb57ab9ed5ae20c1aa7c8205f |
| SHA256 | 0a5bcf2f0923406527da52d7b7b07c3b9ccb04e3b93fc0395b3e7392dc2b06be |
| SHA512 | f3b09513710aed2aafbc198500649822bc28a2b4e8369a35ed312e00b0cfe41abf1f32c9fc165e6af85b7c2a13adad57eeb6fdb1e453d99d46453919a07ad126 |
C:\AdobeUW\devdobsys.exe
| MD5 | 3839aa755a0a68075325773481ac000e |
| SHA1 | 6829bdfeaee439c42e8b774242d0b800f42660ba |
| SHA256 | 596265d47449b5982c4637e541f7c0b37df7af7c3da277c60aa298eea69a8b19 |
| SHA512 | 0e7806eb43c19e3e84bbf7bf516485d111032db1dee6db02bc3a1de78ff2a851af9b3d06f0e28640bc2e82093156332b3ddd86fe9456173a66735ba7f4110af3 |
C:\AdobeUW\devdobsys.exe
| MD5 | 0b6854feafa7940ee4588126b02dbdc9 |
| SHA1 | b67811c84ae60a404f7d9901268db6dcb6897949 |
| SHA256 | ddb3c2dfdb4c73526a5a205e0615382285c8978bcc3464cc547b0f25a60050bf |
| SHA512 | 786b23ece63f324f2cc30b4aecfcb69301ef02a975c94dab0b0b8b509b49ab296a23f49f0dcc0684d41f557231388b1dcc7afa9e3b8252667bbe45dd90a5dc91 |
C:\KaVBE9\boddevec.exe
| MD5 | 5a55f10688cae079b5012a0cae61aa0b |
| SHA1 | 3289891db2f41db5e4fe6afb7d314d143831aac4 |
| SHA256 | ddd5377bd0ca1cae2f4e9fbf0c734ab3d25b108cc880780558bcbc3eba0b817c |
| SHA512 | fcd8d4752c85e1a5e0d54a729b878f62596ebbeec9c0cb37d69b81265fc447c0b815df44ed5e25141f10ad84ea9d9b3bc80106957269cb7fad31d85a572fc115 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0b66e10eaa4df9ab6e286ecfd14ea0fd |
| SHA1 | fa203b6488d2dc7a8802b7263fac597f2bd9df03 |
| SHA256 | e8f2e9995ff834ea6a4602e094a6ee93b0c8963fcc9c986576d04586cabe7acb |
| SHA512 | b99d88f7ea100f1d1be8c33c3b73631d1bd0c5a6475ca677ef3b512dca6a61df8a0da2b7d64385be4e228b4db3308e9a3cd426d7e2f5a314cb23a94863d17848 |
C:\KaVBE9\boddevec.exe
| MD5 | 091ce6baaf2d0916f9dfa1461237e421 |
| SHA1 | 5902212ceeb2154045b0a0da553e70d84839836b |
| SHA256 | 62d82aa88273576dc8bc487628badc080e5707046f846d8d591f81d64b06476e |
| SHA512 | ce78e389b4871826f4ffc3f9d7319e0544025e916a576000b55e8cc09db59464fd1819ff9a6b3243546dfabdc5b47e99c70c6c95d09481db9e6d6a2621320e05 |