Analysis Overview
SHA256
1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bc
Threat Level: Shows suspicious behavior
The file 1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:30
Reported
2024-11-13 14:32
Platform
win7-20240903-en
Max time kernel
119s
Max time network
21s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\SysDrvAB\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvAB\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint6D\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvAB\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe
"C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\SysDrvAB\abodec.exe
C:\SysDrvAB\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvAB\abodec.exe
C:\Mint6D\bodaloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Mint6D\bodaloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:30
Reported
2024-11-13 14:32
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\AdobeRR\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRR\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidYT\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeRR\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe
"C:\Users\Admin\AppData\Local\Temp\1748727a8a49c7fc1662bd13e5ad2dd84af964275c117ba7441726e6674368bcN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\AdobeRR\abodec.exe
C:\AdobeRR\abodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeRR\abodec.exe
C:\VidYT\bodxloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\VidYT\bodxloc.exe