Analysis Overview
SHA256
45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d
Threat Level: Shows suspicious behavior
The file 45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:35
Reported
2024-11-13 15:37
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\FilesMM\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMM\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7X\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesMM\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe
"C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\FilesMM\abodloc.exe
C:\FilesMM\abodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesMM\abodloc.exe
C:\Vid7X\boddevloc.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:35
Reported
2024-11-13 15:37
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\IntelprocPV\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPV\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax2B\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocPV\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe
"C:\Users\Admin\AppData\Local\Temp\45bd67504a4b590cd4d0507c74938d9c8592fb5782701ba94628faddbcb95a7d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\IntelprocPV\devbodec.exe
C:\IntelprocPV\devbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocPV\devbodec.exe
C:\Galax2B\dobdevsys.exe