Analysis Overview
SHA256
3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b
Threat Level: Shows suspicious behavior
The file 3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:44
Reported
2024-11-13 15:47
Platform
win7-20241010-en
Max time kernel
118s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\UserDotPE\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPE\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBR2\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotPE\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe
"C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\UserDotPE\devdobec.exe
C:\UserDotPE\devdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | 23b304477c80490b74b5e9c658311ee0 |
| SHA1 | 1a298fe841484129e8c03a2278236a74a5dc6635 |
| SHA256 | 222f41db78abf344788266013bd0fc5a19cfb3391496b180bdc1d50779919588 |
| SHA512 | 7edba9136b09fc5ff7723c40adb3c7452aac67f407a89843160babc53dabe0f6b52b898ebcc2f8618b2c9626cfe380a19513b35b9732e3a84f30259e056c53d0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e31349c4d540ab4202be4a2ae3c074f2 |
| SHA1 | 5dc9c7dd312fc4e4acb45e35d7a943b7075788f7 |
| SHA256 | b30690587ede2681c82b135212a9198c56b9f81b82e01ece137cd9476aeae364 |
| SHA512 | 781ecdd85fc4075c6fec885dd6e1c8bb38bc2e051bca341b804453a6d6653d812a8bf80ad1ebdaf7ac279b3f92243b652d66bca90add6951949b496906f358e7 |
C:\UserDotPE\devdobec.exe
| MD5 | b2f48feda5ee67bf82385ce32d920625 |
| SHA1 | ed116342deaceb1ba37711f983577a39a8d39524 |
| SHA256 | 1ebb7721161483d3acd8f913b0ba9ee9428c4ca997a34fc9fd2c597f94125f7f |
| SHA512 | c1694bf59f461fe7881b42da8e1470a68cfbb7daa1255d6c78f1e741449836a2229c39b9add8e1336edbfd31ab83ac0981237a9855fba557b8aa42e10adcde28 |
C:\KaVBR2\boddevec.exe
| MD5 | 44e78196657577739ea2f176764e6b41 |
| SHA1 | 8d8077e97773f14a1328997e91880c0fbc959623 |
| SHA256 | e424585d957f8a495432b05e5a608957cba149f44d3b32c7d3cd327e1ca2e67d |
| SHA512 | 1af080269c1934dd818bf23b61af6feb7e64b2c41a1e0a77f74e53d2aa46fa7d83089af3a1dc1f018e0e8fb12d5f6619e6da9d2c2f0bf885a519f14e86b233df |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 925122005b96adfabb6d9e2a05b80013 |
| SHA1 | b8e17df782c1a2b2b79168ff4a0b359622120979 |
| SHA256 | f1462a22bdb17006011acbfc240409603b4de331b5a0d480161150c9741062aa |
| SHA512 | 9c9947086a1892b9929387a3438df1765dc9dbaddc8b34891bd2eaac8fbdd3c39bdefc6ef49e68743d029d0cab9da374a5d166e6e700cc1e94ead74bcbec7740 |
C:\KaVBR2\boddevec.exe
| MD5 | a9e92fb529a6115452dcbb524daf2837 |
| SHA1 | 397c7dc829df3302e4a229a9fa32fcad5b4bfb7d |
| SHA256 | 5472c869731bb9a857913fecdfd263dafc514ab5ec781eaa11625be08ba77af4 |
| SHA512 | bd00c3129cf567f460e666536989a4806905ab17c7aa08169bd9093c2a84b8553ff6a0a05d253d8bdc263e1925783f27ce56c16a4841e96972b4eafdd5988546 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:44
Reported
2024-11-13 15:46
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\IntelprocLG\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRW\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLG\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocLG\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe
"C:\Users\Admin\AppData\Local\Temp\3a420a5683029819924f8a87c8350e41ecbedc26c40fa80ff01138225bbf421b.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\IntelprocLG\xbodec.exe
C:\IntelprocLG\xbodec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | 447ab9676ea386c0eb2ca0e9e0e43120 |
| SHA1 | 17caa24729b4eaf03a72d0c39278abf78a6a7bd3 |
| SHA256 | 7a567d1d006985cef7eb9f80b0846880688cb53fe75804f2c63ba4d6ce388ec0 |
| SHA512 | a60c44028e7fa4de7103ba4e3e563c1cbed9fc609e870a4bb9d1af029118c144cf0b0921411b32ede027d3904e3c4c8698de1f4bbb542d501a5d5684cc0a05eb |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6b143dba8139cb562853ccbf5826e831 |
| SHA1 | 9c01e0d84db55bd905a08f6f851528a0ed4619c6 |
| SHA256 | 6f51cff8dd7c6ca76624819d5d778a8188770ea6535910c36879615ed7b6632d |
| SHA512 | 5233a385ec78d0f6921f6089dd3d7c7eb700adfa3b315210929127767486a1d99ad6da63f875d45d5e668c90a67fe55fb3da099a3db00f162463297568deca1d |
C:\IntelprocLG\xbodec.exe
| MD5 | dfe131a2e0a20ba50ccb2f7d21f78a98 |
| SHA1 | 2089afd756f93e348be176e4d4948007a8656624 |
| SHA256 | 2b38f6563cf94297b71aed5819f4007c7841a14bccd1c1c95605e2ab7eaf1dfc |
| SHA512 | 74c0299e38ea4964ab4fac63d269e6368f5acd5f664518ef2154862a3f843f4f6bd22916ca113a78b78733ceb38836e68b883fd690e81da4ce8a815a133e196f |
C:\IntelprocLG\xbodec.exe
| MD5 | d52c80536a61720e78f597fc7219c192 |
| SHA1 | a57124f9e44ca55aae29b125fe6308b5c6efa473 |
| SHA256 | de6cb96a2c2a8b672075251e70d2d0c410f6598420d93808ea82fbce92870c70 |
| SHA512 | bcf460f8d7679ada1ed247a4324344df8f7ef7ad4524a0b569e0bb9183aa2c3b2419da5942bc3ccbee474295790ce5a2cdf125aaf48de1712f38b82aeea68973 |
C:\KaVBRW\optixsys.exe
| MD5 | cf5ccae4e1cb8c0a8082b575e72a82d6 |
| SHA1 | 690ab4b9ced4ad90e15621103f11c4602302540b |
| SHA256 | ed5cb5ab595a99d6eb91a60a348194db67347479c6e7ca933a146282b0dcc7f9 |
| SHA512 | 0329125a22b2ce47ab230dd10a81718b05f9b7a3a1a92b550575589e6a9bbca98cc25bba42d5a5a1fbbee365dd3952f2e469d62377768749b0ed0d97a1d64c9a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | bd4a02c2016aae36244ba856c0e36eff |
| SHA1 | 4610b7a20fcb5dc2fe179dad1e5d2890eca5f835 |
| SHA256 | 0ede4b85495c7a70ba100e083cbf90b8d020c76dd8e93013e55e11a764af07c4 |
| SHA512 | eded06d3eca982f8ba68abe557df55c2b5ab9395e81c6205bf29ac4510cbaf9e5412e61375db7480a54d839b5bbdfbc80242fb9d44128a79c412b202ac83b187 |
C:\KaVBRW\optixsys.exe
| MD5 | 8d0c0756c4dfe2af4ab2f7720d303ff3 |
| SHA1 | 6b39dd80f6026a347b390dabeac5f2bca2752954 |
| SHA256 | 188f7a04468adf578a50df0a7b06fab6b30d8d6f4ba78286fc34631a44525842 |
| SHA512 | 6260dea084cc0dcceec5eb431459329fa6fff618cef86937eb89df38a4f01dde587abe120a0fd338a1c2e0b975bd6c8492af6780cfc6e00859c0061ff93997a9 |