Malware Analysis Report

2024-12-07 03:07

Sample ID 241113-sw1cpsxqck
Target 483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe
SHA256 483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03

Threat Level: Shows suspicious behavior

The file 483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 15:29

Reported

2024-11-13 15:31

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe N/A
N/A N/A C:\SysDrvU2\xbodec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvU2\\xbodec.exe" C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWI\\optixloc.exe" C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\SysDrvU2\xbodec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe N/A 30
N/A N/A C:\SysDrvU2\xbodec.exe N/A 30

Processes

C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe

"C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"

C:\SysDrvU2\xbodec.exe

C:\SysDrvU2\xbodec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

MD5 44c271b762e9ae11d732e1cb6b850423
SHA1 8c59f571fd28877e79c71f9f1993f1a3daa0099c
SHA256 af8c07f0c16551a09a439ddf7fdc942ef60d3b56a97877436cb7b1fb42adfb6e
SHA512 0c856e090560c1f8ccf3bcff4eee22d89bec24a5fde7b251909aba4f5c8a1034ca27e94e33ea1fc828b930e760a51ca0551b35569212c5330bfd7ee54014c6fe

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 9d047328ae2571ff2c216915ab14f231
SHA1 2e5f685fcd5930c36eadeef4d0705e05cb6fed0e
SHA256 a2a8be4b37dc024387422e9e71228bdb863bbeda79064562ffe4774fec93bfe7
SHA512 bff12d33ae0fbf001dd461dddcc8805e9f1f38d0eec13abaea5a1db009822692b0587d9063970bc863bf7e9b2786491f7c8e03fb1c2d5023e107d0de611621b9

C:\SysDrvU2\xbodec.exe

MD5 b4eca5f5c2ebf587f4b52f2e4e49a195
SHA1 752ebc0ab2d2a9dbb064374966459ae8fe3f20f5
SHA256 40819708451f19a4c63a759492f5bac37a6e663a7801f037b027cd53324655e6
SHA512 0101311a3728475a28b80fcbbfa0e6c5194a77564df8a6d7ed4a45612669fa7c73964aa97a42745d389f5738888f46037e0d906477db9b224e8213be2e90f1de

C:\MintWI\optixloc.exe

MD5 ca420f759f7d3a8d47a4b0006ec027cc
SHA1 7b77b159520c00a151f25d8aafd395d389bd00cc
SHA256 ee8dd697378168224a687006c2b7e68becf20ff753b05df7588838155ec30b83
SHA512 bb0e6f3502b2a63a60ede9471ce9a5d0a1f5ba764d20fdd61caa1b30f4294eef0d7dac2d07ae6748cfd6dcef484be26f2b3372504ee45e03dfc32d0c5e428c30

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 83e179066b8100b93a734af526d144a0
SHA1 e807eccf0af08e34cc4b68dc0f12c83d93d7c5dd
SHA256 a37e0d151a5a0e9d8f00380c92fa886e19100e7c1c26213934a9232b2310b78b
SHA512 5efb2f113c6ee2d6b6426e45b6d4a544c4678be117020573217fc4198166af9afd4b3f9963405aac7e9c64394e7343f22eadfd0d6ab0a0ae961500f39151a2be

C:\MintWI\optixloc.exe

MD5 de0d5a8de2e87aca12a6e0364c7249e8
SHA1 5570f9b67f650b71c94cd270fe13d438cd8c1a26
SHA256 fb0858efc8d29b1c35f93b942b3a791c273abb8f07d378307edae2fe7fd893cf
SHA512 a0aaa15dbd3d4071ba152975b1b3bd6c9a0d7a64ee79d616a03ff3c2497108eb049b6d28776de10d720d90ee15fd390af9bbfc0858bfdee484afb355cdecea0a

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:29

Reported

2024-11-13 15:31

Platform

win7-20241023-en

Max time kernel

119s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe N/A
N/A N/A C:\IntelprocPY\devdobsys.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPY\\devdobsys.exe" C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBBM\\boddevsys.exe" C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\IntelprocPY\devdobsys.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe N/A 31
N/A N/A C:\IntelprocPY\devdobsys.exe N/A 31

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1548 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe 4
PID 1548 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe C:\IntelprocPY\devdobsys.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe

"C:\Users\Admin\AppData\Local\Temp\483c006b34a48a7ce4a8c0b11393f232b3befbfb4883f280b0a3c13346995f03.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"

C:\IntelprocPY\devdobsys.exe

C:\IntelprocPY\devdobsys.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

MD5 107ff0ebb4065df75a1ba6214d2c8ab8
SHA1 275a001e62f9aaf0609f2feadceedd7297c90961
SHA256 a68508e4ea2a516d3f1e2eafa967942126188b202a633b941478358531086264
SHA512 8b1853b9ac78c70a920138c82ee6a2d5463e5b4ccf756ebaea387d467f3cec27864b99b606f2933800e901526570629c71a822cc3b4a43b62d88306963776f6f

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 072bb19ae9212a926c42cf0de529f0f7
SHA1 5f93461997d3094f4207eb0227fb41d1f654e793
SHA256 a4cb861a4f407f2c3c27c5d5de5d9cf9f8b70ae33c684a6ca860f92840e07ce8
SHA512 3bea77ae2db85c9ae67dc42737c07c3b5a964c26f7de43aa3bf659d74a2b8965a88f957ba880e28a07e2196072c61c5536f567356daf4521005c3bbe1545f597

C:\IntelprocPY\devdobsys.exe

MD5 5301e55fb361f85ace3f4389afa953e5
SHA1 9cf0c634e1bb208c2e0a334561a92c6cec3943d7
SHA256 14255f4d5d99b4d3a85c3844395735f4ca2ab48aaaa888d5ec3aec7577281f7d
SHA512 c0c72d540badc3d7450ca089495675f9f51f3915837e8dd8c4e210dd65edc62603412b34a5d0a1d0a44828fe3c8a5820a1dcd6a4b79628817935d0b655075768

C:\KaVBBM\boddevsys.exe

MD5 d5d36f6c0e5f0f0121e299732e06fa85
SHA1 e99a2a3928b243305f88a693cdc327c640779627
SHA256 bdb75a39fb6b7e958c08b55f0629e582be511d39684d310e839207c8c3f97189
SHA512 a53d3c74a4246039e0d3dc7ff7f0e5ff2f8f892892d260b106f395d0d437c07ca528119e0a801382027ce305f0110e52410bdcb16230fc5eb02631eb143540b0

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 67d36e89de2dd323c91b113e2f962e4f
SHA1 b619cd837f9c06e517dddfc8a9962e19998fa2cd
SHA256 0a98b91a54540354ef5c8b03a8ec81764a9f936014728346c39e57f149681a25
SHA512 996bd897635c6e9a692f33183b304e7181a118b87fb0ae85e1d0e073df6f9c0cb0c597d07327faf4dba1ce308bbf62884cb938dc79d6ce172a67cfca32fb4f50