Analysis Overview
SHA256
ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6
Threat Level: Shows suspicious behavior
The file ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 19:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 19:20
Reported: 2024-11-13 19:22
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\UserDot29\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot29\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCR\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot29\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe
"C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\UserDot29\xbodsys.exe
C:\UserDot29\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\UserDot29\xbodsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintCR\dobdevec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintCR\dobdevec.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 19:20
Reported: 2024-11-13 19:22
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\UserDotNB\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotNB\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8V\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotNB\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe
"C:\Users\Admin\AppData\Local\Temp\ec8b1ee3312b133433b97107cb99fc617393c6a93c6a8349d788074e01f1b5d6.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\UserDotNB\abodsys.exe
C:\UserDotNB\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotNB\abodsys.exe
C:\KaVB8V\boddevec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVB8V\boddevec.exe