Analysis Overview
SHA256
766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60
Threat Level: Shows suspicious behavior
The file 766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe received the verdict: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:56
Reported
2024-11-13 18:59
Platform
win7-20240903-en
Max time kernel
120s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\UserDotZD\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZD\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintI2\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotZD\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe
"C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\UserDotZD\devbodec.exe
C:\UserDotZD\devbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 44dbd4a53dd9e423c269e7ea98f56eff |
| SHA1 | 5f4c9b3a2fcdcaf7a84d928df55dd2ecc18420b7 |
| SHA256 | b30848d920ef85f0c3babc7c66f2a1c8a55b8ac2b5cbd10c0b5390efabcdfdcf |
| SHA512 | bfe33b2a530f3805da6de47c8879993b861b1d9e27b2c22d75f6c1083a2107afb57a4a47ccedab473612227192f652778a5826a781bac877358d5b9485becdb7 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 269b5cf0cef1d48f1a14feb032beca80 |
| SHA1 | 430197f408a2a60da15078d284d344e4ddc5946c |
| SHA256 | 2c0ca9acf0fb795b6ecebab034e8a0ac8b9388565290b70ad9e34d05cc25bae5 |
| SHA512 | 4c448fd2452532a82a4b74a5086219c27ed1b64cf94845eb74c948553309a3878081c60c233f56c163b502b1f804ee8f497407fde158f774b348959afd0d9fdd |
C:\UserDotZD\devbodec.exe
| MD5 | f67ab6bebd521bfca2d49b33869e530a |
| SHA1 | 5745d4ef1cfa2150cfd8e32dc1652ca29f0c0907 |
| SHA256 | 933dadf101772fe0b1ef44eb608f5c7b07e71689ad01ae4cee43023c0d5cff6c |
| SHA512 | db5ea468170535a9409fc4959c4f30e709cb276dd946582a75fbe3128ceee45f1fdd7c5758acbd4b83d81cac188da09b9ac94822239e7574a2102694601f2d08 |
C:\MintI2\dobxloc.exe
| MD5 | 0ae548e4f931afa314ff0b15fb06dd24 |
| SHA1 | 53b330cd1f5138e82bfcd8fb2184ffb697f5501f |
| SHA256 | 4b21b21efa137b65bb10e0a1e3b8bcbfcf327b7f220e10a4618e5a5cd16a2da9 |
| SHA512 | f9440fc3e94fc8c0ce027160aa5d4a3a7df30c0c9a90436db0afdd0f4464addb696c56d5e05bd66fe58f36427aa216d6ca305eba9f2cacb46d1ed4867fb77d09 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0fe953d15f84a953bebe1e569cf59477 |
| SHA1 | 0336e5edd9b1338164c5922d0f2ea3f59e266705 |
| SHA256 | afaaaa3da93ddfcf30f1d6768154f8829a00a4dac4da8b028d948e8da35eeee2 |
| SHA512 | 750da09914fe25efa907c331bb5710cdf6d15b5daecf48f711dca1254802efeaef8cb668876032ae9ba90abd3a4eec4abcd46d4ccfe687e9aa39c1fcbc01a7c0 |
C:\MintI2\dobxloc.exe
| MD5 | e1a2bb369fe1fea618b4bc43a0cc9efa |
| SHA1 | 3d26f8f7ad076d4fec26d933509bfed56ac2051a |
| SHA256 | fa349c9c2e463e74e5a53a99cf6803c31fab5ac99f8ffd8a69cd08382d0c0705 |
| SHA512 | 38c87788b73adbf0fe2892d5681855a2721b0886bb1f09f1db2b918ebabbe57f0461f583040cebbf39a34b20a67b0932e8ab0368a5274d9456447e0b615b13f6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 18:56
Reported
2024-11-13 18:59
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\SysDrv07\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv07\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8F\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv07\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe
"C:\Users\Admin\AppData\Local\Temp\766164e453628a8a317de09f932b54090bb66d63b4e38c9ab367cad6b8f2fe60.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\SysDrv07\abodsys.exe
C:\SysDrv07\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | f2c195a094c982da41a33ccedf9a8a25 |
| SHA1 | 593e456ba109df842c4274484c4e615d006dec8d |
| SHA256 | ff0f3278d010b1aae902b9b7fccf88c018c166c4691137c240555c4be58eb33b |
| SHA512 | 34839757989879c23be980b3e8d846d73584c4ef7bcfc5f92424054f89013dc7c26d90cdb89f87942aa8fce1f3ff26da9e7c71cc7e61a5866157790f0745dbdf |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7951739850748f30a8750801013afbe2 |
| SHA1 | a58bab6b464326ea43ba37ef9fb1fe67c7b5e208 |
| SHA256 | 4cd6d22fe37aa9a1bbae580a1598fd3717edc3521adf7b7b550a2e3f9eb2b119 |
| SHA512 | 661e68c210c0882c04884285377484958d17744d706e6d55dfde947358945393159aa0375f5b8a74f09932f49f039baf6396b900aa4c678e5d2e91fcac91c7fc |
C:\SysDrv07\abodsys.exe
| MD5 | bf90cda1c25b2b34b2f8c04d71240966 |
| SHA1 | 3f188af972e08be48cc48212ea3e84eae01b48f4 |
| SHA256 | 253256411cecc8e2bf5de2a3cac11704185c138d7e70222fceacc667077001a4 |
| SHA512 | ef8ef23ed2a5b7dc2b215bd0ac49120e2e8680b3fa849560ac6068b0c71e93b085a16b5cbdffb8d35f4444e02b8598a4fe63bafbee86ba1c0777ef28eb6f32e7 |
C:\KaVB8F\dobxsys.exe
| MD5 | ec619f25a1857c33d05d3c5fa6383aea |
| SHA1 | 23522cadf16d1cd34b95f87f0a9c0776c6c59216 |
| SHA256 | 02660e7ee98cd8a5e00f8a5a16eed7e65b44789fdaf37057a83dbd6ee2054f6f |
| SHA512 | 5714dc0542279157e5b963a1e219c7738d36b2ff516043e372ba77e80269f58c36c181e86975dc457d17407837a064f3418f3b5d35075eb3e67b17feb6d630e2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ef32dca60e20702fdacaf694a1b951f1 |
| SHA1 | 4e75f345dc0c242fff80a0231fed0770dc49a1d9 |
| SHA256 | 5019ab90cc26ad7cac8047e4c2e79cebbe2e4a14bbdcca9e3fd5f930eeebdb88 |
| SHA512 | eafb39cdad174c6917265b5dc641f06749fa2c38c4ddcd37323e8452fe3eba4af21d5d0cf4b7a2b71ba7bcff8b8856a78136ebb30ceaf02606deb81f75b73994 |
C:\KaVB8F\dobxsys.exe
| MD5 | ea0acdf98de64a63c91c2ef0bf9f893c |
| SHA1 | 7395c09b638b57afe251c609f080f9cc8d78e7a9 |
| SHA256 | 6932a5bc61091818ddfd7f26019e8949b28d03ae68097350042806bab49b2d89 |
| SHA512 | 507155ff5ed9108acb999012d1f91a1cdc233cb9cd80f964cef580e5f01cec6c07796479b33a143889e0dae0d115981f7de066546aa23098834589e8802ea7a2 |