Analysis Overview
SHA256
989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0
Threat Level: Shows suspicious behavior
The file 989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:08
Reported
2024-11-13 19:10
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\Files54\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files54\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintK9\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files54\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe | "C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe" |
| C:\Files54\abodec.exe | C:\Files54\abodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| Hash | Value |
| --- | --- |
| MD5 | b4469c1186b3614e05a41be734ff8754 |
| SHA1 | 72aad5f8aa138cee14052a2fbd0a7b10bd0ccdf9 |
| SHA256 | 543dec1ee4cec54ae3a4b9a91a95f6654270bf67e39aabc9365e143ce08ab574 |
| SHA512 | 274c6c59cf01af9ec4223201a63c0a2321c4f6c1617f5bad9d6dda3bd3bd1bac5c0d53be32495352c14a612bb6fce44c905d59e8663b9773f5ad36e94f841a90 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | d914852a1192f5ffa88326bccb1c1e21 |
| SHA1 | 8f311384aa8b59cef09a97a0f34d738059a7c327 |
| SHA256 | d38af2e1f6fa85b3808be54e996c9ca83d7c214838515e7447d88be3e3918aa0 |
| SHA512 | da25a82d4b555158b20f8d818e5ef8886013e4eba8dd91ec5c7257fec2c37e82a954569dfa7fdf0c465911f220c20b184abc97b64cb7c303400067947c92d6ef |
C:\Files54\abodec.exe
| Hash | Value |
| --- | --- |
| MD5 | 26d590246918830c3491b023fb476a14 |
| SHA1 | 2f6f0b92c1214d394c4db066346415aa5e30f81f |
| SHA256 | 0df21b1753c5d81a51d2b265edb37dc15181bd2752b83180d479450d3781ad8e |
| SHA512 | e8a482b00f4f842700191b53b112a36c7f040b35d9391f2df50229f5eacae8f4227fc7157d12a6562cc6182bbc2f29b4cb583216ab4a3c2acbbca1dbb5d52c37 |
C:\MintK9\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | daa1cbbc75f689a3a01eb68c71e4958f |
| SHA1 | 0bcd72cd553de8fbe8b2ccb4e30f35db8c58c259 |
| SHA256 | 6126ca51287d0ae3713dc15f300cc9498aa768637b72eb0b7bee4fea02a7aa1c |
| SHA512 | 6cb5bebf83f0997a3c9cf667cf239ce27713c5956ea7853a246a9fa7e8f03945f89c697637f2f038fc901bbbdb6e0b4c24c8b50a9d61b231532320c4c8e46aa5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 8fcd826cf33c67f3ea588d71bc043c00 |
| SHA1 | 0d1c66132aee09d79677f173d15bd2b3504d2936 |
| SHA256 | a3833fbb1e54b2c7e98788754f7262383dbd62dbfd38b48f779d97b774d8c598 |
| SHA512 | 3779204a51e9aa75479560dd3e8e97f08e8203033ce5f663c1876ae19287bdd54c1fb35d2f91ac144b0f38bff1ac1e76d487bf20f3f591f1b0e6b86c8fb68ec3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:08
Reported
2024-11-13 19:10
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\SysDrvZ4\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZ4\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBP1\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvZ4\xdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe | "C:\Users\Admin\AppData\Local\Temp\989e78713f3a1f967375f5e4a4f99fdaed7abcfcc69dddadc97ced4ed8c0d4c0N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe" |
| C:\SysDrvZ4\xdobec.exe | C:\SysDrvZ4\xdobec.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| Hash | Value |
| --- | --- |
| MD5 | fe3a410cbc85c465d8763f9d9dcecbc5 |
| SHA1 | e60f0d407c6c1cd466c3575a158ec84ec931c3d0 |
| SHA256 | 3abe2205fd6e69f4bbcf96a794254552a93b0c104b33688d8e71a55ddfb2756a |
| SHA512 | b087ba8a18c73d8eeb77502ec41a3b6dd3dc50160007cc39b2de4122f8667dc24a8c7ec0d6a5e377b0cb8979b8ad1cf83a66fd15ac57da7c98a1c78865cb3d2a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 47e3cd312f1bb77ef42da798153b8a71 |
| SHA1 | cf0a253fc96cc8f806768080eec3b8586fd29ee8 |
| SHA256 | 5e962c7a96a8e8ab4ddcb4df7fc91a4371ce21b92adc152cffd598f6afb3b9ab |
| SHA512 | bedc17055625a6eb3e1ede03c2a66170126999e7a3db3ff4e0c7c1a4898a3dce5f830b71ccfd2646e507f32cef963f4747c17fb837b2d8461288f5cdd4883849 |
C:\SysDrvZ4\xdobec.exe
| Hash | Value |
| --- | --- |
| MD5 | 62eb41d1d4a755e57b37df643dd70e2b |
| SHA1 | 0db4b26c70cc2941145f6af89c000b8f08675644 |
| SHA256 | 01b1a5d58495004219df7a600dfb3295e840aa85ca2f03d9a81058ec333a5605 |
| SHA512 | 8f569a9c9fbcc5d383b41bd5c879f248fcd32b1dcabeafd72d9a5731cbac7636f03f460e575323b2c86f0f0abf9fff9c8aa55def4e0ccee7ee2b4622096dbcd7 |
C:\KaVBP1\bodaec.exe
| Hash | Value |
| --- | --- |
| MD5 | c2bb216ca5177204f06e1204e30782e6 |
| SHA1 | 200cbdfd4d005ff8214a19546c5e72c8850a3f42 |
| SHA256 | de9025dc799869d2d695b32bb9719e69d050017d22c0f6e27b7083e1f0e2d3b0 |
| SHA512 | 391aa42724af7237a8f3bf67c673b6df7e9357e94194d210bd6bc9694f4ffc706e416e154b64847b8f149ac3dd40041abb3d548ba798112eef7bbbd7694f9886 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | ac98dc83aadd7e370b476476213f2bd1 |
| SHA1 | a284b0644eefee3c4542fd9266e72fb36c970c85 |
| SHA256 | df680b70ff858a4a94a90b3c32e9d56ffc0ef68ff1eeecfc8c17258edc6206dc |
| SHA512 | 6b63589696c6419636a9eaf518f81290eaab0b0549abce325dd8bfb54650eca88e54b2aca44894ad5a3e24041a30baca4a76ae4fe3dbba5bfbfc26244032a722 |
C:\KaVBP1\bodaec.exe
| Hash | Value |
| --- | --- |
| MD5 | 931a6c78cdd52287c0844f5e6a41e8fb |
| SHA1 | b4c36c90beb2305de222e5ef2273243466d34b2d |
| SHA256 | ede421e7848a5c93bdf9dd13e9a4ce21103a9cf99746804405f5c5d444428c41 |
| SHA512 | 454801433225ece534d150d4f303d669a6e46012bc93a33beb08b19baa7a425caa45dcef2e18bea104b8e11b4f1089113c5bfb290ebdd0c2f3e784f841666d67 |