Analysis Overview
SHA256
2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106
Threat Level: Shows suspicious behavior
The file 2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:51
Reported
2024-11-13 19:53
Platform
win7-20241010-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\FilesIF\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIF\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1R\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesIF\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | "C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe" |
| C:\FilesIF\abodec.exe | C:\FilesIF\abodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| MD5 | f51b6c95576fc3919596ad4634544cef |
| SHA1 | 7c7b3649a9f8f9d85654db98598ed0342d63fbab |
| SHA256 | 76e413f95c140fee1cdacce443557d360fa2733d6aab8a5f2ed22c0db4e4d5fe |
| SHA512 | 4d1bffc3df4cd28101770025215460b7d234474955847d750ffb83819b4c6269cbac8d9ff1a1bd99d941be087f77517d4ab4b7e459f5c88bf6e94f887338d1cf |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7a4afc58c6694671ddc3a6279b13f680 |
| SHA1 | 4373c90b64ebd1a8a87af1e8f3c14f4dca96a71c |
| SHA256 | 775a57a281947009a336778e823aa3eb1dd317843a527f77b18f5aac7df8ee91 |
| SHA512 | d377ab63e02ffb57a70978ecf91c4c640cbfa1e56cf4a0a3244ffeff41386778e15cac97343b3096e7c7147cdd562cbc2295fc648f8a0bd40b8c14effb25e1c7 |
C:\FilesIF\abodec.exe
| MD5 | d29e0dd61b3e407b96e7b0d6fb747379 |
| SHA1 | 2b0b51d27993f4df123bf69d2e012dffe72775fb |
| SHA256 | 000ee6c915a2012adcde03651cdc9ded78b35e5383385fd35cfe65806d366285 |
| SHA512 | 50648ad2f517be4bb750d8e4b616ac9010b3dec9bd94d239b776bef478990538e683c4d834e1c16ccb5f12213b00a0a9925cb20fc18706ce91ebb5ab8cdbd3cb |
C:\Galax1R\dobdevsys.exe
| MD5 | 194d6a8580113088ee1cb16ce995b7eb |
| SHA1 | 82be3c34f30529bdf2e6b39f0c449d1962a96e53 |
| SHA256 | 4468ab84670d2d1f1ef1345571ca92da2eccb7e97b84fbf6eba1fe50f5b8174d |
| SHA512 | 17a671fc890ce788cf6326eca6d2c6134cdfef5342edb6d44b21d1061f179172855d2fb3c96795e8995d482391519bd1edf26eb5cbefdca064cce1a39ab94edd |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9d835f72e1500ba783fead9f724c5216 |
| SHA1 | 23e37b78fc6624fc0f18e7f5a82231742d32b3ef |
| SHA256 | 8870236ff0cc0120755b9eb54321bbc6d46575e51b642dcac922d4b3fa463259 |
| SHA512 | 8dac395e64520b082e863093db30dda7920a63ca9de672f5d52dd5e5a2c5382d3cdd221ba6257fa421635244a1f4ae021749df9a4743973b9f1a8ab12355357a |
C:\Galax1R\dobdevsys.exe
| MD5 | 87fb4b911f1ccd440e8ba78b1472973f |
| SHA1 | f24e9e37e0c0a12c6a8aa934549d82c2c98d639e |
| SHA256 | 63a0d1e652d24fed85c6e82428ede193dbc4a74bf8ed742821c6978f9ae478b8 |
| SHA512 | 6cb0a4524a4cc4431de45e1165a5167bdb5c460573ae9ea98d20b240becb55ae61054d623baa0b8912d80e436e7e7c882f3ce5e75163444f416e8499387bf5dd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:51
Reported
2024-11-13 19:54
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
101s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\UserDotT2\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVW\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotT2\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotT2\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
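The persistence signatures above ("Drops startup file", "Adds Run key to start application", "Executes dropped EXE") recur in both detonations, but the dropped file names and top-level directories differ between the win7 and win10 runs (ecdevbod.exe / FilesIF / Galax1R versus locxdob.exe / UserDotT2 / KaVBVW), and so do the dropped files' hashes. What stays constant is the Run and RunOnce value name "Parametr", a .exe written to the user's Startup folder by a process running from %TEMP%, Run-key targets in a freshly created directory directly under the drive root, and a marker file in the profile root named 253086396416_6.1_Admin.ini on win7 and 253086396416_10.0_Admin.ini on win10 (6.1 and 10.0 are the Windows 7 and Windows 10 version numbers; the digit run is the same in both runs). The following is an added example, not part of the sandbox report or the sample, showing detection logic keyed on those stable traits and run over a constructed list of Sysmon-style events (field names EventID, Image, TargetFilename, TargetObject, Details are Sysmon's; the event list itself is made up for this example and mirrors the behavioral1 run). The network table shows only PTR lookups with no process attribution, so no network indicator is used.

```python
"""Detect the persistence pattern recorded in the two detonations above.

Added example; not part of the sandbox report or the analysed sample.
Input is a constructed list of Sysmon-style events (EventID 1 ProcessCreate,
11 FileCreate, 13 RegistryEvent SetValue).
"""
import re

# Regexes are applied with re.search/re.match on the path strings only, so the
# same rules work for Sysmon "HKU\..." and native "\REGISTRY\USER\..." formats.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$", re.I)
# Run-key targets in both runs lived in a new directory directly under the drive root.
ROOT_DIR_EXE_RE = re.compile(r"^[A-Z]:\\[^\\]+\\[^\\]+\.exe$", re.I)
# <digits>_<os major.minor>_<user>.ini in the profile root (6.1 on win7, 10.0 on win10).
INI_MARKER_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\\d+_\d+\.\d+_[^\\]+\.ini$", re.I)
# Value name used for both the Run and RunOnce entries in both detonations.
SUSPECT_VALUE_NAME = "parametr"

# Constructed events mirroring the behavioral1 (win7) run; paths from the report.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe")
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\ecdevbod.exe")
HKU = r"HKU\S-1-5-21-2039016743-699959520-214465309-1000"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SAMPLE_EXE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": SAMPLE_EXE, "TargetFilename": STARTUP_EXE},
    {"EventID": 11, "Image": SAMPLE_EXE, "TargetFilename": r"C:\FilesIF\abodec.exe"},
    {"EventID": 11, "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Users\Admin\253086396416_6.1_Admin.ini"},
    {"EventID": 13, "Image": SAMPLE_EXE,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\FilesIF\abodec.exe"},
    {"EventID": 13, "Image": SAMPLE_EXE,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\Galax1R\dobdevsys.exe"},
    {"EventID": 1, "Image": STARTUP_EXE, "ParentImage": SAMPLE_EXE},
    {"EventID": 1, "Image": r"C:\FilesIF\abodec.exe", "ParentImage": SAMPLE_EXE},
    # Constructed benign noise: an installer under Program Files adding its own Run key.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]


def detect_persistence(events):
    """Return a list of finding dicts: rule, process, indicator, reasons."""
    findings = []
    dropped = set()  # files created earlier in the stream, for "Executes dropped EXE"
    for ev in events:
        eid, image = ev["EventID"], ev["Image"]
        if eid == 11:
            target = ev["TargetFilename"]
            dropped.add(target.lower())
            if STARTUP_DIR_RE.search(target):
                findings.append({"rule": "startup_folder_drop", "process": image,
                                 "indicator": target,
                                 "reasons": ["exe created in user Startup folder"]})
            if INI_MARKER_RE.match(target):
                findings.append({"rule": "profile_ini_marker", "process": image,
                                 "indicator": target,
                                 "reasons": ["<digits>_<os>_<user>.ini in profile root"]})
        elif eid == 13:
            m = RUN_KEY_RE.search(ev["TargetObject"])
            if not m:
                continue
            reasons = []
            if m.group("value").lower() == SUSPECT_VALUE_NAME:
                reasons.append("value name 'Parametr'")
            if TEMP_DIR_RE.search(image):
                reasons.append("writer runs from %TEMP%")
            if ROOT_DIR_EXE_RE.match(ev["Details"]):
                reasons.append("target exe in a top-level directory")
            if reasons:
                findings.append({"rule": m.group("key").lower() + "_key_persistence",
                                 "process": image,
                                 "indicator": ev["TargetObject"] + " = " + ev["Details"],
                                 "reasons": reasons})
        elif eid == 1 and image.lower() in dropped:
            findings.append({"rule": "executes_dropped_exe", "process": ev["ParentImage"],
                             "indicator": image, "reasons": ["image was created earlier"]})
    return findings


if __name__ == "__main__":
    for f in detect_persistence(SAMPLE_EVENTS):
        print(f["rule"], "|", f["process"], "|", f["indicator"], "|", "; ".join(f["reasons"]))
```

The Run-key rule fires on any one of three reasons, so it still catches a rebuilt variant that renames the value but keeps writing from %TEMP% or targeting a root-level directory; the "Parametr" string alone is the narrowest, most brittle indicator. Feed real Sysmon events by mapping their fields into the same dict shape.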
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe | "C:\Users\Admin\AppData\Local\Temp\2ebf1a5e46e3e780c3eb74ccd7c03d2d614e3148a652385dcbca2a7d4d662106.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe" |
| C:\UserDotT2\devoptiec.exe | C:\UserDotT2\devoptiec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | 13e9c021fa948e0ded92d99a6f07860f |
| SHA1 | 8ddadf3ee90ce88b8df24c2a915bfbc07d92f1f0 |
| SHA256 | 26ce8449e7a44c32d710def9f13927aac989559ea5796bfc24a36ba7233eeb0b |
| SHA512 | 8cb325470717f041e4a492b14a111dbc5fb61b8175a7d4f8bf7d25e213dc81a57f1010a67a33da4cf6f9afdf89a4a3bcf126b3f3dfc7edcbf548c3ea5870c501 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c7a301b9b2cc0b4d2ea424a2f197f920 |
| SHA1 | 7125f9e254cb0d4597c4e23c36ca8bd01069c384 |
| SHA256 | b1282584d51b310168d3a07641cdcf0815f9c716a8944a13b3251054c84aeb62 |
| SHA512 | 0d53e0b8d4c73305ea6c168a817c11b2cf5faa49a313614d5f37ea5559dc338904070767b0db77ebb81dd65ea4aa891762609d7bd845970217d7fc21dd593637 |
C:\UserDotT2\devoptiec.exe
| MD5 | ce165c1620dec4a372e2598993fe31c2 |
| SHA1 | 827d3680cec6c24a5e1026e8ab0a26acaeec663b |
| SHA256 | 848fa1114146980b2036ca9bd7d9e8e62f331bcd8dc0cad6106608746d486c24 |
| SHA512 | 7242a7a52759247d7be27cc6eb80d7b1f6391e6a93cf29908b4c72a5ba0613d638e319246eb5d78cb8b36a710219dded4dea0edd2c1975f097ec871e33fdb432 |
C:\KaVBVW\optixsys.exe
| MD5 | eea4aa3d13cff294fb9de101050d3b95 |
| SHA1 | 8be9253d0215e54c585f56eadb2280278a3ef3fa |
| SHA256 | 4bfbd1374923be20f98b58ddc780be3cd5a3714124580ccf4631700f056077a5 |
| SHA512 | 8793ab23bc508ea67a7d382f851f692b10c6141d6a08aea34676af615c93c597ab6a7bab354d52cfa7c84c568a31eee4521a37ed280aa9a5c1a200be1d176b44 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e5f41508854e03fe98d16dd426865f1e |
| SHA1 | 790260a6cc4da4509ff7020162fed5c338be91d3 |
| SHA256 | b5db102b6e7d4030ce055d0d46ae0c81ccb02a801e6e57c7d0a82403450d36b6 |
| SHA512 | 0423e8b041306240b05964a88b1497deaeabf4da01727c28fc42a3a1a3ddf06d2a56dfb9e7900768e72360bae68c8e2a307b4ed7ca81ea5858cd6a61b66b9bca |
C:\KaVBVW\optixsys.exe
| MD5 | e883a7b2bf5da2640a7c07274a277e74 |
| SHA1 | c13a864660f93cb0e6317ed0271e501e21abb457 |
| SHA256 | e2fb9b194182ac05f171eccb542ad20dfc9b2342c2b5ef982b9a32463243c7f8 |
| SHA512 | 0b64d417734c270e613fc92853d22778fca9cba19f5aa850922561fc1807fb3e312cbc3cc1b4ba4de82fa0c5781993123978c04ac27f0a664813087e24012f5a |