Analysis Overview
SHA256: 423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5
Threat Level: Shows suspicious behavior
The file 423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 20:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 20:06
Reported: 2024-11-13 20:08
Platform: win7-20241010-en
Max time kernel: 120s
Max time network: 19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrv61\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv61\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCN\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv61\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe | "C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe" |
| C:\SysDrv61\devoptisys.exe | C:\SysDrv61\devoptisys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrv61\devoptisys.exe
C:\GalaxCN\dobdevloc.exe
\SysDrv61\devoptisys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\GalaxCN\dobdevloc.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 20:06
Reported: 2024-11-13 20:08
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\UserDot6O\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6O\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUX\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot6O\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe | "C:\Users\Admin\AppData\Local\Temp\423b8cb75eb691ab977125fcb8fea2ce950c86759acb75b209a52eedaaf17ff5N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe" |
| C:\UserDot6O\abodsys.exe | C:\UserDot6O\abodsys.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDot6O\abodsys.exe
C:\UserDot6O\abodsys.exe
C:\KaVBUX\dobxloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVBUX\dobxloc.exe