Analysis Overview
SHA256
1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9
Threat Level: Shows suspicious behavior
The file 1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9 was found to show suspicious behavior (no family or tag was assigned; the verdict rests on the behavioral signatures listed below).
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:13
Reported
2024-11-13 20:16
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\UserDotDH\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQB\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotDH\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotDH\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe
"C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\UserDotDH\xoptisys.exe
C:\UserDotDH\xoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 9cb9de0b8f19c7358604e967d7cb751c |
| SHA1 | add69ed24b75844953e9e9d03013012443d7c648 |
| SHA256 | c3a9304d32b80299e8a58a4a0c3343fa01fa9861e6512e0c105ee09e0207c4d3 |
| SHA512 | eae235019d65643e9cb75e59b502de0575b3b5efb2c02ecf7c429a9e4e47dd8ecd38f30d7d832d2e6441a1f16a1f7870c0a359a660497977ed1e98101b80967b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | cfd35dbfae7d4e3f2ab701f6cb1e6ead |
| SHA1 | ac1aecbc9bca5b9f539292feeb109b7bcffe92f0 |
| SHA256 | 621768cbba0a2ea8cc9ec6246c4cee80e803d8abba6d46112caafa62856de3bc |
| SHA512 | 728b0b325aef2df4a1cc1c70029a780dffcd93718dcf79baa41140c5538def1104793d3ffe9ac5652266db83e2698e6bf87e069913c5b9101ca3829f9db70d1a |
C:\UserDotDH\xoptisys.exe
| MD5 | 3f2f2e492aca72b681000b15730f58fa |
| SHA1 | 0045f1196f2b9ffdb973385e39c417cb7a0d33f4 |
| SHA256 | 403d1aa7d26b46aac8b143d916d570eb377226e2cafe62c912baf88b2ea4d1ad |
| SHA512 | 43f3532e1523d01a71f1be27332e05dbe2a70ce51c23ba8a0dc55208f502b1ac7dc26f6a0847bb3d2cd411091cfda8483a83a91f773c33b28acb3becf18469d2 |
C:\KaVBQB\boddevloc.exe
| MD5 | a07637f82860b8b7b5e0aeba0fa3cc85 |
| SHA1 | 6b14f2580e5c5c37b0623250bd5ffaaebfdd7bd1 |
| SHA256 | 8a6b9af2a3dcd372a7e9193777838c1b88a1b403f9f41760a33245d41f6b3e90 |
| SHA512 | 35e07970ba0348c73c5ff67b2957ee746d929c84d278842d55cb868c327198077525448ae2445a38906c42e28306db01556cfb7be9a1fa6f59ea265e72141115 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9752ce21851db248ef43b07e531a72a8 |
| SHA1 | 03d4021038cf5f141f26059f6d93cc069cf3c037 |
| SHA256 | 9e81242669b644a0e288f790a755ed0eda09a4951d366b20503315ae2f848eec |
| SHA512 | 36179b4157c33ae6f5457af80074e5c710d35fc4093f67aeac74edff522c7c1d013fa59815c8af4e5a54874529d3d72c8f14e35a38c3123b39a35f11fd63ed54 |
C:\KaVBQB\boddevloc.exe
| MD5 | 0b07253be627d5b2d62e42fb2aea0b47 |
| SHA1 | 150ecd8af321c5e7310ce3f378602d7b8041aafd |
| SHA256 | 8d6cd9e777421e132a64050fb154d4162347f6f88f4b5f5baa64376082808534 |
| SHA512 | fd4df607504751b81ba51c13ddac16144bfb2edce66645dbf96bbeb5ca3905a14a750ef854c5b500696c9db13e080af87a948397cb0ebdbd7552e982cb3b0168 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:13
Reported
2024-11-13 20:16
Platform
win7-20240903-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\IntelprocP1\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocP1\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQU\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe | N/A |
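In both runs the sample installs three autostart entries from one process: a copy dropped into the per-user Startup folder, an HKCU Run value named "Parametr", and an HKCU RunOnce value with the same name, each pointing at an executable in a freshly created directory directly under C:\ (the directory and file names differ between the win10 and win7 runs, the value name does not). The following is an added example, not part of the sandbox report or the vendor's detection logic: it runs the kind of triage a responder would apply to these rows, collecting every path that will execute at next logon and flagging the ones whose target lives somewhere legitimate software does not install. The event records are constructed from the win10 indicators on this page plus one constructed benign Run value as a control; the event field names (kind, process, path, value) and all function names are assumptions of this example, not a real sandbox or EDR schema.

```python
"""Autostart persistence triage over sandbox-style behavioral events.

Added example (not part of this report). EVENTS is constructed from the
win10 indicators on this page plus one benign control entry; the field
layout and helper names are this example's own assumptions.
"""
import re

# HKCU\...\CurrentVersion\Run and RunOnce values; case-insensitive because the
# win7 run on this page logs the hive path as "Software" and the win10 run as "SOFTWARE".
AUTORUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# Per-user Startup folder: anything created here runs at logon without a registry entry.
STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Top-level directories where an autostart target is expected to live.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata"}

SID = r"\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe")

EVENTS = [
    {"kind": "file_create", "process": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"},
    # Registry string values are quoted in the report with doubled backslashes; kept as-is here.
    {"kind": "reg_set", "process": SAMPLE,
     "path": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "value": r"C:\\KaVBQB\\boddevloc.exe"},
    {"kind": "reg_set", "process": SAMPLE,
     "path": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "value": r"C:\\UserDotDH\\xoptisys.exe"},
    # Constructed benign control (not from the report): a vendor updater under Program Files.
    {"kind": "reg_set", "process": r"C:\Program Files\ExampleVendor\setup.exe",
     "path": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "value": r"C:\\Program Files\\ExampleVendor\\updater.exe"},
    # Present in the report but not a persistence event; must be ignored by the triage.
    {"kind": "reg_open", "process": SAMPLE,
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]


def normalize(path: str) -> str:
    """Collapse the doubled backslashes used when the report quotes string values."""
    return path.replace("\\\\", "\\").strip('"')


def is_suspicious_target(target: str) -> bool:
    """True if the autostart target sits where legitimate software rarely installs:
    inside the user profile (AppData/Temp, which includes the Startup folder) or in a
    directory directly under the drive root that is not a standard Windows tree."""
    low = normalize(target).lower()
    if "\\appdata\\" in low or "\\temp\\" in low:
        return True
    m = re.match(r"^[a-z]:\\([^\\]+)\\[^\\]+$", low)
    return bool(m) and m.group(1) not in KNOWN_ROOT_DIRS


def autostart_entries(events):
    """Map each path that will run at next logon to (mechanism, process that set it up)."""
    entries = {}
    for ev in events:
        if ev["kind"] == "reg_set":
            m = AUTORUN_KEY.search(ev["path"])
            if m:
                entries[normalize(ev["value"])] = (f"{m.group(1)}\\{m.group(2)}", ev["process"])
        elif ev["kind"] == "file_create" and STARTUP_DIR.search(ev["path"]):
            entries[normalize(ev["path"])] = ("Startup folder", ev["process"])
    return entries


def triage(events):
    """Sorted (target, mechanism, suspicious) tuples, one per autostart entry."""
    return sorted((target, mech, is_suspicious_target(target))
                  for target, (mech, _proc) in autostart_entries(events).items())


if __name__ == "__main__":
    for target, mech, suspicious in triage(EVENTS):
        print(f"{'SUSPICIOUS' if suspicious else 'ok        '}  {mech:22}  {target}")
```

Run against the rows above, the three entries written by the sample are flagged and the Program Files control is not. The same pass over the win7 run's events yields C:\IntelprocP1\adobec.exe and C:\GalaxQU\optidevec.exe under the same "Parametr" value name, which is the stable piece to hunt on: a Run or RunOnce value named Parametr is a better pivot than the randomized directory names. Note that RunOnce is deleted by Windows after it fires, so on a live host the win10 RunOnce target may already be gone while the Run value and the Startup-folder copy remain.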
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocP1\adobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe
"C:\Users\Admin\AppData\Local\Temp\1b6c49e3588b50419d17c8d06045341caacaee5bb588557dbbbad91e239805e9.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\IntelprocP1\adobec.exe
C:\IntelprocP1\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | f29c484136ce356cb679f7dca022d5b7 |
| SHA1 | 05991d49fcc6800690ef7863ab2e5674ce4a3f69 |
| SHA256 | 73c2e0c185ef2076adef07ed62b2718676abdcf3d92ace4843a87ae1460acf45 |
| SHA512 | cc360975e5f9d3b056d1ba7c3d9c920f630a40f264e100260b86b6b59ea8a19ed5e4c5dd90bd4fe28149f2967e5d8f7918d5565953ea85ecbe5406de8af5c435 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b91f602c7281229450a3bc247fe89049 |
| SHA1 | fa808a8828609ff28930a4c46230b333511d79bc |
| SHA256 | 7f9af52ae69c2f2c7528c95d25e10d0629b470a5cf059c81a2ec96cc4cd5ab20 |
| SHA512 | 896d4f43870b90483298c327f07b28b79ade7c2aa69a97c53fdaf20ad67e931678d5cc81a5bc7fc1157aba7b38113164414bc0a21cabd3494ab9722a6bbfe445 |
C:\IntelprocP1\adobec.exe
| MD5 | b646265f07f9f16a9eedf6d5027f9e3c |
| SHA1 | a47300f0e83643f499e1b7c1be83a375a1293ac7 |
| SHA256 | d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025 |
| SHA512 | 403b6c7a5606ac30e67478febf3210fc1d0e88e15fcc0544f80a00e2249b9fcf6ec71a25f5e36eaa2528ba1ab9c016dc5269cd1fe3a9758317b2abf1d8553f67 |
C:\GalaxQU\optidevec.exe
| MD5 | 8c3627c138b69a29f1f3e7743c377ac9 |
| SHA1 | 38d00db20d4ccba9fef285bc5b2c50eb73f352a7 |
| SHA256 | 2d835e282b9a7e65559019000af2d36aea1151090066ff801f25da276c99e627 |
| SHA512 | 0e81b2f188fef8742620e583da5a47aa6eae70cf24a798f64d916f01fad49d5ad6f3e883deed9cc6b3dbd7301c28e483ebcc324d83c8a63b41ef839432ef7a21 |
C:\IntelprocP1\adobec.exe
| MD5 | e8b0e855d64d7010d47a21d001937569 |
| SHA1 | 6719d6ac4c67ae201dd346e4112717c4814f49ce |
| SHA256 | 9a19286b5c6f6544dfc0f93bbb9f566adc9a51e25f1e7c737e1363224d718d6a |
| SHA512 | b1d07c57ef30c62c461cc68fc111ddcca7e85d8de2a5077131800b8bd370c1910f72a1c2f9db850baff27e2810983ac07568ea00f78b8269a0606e860214a113 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 729794b044e400273060ec28859027df |
| SHA1 | 8bb1ac2b9032bc35116d026932eb9f6cfb3a2ecc |
| SHA256 | eff42782d9d1f21b1dbf2f60ae6ffd2bb5a23d6f7fa11ece0d1cdb66aee0d7db |
| SHA512 | d8c236f50688e445b974a98fc863debd6d60a8c43ba11497b22970cdc06056fd14a57eefc80da4b021ab722fca3f8b3735f1ffe218bd6c831a52cd1d19a18789 |
C:\GalaxQU\optidevec.exe
| MD5 | c69ee011a781b6455abad3435e01a4c8 |
| SHA1 | 8513c927d7132e0bf31c904e70a286a038394765 |
| SHA256 | 71c1b4731c1cd67ab838beb313dbbf44da94a3513f5cb5d04e5dcd71635466d1 |
| SHA512 | 495e994d1a8bd2cea3271bc70d33e75ecc1d8751574da642cdfe7d824909fc737e862cf80ca0bf83e1418def9a3b1a417437afdcc24aac861fb61bcfd959aeb2 |