Analysis Overview
SHA256
bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290
Threat Level: Shows suspicious behavior
The file bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 00:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 00:59
Reported
2024-04-08 01:02
Platform
win7-20240215-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\UserDotEP\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEP\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZW\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290.exe
"C:\Users\Admin\AppData\Local\Temp\bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\UserDotEP\devbodloc.exe
C:\UserDotEP\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | c67430fd987e21e2e2ae5eb7b5788968 |
| SHA1 | fa9d850b055348dcee02ce59f709f6f567c590e3 |
| SHA256 | 46eed86df8dd9e01b4fec810ad4cac2a5f5bb1184a60cb5baa781262ae4489c7 |
| SHA512 | 363351525c6601115fd49adb168f067b75c44dbf4c52cd6ec41ed96c55e128c0b693167aec1ffdf561b0c5328da9e04d5a1e0c3a143a1762f9747c66b0851591 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | fc10fae03ce4c8943448dde0375e1ba2 |
| SHA1 | a4702e321182a73a6d376ca105dcadc994ae257c |
| SHA256 | c9b4622f096c8d553da091cc36ccbfe5fa5d6daac36b4fc6b3debed3332d9266 |
| SHA512 | dfcd11f63b8246f0ca8ac2f57f6c4b8f08794f3abf1ab441732e0172e573a2a700fde267c463bdda6c4d18da04e55c82a1d75e4483a367cbdf16ef52f830fad6 |
C:\UserDotEP\devbodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | ace1a96578309796df143c772fbda306 |
| SHA1 | c8b9fcfd7d3726cc9d26f4c8e6054545993de9fb |
| SHA256 | ca1befe61a5ba2098f3500d296ddf87da687ba3ecc236272cc2946c62d9660f0 |
| SHA512 | 431781b0ee818ec6be739c4044ad890b5b5d18c4d6ffb98f08c22d7b594aa49b48fe3fb547903e27ef705deff0920971a30577c07b4893677da864800bfe233d |
C:\KaVBZW\bodaec.exe
| Hash | Value |
| --- | --- |
| MD5 | b2adb8506844c0a82940d0ccb0443216 |
| SHA1 | 58dbecb6a186081889c237c026b398732a3d3ba8 |
| SHA256 | 08a4b5f32aa7bfca330b8a9dbeefdbff368334634d17d9ef0acc05c18bdce375 |
| SHA512 | bb116cb0a44910f0cc8932813f4bcf0d6fdaeb81796d37958f36a7ce2b53acd72baf5236083ca308d27705165343653c182666b4e2366b9cd9128e7e43bcb79e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | b0e06cd7e4138f1759fc4b00643fb2e7 |
| SHA1 | af50fdae5c8a0610b65c5330a81ca429b55fe5fd |
| SHA256 | 068c507c0e1dd6517b8e54d8e5a8ed550ccc188c2e01607ad9fbb8fcca926c3a |
| SHA512 | 62e9cfcc5b57f8f1482c311e3c948d84ff60795d6d189541a9865f293a58c554fadc0fb06d8dc6f94f8a0c25f407d498fb798667bb4835f57cee8f02bff5082d |
C:\KaVBZW\bodaec.exe
| Hash | Value |
| --- | --- |
| MD5 | ccfaecee3eff141ea6b82e08b183334f |
| SHA1 | 8631e66faed14912d49ec31944552576334e4b8a |
| SHA256 | 7452c309e882c86a5fc1d49f2e9b16e62bbed2611b053e5d65ba804cd4764783 |
| SHA512 | 3e79f76a2e98819f802b46e4ae0fa5492fc1f64f97f86db8ed4e681e58d8cf335f90b99552d74bbaeb5f1f5f37ea147fc95bc6fc694d32f8799e232b6e8574d8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 00:59
Reported
2024-04-08 01:02
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\AdobeQ1\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUY\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ1\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290.exe
"C:\Users\Admin\AppData\Local\Temp\bed801a42370307f40704d88bd249746a732b50f51c854993a03eea8cde9f290.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\AdobeQ1\devbodsys.exe
C:\AdobeQ1\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| Hash | Value |
| --- | --- |
| MD5 | a2308a83ada0b92b70608f5ef5051eff |
| SHA1 | 8d7ead6158e781a165a275b6c900d16db57121f0 |
| SHA256 | e2a0fe9e27ae696c70be1dc5a7bfe233bbc622eff8b52312f7f77490cd8f1dd5 |
| SHA512 | 11616622264ea5e67bbf4442b995f047f3db1e47b37dd20924eaa36589750a4a38946bc1ffaa883453b75030998853e7f861f69b83e610e4603182bff1e333c3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 885ba6207eae5321250641d62dfe48fd |
| SHA1 | 75b9971760ba6bec5a8dd600495fb12a19eb73dc |
| SHA256 | b1ea0a1c226915040ef400aa0a4bfe30aeb0789e1a600376de20e51a5c93514c |
| SHA512 | a2cbc0c3c144aa12aed94a96f350dae882e029a99d0ec0875f39889ea4bad563f110373b6af37af57c970124feea506c5df292661717bca5d0f0461de0f53239 |
C:\AdobeQ1\devbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | b7db22c0cb3e110be654b681c38a959e |
| SHA1 | 5cfee5d01ed9ad18e7d42b2e417689f3df8fcc69 |
| SHA256 | 177226c38374c822acee1fa64d3b427c6375eab66e5eeda625df01522c57bd76 |
| SHA512 | e284ed7a1a745757cf882fc85a2f6465ac9476ee0f033d104b63ee8acb22b9e19ca36944d940b9251ab620d6193921e014adc93f1aa23c1ca4adf772d072fba3 |
C:\AdobeQ1\devbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | cf6408338ab650bdb81d7ab280df39bc |
| SHA1 | 79f2ee8579283807a3580daa2ec5f287ae3697d9 |
| SHA256 | 687da1d5e3401ad32db356584b37b077058d01beed462eb6360c164f74179a46 |
| SHA512 | db74990bb229f7187d9cd4d1d9172d34937b3206a3fb3cbd1550e6136bff7c00344d9267311ab327f244cb0474091139cb901baf2e487d3c4d67691f0d3091e0 |
C:\MintUY\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | c7de7ac46e1218c04c9b40a01f08e5ae |
| SHA1 | 46fbc67cf9b630cbb42b4e030d975ba1d6caf904 |
| SHA256 | 9973f0629a59066456907c67358f9c32627d538a5080411ef6a053e580f34be0 |
| SHA512 | 21106ae7a86ab09ca9620f998f869579767090b715907ce7b3fb242269b90685171e5272a160527cc99b707908598f23b173d9be8e5454ff0ab5574b30636ef1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 542c9933d8fa18ea3ca019b0c094fee8 |
| SHA1 | 3111cb07b93dbb5f9298aead059e5f616b625740 |
| SHA256 | b4c4c2bc6ea95dbbb0d2ef304191e635a2f2b4e1d491aadbeec5c1e6d3f98d05 |
| SHA512 | b1fef082250b4c0fa4f76984a8aedfa7eb32495c8740a3101cf9e7bc7b5a5341222e13c33261a36bfa035b11b852b7fa9fad9d43f7705b97ddfc63e14bc54f94 |
C:\MintUY\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | 055c9bdc863581b1a940f2b7a757dac2 |
| SHA1 | fe305b09e115709954be8fae9112daf821a6dd72 |
| SHA256 | 5134593c12d40b465eeb4b782e26b2343e143c60e3a8fbf9c814842b87d45992 |
| SHA512 | f1438d398b642c6d743073cd4aadeb8d60af3d29411893d4f22bd9362835f680e2b277b82c1cdeaa74da766004d4fd49252a11e63b393586b8abdd0e4640dd28 |