Analysis Overview
SHA256: 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0
Threat Level: Shows suspicious behavior
The file 72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-30 23:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-30 23:17
Reported: 2024-05-30 23:20
Platform: win7-20240419-en
Max time kernel: 149s
Max time network: 121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\SysDrvBT\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBT\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZT4\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
"C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\SysDrvBT\abodloc.exe
C:\SysDrvBT\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| Hash | Value |
|---|---|
| MD5 | b4e006ea794002c6b3fe6f18e62a9d5f |
| SHA1 | a7fc5c00744442be67b5fbb7688dc486d1b8c773 |
| SHA256 | 9dda8314177297b2b3c107ebd5dab3660b59ae9975361d0758775dee701f9ac3 |
| SHA512 | 4cf5a1ef32c6184a7c6b9bef6c9d06c1f046d28fa652394ee34fd04d8b029f50f91f57cdcd314fec1f9d6de0e31fe84f43d4fd523600a7bd9451644228386c4f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 9a2ee3f23a9cd4662312ee5b032ead0d |
| SHA1 | 15557e7886a103eba4af3eab69614c32ec49ec85 |
| SHA256 | dc9c0791894738f3d04bb685447478a6c7e87d6177479eaebd9f7492e700b438 |
| SHA512 | be948bb963a930c385bb344b8c9d283e11b047a2ad2cd100998b3fe6973130a13da1b636ba61d2027801b57d414e475ab487aad30482b68e468a61aa3cbbe6c4 |
C:\SysDrvBT\abodloc.exe
| Hash | Value |
|---|---|
| MD5 | 3cedbc5d7cbf122fcdf603dd4651c067 |
| SHA1 | 9e6185695e3e2d720f995bc9307c251a65f6120f |
| SHA256 | ab30eb6a4d95662711f5c20a1fea67f985cbce4d867ed61a6db693aad49af568 |
| SHA512 | 923ca9df3d94d3a35c1f8c3200ac8b7bbcf9e8a09d9cb1c30351cc02535d3125ec23bb74796ee44c92b45ebdeb6316fb63b60f8edd0f59b2df1f5538b7fad3c4 |
C:\LabZT4\bodaec.exe
| Hash | Value |
|---|---|
| MD5 | 6835ccedd8340b012ddfa882c99f14eb |
| SHA1 | 8c0db252433bad3f1b098fbe42b96bd76eecb8c0 |
| SHA256 | e33744ac8578680436ca0f65ef93c7ec9f70a15ec4bc925dab2dbfd3f7f1245e |
| SHA512 | e3d8a35f5a85ae1fb415b0a7345e2458fe6dcf26b6c25a0eaf12db8c061021d87d1c9de0ab296d58dcea4628ca37d85297efd5f39be32645627366052e276c82 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 7cb79f61f6ca4b10a11214c6d2f1c396 |
| SHA1 | 4bd0197bf6ac170afe56dfa7d2f6daf9e6839721 |
| SHA256 | 0c2a22149c468ddfeb93c758a1342693e614a28f4bc03a477d2f7ed4f61200a9 |
| SHA512 | 52991a6a4f9a4266e14343c430fa8a406549716c5e32d38bd7e6a6e9aa808ae13d1dccfcb562e5bbfa8f8632f6a6bc892a5ac7b1f5bde87b8f8180174f71ed97 |
C:\LabZT4\bodaec.exe
| Hash | Value |
|---|---|
| MD5 | 76f0381e1802ecf861bffdcbc7f51401 |
| SHA1 | a975767240a9799c39630942cbbc64847231097f |
| SHA256 | 7762fba64330b940eec77b7d775c8ce968299e84efd2e6fd66634116b7f99281 |
| SHA512 | cbe66932c8e459b125942035e6afe3276a71075d79fb9d265a6b2b17bf79554510dc75327ffc3852443d5fd9490e8e0451cb64ed1b968ed767108657898d5352 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-30 23:17
Reported: 2024-05-30 23:20
Platform: win10v2004-20240426-en
Max time kernel: 150s
Max time network: 152s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\Intelproc2N\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2N\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax15\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe
"C:\Users\Admin\AppData\Local\Temp\72a39506bfd8c71cda2f55f34e2212a6b00e3624bdc320e4b1c78b7bb9995ee0.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\Intelproc2N\devoptisys.exe
C:\Intelproc2N\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| Hash | Value |
|---|---|
| MD5 | 23cf8b3e77450549a06bf1abdd385136 |
| SHA1 | 225a7b46ca55851ab01de9d62f3d00261c58d5dd |
| SHA256 | e98c73cd1ac53082b1898cc765e41e54d90d295afdebf431e35823b2b7dc98c2 |
| SHA512 | b8d964e0cfa8115c4d536d9c2034da9449e09447c525f013e9ac9cf9b4e74bb295fca8b39b45b9e7b10b8ee51c8d12022ee9e8213eaa2ec8fed0442502af014b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 528cf5756d873cf82b92f12ae0944fcb |
| SHA1 | f33f792d7acd5f6dc275665505b91643b6bceb0f |
| SHA256 | bc7ae57e6f48f3e2cea6a3c52b9a533c52aa1582df36c288f2866eedee819ea2 |
| SHA512 | 29513640aa16c5f09f5990a75ba07ac6942c82c9344bd743d5dba5ad1f6f0a6fe0d2441826502ca30819650afd4031c3e1bd9147c38137a31e531b63ea2d6c2c |
C:\Intelproc2N\devoptisys.exe
| Hash | Value |
|---|---|
| MD5 | d95dfd47892d77cc18928a016fce804d |
| SHA1 | 0beec5057ac6a64258953590a06b36e0cc58ad23 |
| SHA256 | 91ae5b3abb24d72b42bb1197e7624947354c083041b074ac5bdc99889746d2fe |
| SHA512 | 102fa89a141b9b3e6d1377e1c9a28d56b9c2ceef559daa9030416f7939c8647589106a2156cc685f05eb87a2d647db2c788e313a7b3eeb0221149e8f07219f24 |
C:\Galax15\boddevec.exe
| Hash | Value |
|---|---|
| MD5 | 9ce8a05d4e7545d8767fdb5f41ae20eb |
| SHA1 | d28d8b70dcd539aae11b5009151a00a552313b91 |
| SHA256 | 346fd158e582503fb2956ef67ca73d6bdc59f3a88af49be3d140aeceff6c6981 |
| SHA512 | b2a3299200ed06f4c08d5ef57fabdf7e0e59deeca81dd46239dbef77f1a8c9135ac2f01b1f27ec15b238b0e727c200e17896b1411aae80bbb96c85195c8f4d5c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | dad9d8944835aad210d3f78616322ccb |
| SHA1 | 41ef7ccc6413995d2b0f4c11915dbaf836c5fcd4 |
| SHA256 | 33f192a3176c41ff8d2de6c4f121fd2ac4da8e38cc89caccb1ec4d3b2b66afbe |
| SHA512 | 97be59999ad9a00e3f0a3f66432b7232ba85d351576e2d7dbf78f499164f003fb2fbcde9994707e27248263a414c18f5c4098f40c9c85039b46ca287c4418b74 |
C:\Galax15\boddevec.exe
| Hash | Value |
|---|---|
| MD5 | f69aeb02f45137991ed81168245b3f1b |
| SHA1 | 6bb2c0ea804f84c3a0591623a05c59b19b2cccca |
| SHA256 | afbe12083809699acd7df5003213f84af4d7879af0b2c1eb1dc6fdc1c0180552 |
| SHA512 | 6c496cdab78620ff6b0cfd548a3d0bd216f99c709e0c0fb3e8902f6f01b94c485ae1f2cbe879675831f4dbb27b8d6b677589aca7abab28193f9ff94f2571f528 |