Analysis Overview
SHA256
614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d
Threat Level: Shows suspicious behavior
The file 614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 22:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 22:24
Reported
2024-05-31 22:27
Platform
win7-20240221-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\UserDotRQ\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotRQ\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1Y\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2984 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe | C:\UserDotRQ\devbodsys.exe |
| PID 2984 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe | C:\UserDotRQ\devbodsys.exe |
| PID 2984 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe | C:\UserDotRQ\devbodsys.exe |
| PID 2984 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe | C:\UserDotRQ\devbodsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe
"C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe"
C:\UserDotRQ\devbodsys.exe
C:\UserDotRQ\devbodsys.exe
Network
Files
C:\UserDotRQ\devbodsys.exe
| MD5 | 99bcfc76aae64acd570746494b0eaeca |
| SHA1 | 571047b5e659100c08cbb8da1be219f7a5f8f72a |
| SHA256 | acd4b972856a1790b4ed94ab2fe78b0292db87a2ea34bf72eb09201e16e57981 |
| SHA512 | c1158f085f7e61eee95189b62d2db7ad6683023efc6b33061783387b1eb8faecdedcd208ac8993b26c234da63059c249cc2d669df744cc758ab7c9b5c8568000 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 595a2f438ed368436b18b1cdce09f446 |
| SHA1 | f20a572a95b9b868ab8b884a6be75974925a429e |
| SHA256 | de285c64ffcfba0e8e171111fcb397832b419664a8b42d70f798c7e5059918ed |
| SHA512 | 530396ce4c9742b97e424c5627df101e2f86c0f858bb893b051bb981fadbba35d1f5cb125a93bb9f8d4efa180cdf0ddab3a53165f2b0d7c7ed902643fb5f7401 |
C:\Vid1Y\boddevec.exe
| MD5 | 91c914b4a725c222bc1f47219653d665 |
| SHA1 | 4a4b803693394ebadbf8be19232cabd7f3919c4f |
| SHA256 | 11145b820a2de80850c7de1e74492b101e37759a686e29170cc00f853f585491 |
| SHA512 | 1dfdbe617a2daa55b4a0425ae6ff9e836bc5e76268e1b37722eb5096a878858150e9b494a2b3d02254b1477a54c2ffa7f7d183c017be924f992c298dc019081f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 22:24
Reported
2024-05-31 22:27
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
104s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Intelproc1Y\devoptiec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1Y\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZB9\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4200 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe | C:\Intelproc1Y\devoptiec.exe |
| PID 4200 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe | C:\Intelproc1Y\devoptiec.exe |
| PID 4200 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe | C:\Intelproc1Y\devoptiec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe
"C:\Users\Admin\AppData\Local\Temp\614ed683bab245503ded537e8f027944698a41490cb1b73b58df03639e05657d.exe"
C:\Intelproc1Y\devoptiec.exe
C:\Intelproc1Y\devoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Intelproc1Y\devoptiec.exe
| MD5 | 5376a124b0af56101dc99d7534452b7c |
| SHA1 | 39a925a3cdbc01c9d4c10473b7800db6a2456c64 |
| SHA256 | a2c5ad4c0ebc668b92ae5ae79da53b2c642f4d84617294dffac2c861c417d0ce |
| SHA512 | 6786a2cce406036049d02ecaa23839f96aa1796435f3cc0acb43daafb91d4c681e86d4c2f706d1323bb409965ace89db1eef2ab720cc319b362d24ff99243825 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c3548cbc17aa31659c6714023c6cc1b5 |
| SHA1 | f46477a3ceed819a59093ed1ed3cd6448a5798c9 |
| SHA256 | 3ff73ee9b5017deb32e354a13bc22a85f081bec96b4d35d7b02cc8016266f6a7 |
| SHA512 | 8b7abb496492730a712a1198b36f85a3b9046304eefa4ff4620ea8ca5f7393fde12175b3211d2f2ebd17f7cf9d32f791a071b55f5e62018041b355fcf8dd8e8a |
C:\LabZB9\dobaec.exe
| MD5 | 0c9f693724040eb946cf0570b4191a45 |
| SHA1 | c07f48eefda7d2d604318426889183d47f0b24e9 |
| SHA256 | 8f559e4764a709d13201f431027e0515f77103ce5840d1050ff07d60cf893cac |
| SHA512 | b8baa3976a43fe4cb2ced6e52c4accf2ddc1cfae29ea7d4a58bd94e10cf0b8d23c8a9e8ae140c9a76695c50babe7164433b9a39dc1e766e0dab5fcabc2f9fc43 |