Analysis Overview
SHA256
f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77
Threat Level: Shows suspicious behavior
The file f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:41
Reported
2024-06-03 05:44
Platform
win7-20240221-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\Intelproc5V\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5V\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax0G\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
"C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\Intelproc5V\abodec.exe
C:\Intelproc5V\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| Hash | Value |
| --- | --- |
| MD5 | 53ee35863662e20e2c1a88c30cf10aa6 |
| SHA1 | dfb6413a6e184d1c0fe334a984491b3ce196d875 |
| SHA256 | 5286947b103fcdcad0ebec26c0c5b135dc1f7bd0838e67438c66f45411621dba |
| SHA512 | fabf7f79a52cde10c0126c0decd60a0ccf832a5b42659e1ee6959565deca48ed54d0d4ebafdca000b11a0b23481ae4eb37f7dd3491222c75cfe1b2408aa36c8f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 0bab846e313217a04bfc0fba9fe981f9 |
| SHA1 | 070ee2b809947c92dfed59269d4c4845b8bc0306 |
| SHA256 | 160f95fb112f9917b2fe2885ef0539ff97e914bb5705c48cbef63de12432e3b4 |
| SHA512 | f1b5d887fa7473422ababf99da996f97e3fafcc4db1b828dba671abe81b40711461d13d8eeb7b0570d1e77c8c190e6f7d06870ed415fac4ab5146054fbf01259 |
C:\Intelproc5V\abodec.exe
| Hash | Value |
| --- | --- |
| MD5 | 8289566ee15db2d66110d056656af409 |
| SHA1 | 66cd870ba62c0cfc13bfd3ddb434df4d083c9eda |
| SHA256 | 9827e33487453eded58402b7e50780b2a78074411ca79a65d3d50872539a95e3 |
| SHA512 | e3380f045fd393fef66ae80f8c23b7004a2c42f981bc1b94e1fdd6bb8f9c80567c5ed44cf7cbe83f789326d7e6bb6a2ec5b72e1fc67c24851ccfae341a4b4243 |
C:\Galax0G\dobdevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 3a2f0e3b4dc877cd6861254f7f1b1cb2 |
| SHA1 | d70e8d3d966864795e342492bc53000ca22b0d52 |
| SHA256 | bb83ea2118069a1ac02f368bc4df1c1f8308ab93cc9852c09271848bc10fdae6 |
| SHA512 | d7bf72601f9db881ff19c1027d8f04c64f53f415c243285106b72f00124dc02d054d11c4a651b0c36f4658e933e7f115e7c4354392e8fcf02570219f9961ff81 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | df69540fedab0e7099c74e7713c6eac6 |
| SHA1 | a843362e27d9da63b742cf55bddf560b85ee057d |
| SHA256 | b63cdbd6fc715691e9141cbeeb272cc535c66c26f72010de2c9c8fd163e76f49 |
| SHA512 | 3ff0b27233f68461ff1302d75956454513c41d0a15b4168887d37e469651ef71ab191c8c86c06509162fab155c0f7dd2c43fa4672403ca752e659c7b1c13bcba |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:41
Reported
2024-06-03 05:44
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
100s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\FilesTN\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesTN\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUS\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe
"C:\Users\Admin\AppData\Local\Temp\f8e2d6c9276e668de04639de8eb25c9a8a6b134adff31b7014073c5779a4ac77.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\FilesTN\devbodsys.exe
C:\FilesTN\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| NL | 52.111.243.29:443 | | tcp |
| US | 8.8.8.8:53 | 203.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | ee33273067b8b6ca638076afe9fcf411 |
| SHA1 | 549409a021ed955a2cd5f4e8524a0dd0a5e1b197 |
| SHA256 | 13cd8349cae8696ad211810b7ce31a6aaec194eddd3a3924d81acfaee51db47b |
| SHA512 | 06fbb54a5198b596d469a9157905341ed594c8c43d3ebefe7ba8996397a72198c06da73249cba90bdca8e3ca04c4bccecda5f867910cccddd52209d43ad49964 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 7f97956a9cf59eaa85f3809583d54674 |
| SHA1 | f4e49d9c94294210c11c486716d5e03185ab5a0a |
| SHA256 | 368a8f45bc294c72c038a857a93d2621c759e0f00041197bc9398d3d9ec1908b |
| SHA512 | bd26fd021e542b41794f02042a3858add217a853ce092791ab32576d99d84664a66252d60078781402ece7aea83be16b813184950a09e17443699c0d3b383dd3 |
C:\FilesTN\devbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 7ad07bc927adf45eb9a085ac71ba0a26 |
| SHA1 | f720acef80dc31845d437e92edeb249acaa64cf5 |
| SHA256 | b501de7e316392673403336c1e41f245343fa4a16b48a710e8c70f37a71fcda4 |
| SHA512 | 8bc2b66a0b198327a774bdbcb408f7c4381ea8abf4c8d96515920ca375ae565cc1687c883b17e3671e0076ec816d6354172377bd65067c926004dcbbfc8882f3 |
C:\MintUS\bodaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | a2a762ee11d033f7e67f3d8b7195471e |
| SHA1 | d9b7127b0bf3b3fe85b7d51032e4db03bfe3edc9 |
| SHA256 | c810082a2291330ad1cdb8ce535d7653e0e00afa386c716a329369ed26597345 |
| SHA512 | 56c42fa915055977c7a1eb3c5d2c6cabd2230043bc769ecd1c94d0c3aca8ef0517163891824883df9538e9e4218753de85ee6eb0f339823e745ff74844a74221 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | bd32eef9f34e8a91a8a4dbc8c35a0f14 |
| SHA1 | f1a5d3ead5333d4758a776a59afcf6bc8d30cf7c |
| SHA256 | 49eb8d2ea2200ad22f4a2ff030cc54ff1d334b3d8306a6ac6786b549357e09af |
| SHA512 | 62378df8aac49a6d68b3662ad30451609b32e8d03e6d890b3678f5b45e244a797144ca208155c0184baee348763a28323f17bea6d9fe93bc6e192b376fa15d66 |
C:\MintUS\bodaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 436f3a07b2efda912f27ac86927d8ef7 |
| SHA1 | ae0a78759a3a9e78e855e4b63ccee06c473ff11e |
| SHA256 | dc0e2f9f41b3a12b14a2140ce217017777dd7ca6fe929dc0328feaf28d5805d9 |
| SHA512 | 712ba814d4039fa281115bd0ccfe6322e7eaf44fcb52f5a002832641c7148c39f3987050ef4bedaf6980c7c266a6ab908fec4604e002efdb50ec3f65001b912b |