Analysis Overview
SHA256
92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540
Threat Level: Shows suspicious behavior
The file 92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540 shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 00:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 00:16
Reported
2024-06-04 00:19
Platform
win7-20240221-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\FilesDL\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesDL\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHE\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | "C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe" |
| C:\FilesDL\abodec.exe | C:\FilesDL\abodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | d100293f81bda9a9b45c199c94b2cce1 |
| SHA1 | 3f58321fc6929b18ad98e7de03a39d17e23b9175 |
| SHA256 | 1375a5da0041f1c3c69ed9f2c94cc428359af24c17d18cf056feefb9bc506526 |
| SHA512 | 6fe7cdd43eb38d13a5c477c1c487c2a6d3ec3e6f3c77c2a2456055868d06fa07cbf1d1d01592e12d648da28add80a5134d5da4a6bc745439d5e6b5a912fe33ee |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e7f0ebbf0f1a022ed50b7990eccba830 |
| SHA1 | 2405303823f01990616b3458c7b8d2682632fa0c |
| SHA256 | b8c6dd63b8140c096c67e9cbd83be9f1abbe4c921e6ae153516244a2b2c17ff5 |
| SHA512 | f6d0fbbdfafc81376619d319f36779599a09d98db6ddc0870a1d4934a2cc7e38aa85023d91181c61821dbee25585cfb40ff19ae77f8481bb2c69fc0683014a2d |
C:\FilesDL\abodec.exe
| MD5 | 8858df96e6548a27423d10a0f193afd6 |
| SHA1 | 3dc5dfa28fd5f6844f3a66cb043b43b6127e72de |
| SHA256 | c2c5958ecea38409923c98dc722ef1bc491e1489687e69f8705f7261b8fedb63 |
| SHA512 | a0b9155854907e7aecd9ef2565b2a5d2e7ad3bfa06a7a400aed2976961a5c71feffbc71258665443cceccc187396eccfea2ebbefbcc33285a832936d9015b510 |
C:\KaVBHE\bodaec.exe
| MD5 | 1803b2adc5be774fb431c33a5eb8743f |
| SHA1 | be5637b16deb89e3964a2f7bde7d0fd632e95ca7 |
| SHA256 | 7cb7f2ec92a8aa5eafa1bb9d358efce628715689e3be5758f213e4673d3e8e4a |
| SHA512 | 7dc738b91ac81dba9a8450183ea746cad8fe9ba27351cf4aac01e9483c468d3f82243d23eadb66c06865e1476a6ba76da4e34261ffd24854a16001437cf8b358 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3a60189ee50a8544ccae5472fd8fc41e |
| SHA1 | ca05c3a9b46972c2eb04afb7c405c3f2b3b21785 |
| SHA256 | 04145af03ef5057778a3f84710600021841b7418aea8927e1254de0097e893de |
| SHA512 | bade3d6c7def7d43798dac78c0e993ebda00382288776910673716535370b24c919c0e9bae4dd5ced282489b43e74c6818ac3c6c11870e61b8612a4832f310c4 |
C:\KaVBHE\bodaec.exe
| MD5 | bfb926bf00e893793307cf8355a87908 |
| SHA1 | b4155cb9acfc66009ffa6a64c47d01588df7f346 |
| SHA256 | b9b78aa09500939dde85c3c376fcfa47805073bc3cfef119f2613c97344f724e |
| SHA512 | cad23633ad9bad74e544227ea25d4c4989fe356b60e70e64ebabf7a8d20c1129470df72c5feb58a279acce72f0f5e815f52aba603d4ae79ee3350c6e509a8436 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 00:16
Reported
2024-06-04 00:19
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\FilesI7\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesI7\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8A\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe | "C:\Users\Admin\AppData\Local\Temp\92703c317d1db2da3952bad50a09d9b6417ecb357a2e9dde52b22b5d3ed3b540.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe" |
| C:\FilesI7\devbodsys.exe | C:\FilesI7\devbodsys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | d93b351d15aef16320acf10cf3d60e82 |
| SHA1 | c63aa624e875cbf702c25fefa6f7f2c9c8f81ff6 |
| SHA256 | ec3dc5684af8ef34fa6a4061c39354a7d3057e0e308ede1e1660216f2a7404a3 |
| SHA512 | f12a292399558810a0bd276234ee423034b3990d35d69be369abfbeaabf4e53641a7102ea33b44e5a84ceb28224b156e53687936299760be022018231663468e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 37312b02e9d0d0505548249612130e33 |
| SHA1 | f7fb9367c74aa7ed2620f91021340a6524b69ebd |
| SHA256 | 70d5708dc2e20a6256b60eef23a7183a4c26c0f8a07b04cacd30c5fe86a14fb7 |
| SHA512 | db228758e42bfaa2cdf150395c034cd0bf77a7f8f4c258ca4531978bc12552ad08654f4b8df7b21ad492f056a34f7c79c3ab6bca20e201481727023b164e58df |
C:\FilesI7\devbodsys.exe
| MD5 | 0a15c6e3981868c0424de6ad7d093fb4 |
| SHA1 | 1f2d2af2c24bd1adcd307916134727f39e17641f |
| SHA256 | 058b3b5d9e87fbe7b9d598e27519861e9c387b4ef1d7abdb00e35f7f4c407564 |
| SHA512 | ceb4fd60ed7c4ef8a8c713370111e885c8141fadaeaafb5e3a7c6163c58c87567abf07543e20f595422f4ba1642f4796a11ea26d13348949022e1ac86966b52b |
C:\Mint8A\dobdevsys.exe
| MD5 | 976001ce9292b5870f5043c7c5616523 |
| SHA1 | 4ea445df2a5e1ce383ef61defc43374ebb42b775 |
| SHA256 | 893c6623996fffd89d27308ea6d4406b12193239d28ddcad5ac0a074a039ef20 |
| SHA512 | 018c038a8afe05b417234b8dcf9b1e929dbd04018a8d7b865fc6f24421829983903729d8eb1992fec69514dea1c96485fb9cb74faff03a5949cc088fd7e11a15 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | cfd9de7b64639a08f4f3b919e3a4469a |
| SHA1 | 45a22e9d7666ca1c0b38f9f2920ec8131fb9efe1 |
| SHA256 | 410c273fef158718972a3a3df7487642cb41594816ea586bde45fcd89ec0a8d1 |
| SHA512 | 53b66e9b322d65ebce7505bf3013ef5f167c4eaa51b0f536ddb7df38ae8dd1511dd6e907c47632601610fdcced32a895c562d4bbcad00f1dca24a2fa82cf3cdc |
C:\Mint8A\dobdevsys.exe
| MD5 | de9ad993bb6ce983af736a980ab2c509 |
| SHA1 | fe6a9f83c74de1814a8f72e0835ab9e6e5a77d52 |
| SHA256 | 0974cf88e8cc6738010ba48e9eddf600d7dfe30c1291672c10922b0e690d446e |
| SHA512 | 31ef6985bc4cef0da57427dd705101b142a4fb04ab94a586d27c678ca4103d734cf91e8119fc703d0f1c8fa7040a256f2621babd73dc9371f80da6674f4def21 |
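Host triage check (added example, not part of the sandbox report or of the sample). Both detonations share one persistence shape: a Run and a RunOnce value named "Parametr" pointing at an .exe in a short randomly named directory under the drive root (FilesDL, KaVBHE, FilesI7, Mint8A), an .exe written to the user's Startup folder, and an <id>_<OS version>_<user>.ini in the profile root (6.1 on the win7 run, 10.0 on the win10 run). File names and hashes change between the two runs, and the network table in behavioral2 shows only reverse-DNS lookups and Bing connections consistent with Windows 10 background activity, so the check below is host-based and keys on the shape rather than on hashes; the hash set only catches exact re-drops. The `reg query` parser assumes that tool's default column layout, the 4..10-character directory-name bound is an assumption generalising the four observed names, and the sample registry output and file list are constructed from the behavioral1 values plus one benign OneDrive entry.

```python
"""Triage for the persistence shape in this report (added example).

Shape shared by both detonations: Run/RunOnce value "Parametr" -> exe in a
short random dir under the drive root; exe in the Startup folder; an
<id>_<OS version>_<user>.ini in the profile root. Names and hashes vary per
run, so the shape is the durable indicator; the hash set is exact-match only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# SHA-256 of the dropped executables, copied from the Files sections above.
DROPPED_SHA256 = {
    "1375a5da0041f1c3c69ed9f2c94cc428359af24c17d18cf056feefb9bc506526",  # Startup\locdevbod.exe
    "c2c5958ecea38409923c98dc722ef1bc491e1489687e69f8705f7261b8fedb63",  # FilesDL\abodec.exe
    "7cb7f2ec92a8aa5eafa1bb9d358efce628715689e3be5758f213e4673d3e8e4a",  # KaVBHE\bodaec.exe
    "b9b78aa09500939dde85c3c376fcfa47805073bc3cfef119f2613c97344f724e",  # KaVBHE\bodaec.exe (rewritten)
    "ec3dc5684af8ef34fa6a4061c39354a7d3057e0e308ede1e1660216f2a7404a3",  # Startup\locxbod.exe
    "058b3b5d9e87fbe7b9d598e27519861e9c387b4ef1d7abdb00e35f7f4c407564",  # FilesI7\devbodsys.exe
    "893c6623996fffd89d27308ea6d4406b12193239d28ddcad5ac0a074a039ef20",  # Mint8A\dobdevsys.exe
    "0974cf88e8cc6738010ba48e9eddf600d7dfe30c1291672c10922b0e690d446e",  # Mint8A\dobdevsys.exe (rewritten)
}

RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Drive root + one 4..10-char alphanumeric directory + .exe. The length bound is an
# assumption generalising the four observed names, not a figure from the report.
ROOT_DROP_EXE = re.compile(r"^[a-z]:\\[a-z0-9]{4,10}\\[^\\]+\.exe$", re.I)
STARTUP_EXE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)
# <digits>_<major.minor>_<user>.ini directly under C:\Users\<user>; the \1 backreference
# ties the file name to the profile owner, as in 253086396416_6.1_Admin.ini.
PROFILE_INI = re.compile(r"^[a-z]:\\users\\([^\\]+)\\\d+_\d+\.\d+_\1\.ini$", re.I)

@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str

def parse_reg_query(text: str) -> list[tuple[str, str, str]]:
    """Turn `reg query <key>` output into (key, value_name, data) tuples.
    reg.exe prints the key unindented and each value indented, with the
    name / type / data columns separated by runs of four spaces."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()
            continue
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
        if key and len(parts) == 3:
            entries.append((key, parts[0], parts[2]))
    return entries

def image_path(cmdline: str) -> str:
    """Executable part of a Run value: the quoted path, else the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]

def check_autorun(key: str, value_name: str, data: str) -> list[Finding]:
    """Flag Run/RunOnce values that match the report's persistence shape."""
    findings = []
    if not key.lower().endswith(RUN_KEY_SUFFIXES):
        return findings
    if value_name.lower() == "parametr":
        findings.append(Finding("run_value_parametr", f"{key}\\{value_name} = {data}"))
    if ROOT_DROP_EXE.match(image_path(data)):
        findings.append(Finding("run_target_root_dropdir", image_path(data)))
    return findings

def check_file(path: str, sha256: str | None = None) -> list[Finding]:
    """Flag dropped-file locations and exact hash matches."""
    findings = []
    if STARTUP_EXE.search(path):
        findings.append(Finding("startup_folder_exe", path))
    if PROFILE_INI.match(path):
        findings.append(Finding("profile_root_ini", path))
    if sha256 and sha256.lower() in DROPPED_SHA256:
        findings.append(Finding("known_dropped_hash", f"{path} {sha256.lower()}"))
    return findings

def triage(reg_output: str, files: dict[str, str | None]) -> list[Finding]:
    found = []
    for key, name, data in parse_reg_query(reg_output):
        found.extend(check_autorun(key, name, data))
    for path, digest in files.items():
        found.extend(check_file(path, digest))
    return found

# Constructed input: the behavioral1 values plus one benign OneDrive autorun.
SAMPLE_REG = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    Parametr    REG_SZ    C:\\FilesDL\\abodec.exe

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
    Parametr    REG_SZ    C:\\KaVBHE\\bodaec.exe
"""
SAMPLE_FILES = {
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe":
        "1375a5da0041f1c3c69ed9f2c94cc428359af24c17d18cf056feefb9bc506526",
    r"C:\Users\Admin\253086396416_6.1_Admin.ini": None,
    r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe": None,
}

if __name__ == "__main__":
    for f in triage(SAMPLE_REG, SAMPLE_FILES):
        print(f"{f.kind:24} {f.detail}")
```

On a live host, feed `triage` the combined output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `... \RunOnce` plus a path-to-SHA-256 map of the user's Startup folder and profile root; the key check also accepts the `\REGISTRY\USER\<SID>\...` form used in the tables above. The OneDrive entry in the sample produces no finding, which is the false-positive case worth keeping in the test: a legitimate Run value under `AppData\Local` does not match the drive-root drop-directory pattern.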