Analysis Overview
SHA256
e91b495fce23b9ae3bef492959fe7153cfe3ca001b6f62083cf7182272ffa9c2
Threat Level: Shows suspicious behavior
The file 06348b8ef30ef902883c8e85873773b0.bin was assessed at threat level: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 01:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 01:08
Reported
2024-06-13 01:10
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\06348b8ef30ef902883c8e85873773b0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\Files12\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files12\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\06348b8ef30ef902883c8e85873773b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMJ\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\06348b8ef30ef902883c8e85873773b0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06348b8ef30ef902883c8e85873773b0.exe
"C:\Users\Admin\AppData\Local\Temp\06348b8ef30ef902883c8e85873773b0.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\Files12\abodsys.exe
C:\Files12\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| Hash | Value |
| --- | --- |
| MD5 | 639d782fed26593a5b0f47196ec753fd |
| SHA1 | df3e301d7e4c76d75d94620d7eb6703a258ac3af |
| SHA256 | a5a713c51e2b52fd34d95d499b955a4d7ce36c2465fcf69a4433242b26325a20 |
| SHA512 | 04c78341fcbeed58738b3e2c2c81d81d5c5110506132cda2a0aaf11f106bc04fa80f17c43d3dfd0d97701aa4b5effcadba90a66be1e7b3aa3fa84656bd333393 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 30474f5c9812340a90914b3858c5eec1 |
| SHA1 | 0114717c163fa14fc1fd1c33c44c245516195f8f |
| SHA256 | 59380a5bfad2faf3a9af00f51b2de49e27f2e6f9712b940153d93cecd68f6f2f |
| SHA512 | 4f88f0105b4766e71e70ac0c5797f1397a233a0c590ddd1c87c36e137790c4c44bf98f9064d9bbbbcdda7645847437c912060f21cd9f1a9263f381e760acd80b |
C:\Files12\abodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 4769b3fadd4c321d38494f1433a14a1e |
| SHA1 | f466bca230aaf8d040f32f2fa701e6768e27c2ef |
| SHA256 | d2f20f791d6dc92dd138d78e3fffae2b83b629e53d0e30cea353b0043dddc17c |
| SHA512 | 9c0b4f7a3bbf8b37e5b2b811c8008c822fed90332335fea670cc3444a0251a1eb3c089cc976ae1ea3c4db7191c119026bdb6f27b4488655e47ebfd71207cc66f |
C:\Files12\abodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | d831b8052ed899a9742fab1471242a4a |
| SHA1 | ed58440afb1de49b078cc03f175573dc5a876240 |
| SHA256 | 4d5e044bcc8457e2ce99ae81ce97abcfc06096f4a36547298302c0d655495648 |
| SHA512 | 2fe9f7ec445fa442c3514ba5e8eb994af315a3fb2018a4bd8a6710ced616c5dd831c85e9b23b327d58913dd6d96e8d04f03b94db129e3c0cd70f78e16033f6e6 |
C:\VidMJ\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | a81d5b4448897b659f902fd5ea78c802 |
| SHA1 | 341c33ae88e1e90aa286d1cc515e87f5eb283d2c |
| SHA256 | 36aef12e29c2e8ae33c0f6b2deadff89c81dda0b364a878f3e607d2d67a2d880 |
| SHA512 | 20b1782a1be43f1acf39f54b5c83fa5afb77042a83cf6e439cec164f1fdbf1b978be97764262f436e48034ea9c9a8271d0c53810d83d974258c3b68e103ec3be |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 577cca2eadbdecc42b2b7632e55d9b29 |
| SHA1 | fd953057bd0961c5443d363e53e0bc90a79fd29e |
| SHA256 | cfef3f4326a5f1f1a73457071dc59b7722f46844d538ba85ba1a3f26efbb3b2a |
| SHA512 | 5997d697b1f0bb7437c0e8a622cd6b079526a62fd13ddf2ec6d5d1cd66b2077d37312f71b0febec0b85f3b507c8e96d62012cc0d832fe662356143587e2c056a |
C:\VidMJ\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | d3c6eb79b9a74b22ae8816c0162e84df |
| SHA1 | f338e1749a9983c8127761c95d9b4c68c978c7b5 |
| SHA256 | c2a3c26ad841b55a13f0dc99cc9e84719501fa9fc252df8e3eef7b7deee242b2 |
| SHA512 | 2911f3c23392e076b797c4a627c427e5a4c210688609eb707284fe37bd4df81090a48c38d6fc68b458bc29669c8afa0334e80aabdf5e17a61253603d559a4753 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 01:08
Reported
2024-06-13 01:10
Platform
win7-20240611-en
Max time kernel
149s
Max time network
127s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\06348b8ef30ef902883c8e85873773b0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvFO\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06348b8ef30ef902883c8e85873773b0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06348b8ef30ef902883c8e85873773b0.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxS0\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\06348b8ef30ef902883c8e85873773b0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFO\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\06348b8ef30ef902883c8e85873773b0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06348b8ef30ef902883c8e85873773b0.exe
"C:\Users\Admin\AppData\Local\Temp\06348b8ef30ef902883c8e85873773b0.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\SysDrvFO\adobloc.exe
C:\SysDrvFO\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 7ef19b9d6ed9b5b2d4beee27e50873d7 |
| SHA1 | 7de26ba4359d5a9e7a56fafba4bcb791b8cf2362 |
| SHA256 | 807aa7da192ee3a1a22d3265755efa0bc0babe30aee6015ec9096229e4bb8ae3 |
| SHA512 | 9a07895f253a3b8254e5b72f0ebc09a6137077e32268cb15341c448c6ed8e45a2891a908c6485c94d90d9bbb76fdd48907630cffe637c0c4a0407a8198a980d3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 66cd1b276e117eadab7f7542231f6bad |
| SHA1 | ef3e45de70a4c12f33901e9bfe96897b7be393b0 |
| SHA256 | 780e41f7f2d11830d56f72848e46d238448607998d23a78ca6a2165bd75a0deb |
| SHA512 | b6b0796ee4688f58a886e147cce1f5a42f0dba3a2e7acc60f65f027e40eab9f7ed348eb0f66fdca43f82452658744e77b1d2f3971f643690c275c36cf49a2363 |
C:\SysDrvFO\adobloc.exe
| Hash | Value |
| --- | --- |
| MD5 | ba75247232ea4a56bc8adb1f16bcf93f |
| SHA1 | 147a1f7655d4600691da64357a720f235a95dece |
| SHA256 | 7e4c8d7fdb4628b40706b3f3ac35b45d4b24b5b2187b9adee4f5b11080a3c89a |
| SHA512 | bb0331f3f559df362f3995c3e87a6350470d4bc13fef91d1c3b18eb8c151ed70c04a96a24cf999061201ff5fbde2ef7306d9587feac5a0c22df8a4359da672d9 |
C:\GalaxS0\boddevec.exe
| Hash | Value |
| --- | --- |
| MD5 | bd90cb413756c2801ec95d15004167f9 |
| SHA1 | c09418fb41446da5c6670a3d61d9418e76d42068 |
| SHA256 | 3ffa11b027513fc02eeab053de0405e6ac7f108502a89bf79c951a2a33ec57cd |
| SHA512 | 4b7a1809b3b43bde6a796964a79b3b1eaeb73ba0ccfc8f77b6fd6e4e8b2e9fc72366b3493c13118261c4357cb088ef56cffbfbeaab8c6ae32ae7c7f6b9718340 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | e859757753b011d127b16632e4b0ea3d |
| SHA1 | 5705615f6c4d8150dc73dffbb50ce1b978a9e30d |
| SHA256 | 785dc5e28414b75e520bafc59e58a1411f29bab6f0e710eb7bebd06493245afa |
| SHA512 | 6ebe60c61fcb13fbec59ee3608b58ded0d1eac7d8df22103ee9dd4ca14fb72793fcac338174959b601aae37cf38e2abcad75cb71bdff6b4ca31dc7d18d29e8da |
C:\GalaxS0\boddevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 0d80c026ff7217667d1758553c9b1b94 |
| SHA1 | 14d1f220d41220a37e1c0a894bbcc390e238adac |
| SHA256 | 3e19dbc8a98353863030300221ed12d9467946007da720ddec917a2b170c54b8 |
| SHA512 | 5668dc066d36fdac6fc594b3bd11041af417aa62285919777cfb3602fe018599d010c464467465c525804c7e0b501ae6ee2fc1bec049267f5e18bb39d0aae82a |