Analysis Overview
SHA256
b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e
Threat Level: Shows suspicious behavior
The file b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 03:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 03:13
Reported
2024-06-14 03:16
Platform
win7-20240419-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\IntelprocDR\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDR\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXT\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe | "C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\IntelprocDR\adobloc.exe | C:\IntelprocDR\adobloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocDR\adobloc.exe
C:\LabZXT\bodasys.exe
\IntelprocDR\adobloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZXT\bodasys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 03:13
Reported
2024-06-14 03:16
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
51s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\IntelprocYR\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYR\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2E\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe | "C:\Users\Admin\AppData\Local\Temp\b8a09e4971f329afcb30b7d2a858f3c8fda49023c2fb154b0cc148be6ebfe51e.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe" |
| C:\IntelprocYR\devbodsys.exe | C:\IntelprocYR\devbodsys.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocYR\devbodsys.exe
C:\KaVB2E\bodaloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVB2E\bodaloc.exe