Analysis Overview
SHA256
b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857a
Threat Level: Shows suspicious behavior
The file b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN was classified as: Shows suspicious behavior. No malware family was identified; the verdict rests on the persistence (Startup folder drop, Run/RunOnce values) and WriteProcessMemory behaviors listed below.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 22:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 22:12
Reported
2024-10-25 22:14
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
108s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\UserDot5I\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot5I\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTA\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot5I\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe
"C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\UserDot5I\xbodec.exe
C:\UserDot5I\xbodec.exe
Network
Note: the only destinations recorded are 8.8.8.8 reverse-DNS lookups and Bing hosts (g.bing.com, tse1.mm.bing.net), which is consistent with background traffic of the Windows 10 image rather than sample-specific command-and-control; the Windows 7 detonation recorded no network activity at all.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | d42bf789cf19a365acd0a23ca5d219c7 |
| SHA1 | 6589b3fc34607c5f9fb4b6e1e11f9e804b331b9b |
| SHA256 | b5eb4b4c83abdf24285c6aefae82ae41f87994a35cf9d3e619f96fce095d0d92 |
| SHA512 | a48f53ce36732e4216d24188f0169d72635893693aec5a402a111aa0cd8bd9f4910b4c02c098bcc03f405a29388a97fa20f958ae1b049e708eb817b988e5df89 |
C:\UserDot5I\xbodec.exe
| MD5 | 4ba290ff964be3ab73783979178864ed |
| SHA1 | f0eacc2f9bea071f816f212e7ec71f6c4b913671 |
| SHA256 | 3a3bbcdc08d43d7c0faee81d6a995ee50fd1957877a254663c9db7bb0f15c9c5 |
| SHA512 | 8bc035f9a0c35fdd9be830979489ba400c6ad7c7ccc18e86e9c3ab56abc1d42a977bbf8edc8eddff7a79f1bdecb4b20beb0a81a0c04306ebe2c188c712c38667 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 612d2b76524d3b40c6274348ad3c7aa5 |
| SHA1 | fefc0eed870034d738814d951a71c92e2e17c5dd |
| SHA256 | 4e180dab36a6f379a81850a6189957f620bb6045df910ab817414b652afd58d8 |
| SHA512 | af65dd71b45ba9a16249c67cd63b62839380dd20851c6aeb0899a1884abca33b3fec9f72bd393c2e8e84184df86e403618c1c9a07fb3cc5b0cc261eeac42ae4c |
C:\UserDot5I\xbodec.exe
| MD5 | e252031008c40af69b3c4bf243e98159 |
| SHA1 | 4593fd2354c562f8272717624f96adff206f4ef1 |
| SHA256 | cc1d45d9f4004f4969a4d1ac4953d08b848fae7bcdf3293f2bba92d346c4a054 |
| SHA512 | 778eb36b7138c8f72562b1a67d2010090000a18cb6c591fc6d843829ca302b4bef9acaf846e325a343ff62f1030e73a30bcbe433ed0e247735b6788ae2664a8a |
C:\KaVBTA\optialoc.exe
| MD5 | 05b41ae8a0495c35a9a4d4ae8e8f7d0a |
| SHA1 | 36c778eb4d0f58e38e4927ef7aefbf32a00262da |
| SHA256 | 282cc2dc52731f043b93c0c7ffe960395b6579fb1bba721e7080d606a4b5b05f |
| SHA512 | 7a5534fbf0eb28295fa2646ee334a70a07f3da13b40604f79bbdd1cad6c9edf4cd8719129be0318bc8943b00fb26496a90a0999ca126aa74f57b48ce5674b983 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 556f8802d586b2ad8417a82625bdc1a0 |
| SHA1 | 5cc12cbc1afdacc7914595cd0eb99611a7231e2f |
| SHA256 | 5fd6e5e90a980648287e15dc355e86010dd582222fbba0b2284948978bf60827 |
| SHA512 | 3bb4d7168771a454bd40f1a006ac21275c77eaaafed6fa376463538170c91a26a8dff1d6095fd64feaaf2eae5478f74e89b6fda64958e82871f5913c413ba4f9 |
C:\KaVBTA\optialoc.exe
| MD5 | 1b4e8bab23889157d78abf48a9949886 |
| SHA1 | 37eb5742ada0a91403f8f065d15d3686750da1c4 |
| SHA256 | 1cc363467ba6431e344a59411a6ff83a6ab614827b9d1dca4dc8310b970f3b71 |
| SHA512 | 17a18b3861fdf915b0707b501aa93976d13bca5b3eb852e11c3dda04d2a93ed9dc2c51414bbd3f33df80795550de240cb4a45e9c02f574649a7cee4debe916bb |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 22:12
Reported
2024-10-25 22:14
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrvHW\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHW\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWX\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvHW\adobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
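Both detonations show the same persistence chain while the dropped file names and hashes differ between runs (sysdevdob.exe/xbodec.exe on Windows 10, ecadob.exe/adobec.exe on Windows 7, and each dropped binary is listed twice with different hashes), so hash or filename IOCs from one run will not match another. What is stable is the behavior: an EXE dropped into the per-user Startup folder, a Run value and a RunOnce value both named Parametr pointing at executables in a short random-looking directory directly under C:\, and a marker file named <digits>_<NT version>_<user>.ini in the profile root (10.0 for the Windows 10 detonation, 6.1 for Windows 7). The following is an added example, not part of the sandbox report, that hunts for that pattern over Sysmon-style events. The events are constructed to mirror the Windows 10 detonation; the event field names, the parent-process relationships and the benign noise rows are this example's own assumptions, not data from the report.

```python
"""Added example (not from the sandbox report): hunt for the persistence
pattern shown by both detonations over simplified Sysmon-like events.

Event shape (this example's own, not Sysmon's exact schema):
  id 1  = process create   {image, parent}
  id 11 = file create      {image, target}
  id 13 = registry set     {image, target, details}
"""
import re
from dataclasses import dataclass

# EXE written to the per-user Startup folder (T1547.001).
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Run / RunOnce value under any hive; value name captured for reporting.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# Dropped binaries live in a short random-looking folder directly under the drive root,
# e.g. C:\UserDot5I\xbodec.exe or C:\SysDrvHW\adobec.exe.
ROOT_DIR_RE = re.compile(r"^[A-Z]:\\[A-Za-z0-9]{4,12}\\[a-z]+\.exe$")
# Marker <digits>_<NT version>_<user>.ini written to the profile root.
INI_RE = re.compile(
    r"^[A-Z]:\\Users\\(?P<user>[^\\]+)\\\d+_(?P<ver>\d+\.\d+)_(?P=user)\.ini$", re.I)


@dataclass
class Finding:
    rule: str
    image: str
    indicator: str


def hunt(events):
    """Return one Finding per event that matches a rule."""
    findings = []
    for ev in events:
        eid, image = ev["id"], ev["image"]
        if eid == 11:
            target = ev["target"]
            if STARTUP_RE.search(target):
                findings.append(Finding("startup_folder_drop", image, target))
            elif ROOT_DIR_RE.match(target):
                findings.append(Finding("root_dir_drop", image, target))
            elif (m := INI_RE.match(target)):
                findings.append(Finding("profile_marker_ini", image, f"{target} (NT {m['ver']})"))
        elif eid == 13:
            m = RUN_KEY_RE.search(ev["target"])
            # Only flag autoruns that point into a root-level random directory.
            if m and ROOT_DIR_RE.match(ev.get("details", "")):
                findings.append(Finding("run_key_to_root_dir", image, f"{m['name']} -> {ev['details']}"))
        elif eid == 1:
            if ROOT_DIR_RE.match(image) or STARTUP_RE.search(image):
                findings.append(Finding("dropped_exe_executed", image, ev.get("parent", "")))
    return findings


def verdict(findings, threshold=3):
    """Flag a host when at least `threshold` distinct rules fired."""
    return "suspicious" if len({f.rule for f in findings}) >= threshold else "clean"


# Constructed events mirroring the Windows 10 detonation (parents are assumed).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
HKU = r"HKU\S-1-5-21-2045521122-590294423-3465680274-1000"
MALICIOUS_EVENTS = [
    {"id": 11, "image": SAMPLE, "target": STARTUP},
    {"id": 11, "image": SAMPLE, "target": r"C:\UserDot5I\xbodec.exe"},
    {"id": 11, "image": SAMPLE, "target": r"C:\Users\Admin\253086396416_10.0_Admin.ini"},
    {"id": 13, "image": SAMPLE, "target": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "details": r"C:\UserDot5I\xbodec.exe"},
    {"id": 13, "image": SAMPLE, "target": HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "details": r"C:\KaVBTA\optialoc.exe"},
    {"id": 1, "image": STARTUP, "parent": SAMPLE},
    {"id": 1, "image": r"C:\UserDot5I\xbodec.exe", "parent": STARTUP},
]
# Constructed benign noise: a legitimate HKLM Run value and an ordinary program launch.
BENIGN_EVENTS = [
    {"id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"id": 1, "image": r"C:\Program Files\Foo\foo.exe", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    found = hunt(MALICIOUS_EVENTS + BENIGN_EVENTS)
    for f in found:
        print(f"{f.rule:22} {f.image} :: {f.indicator}")
    print("verdict:", verdict(found))
```

The Run value and the RunOnce value point at different binaries (xbodec.exe and optialoc.exe here; adobec.exe and bodxloc.exe on Windows 7), and the report shows only the Run target actually executing, so the RunOnce path is worth collecting as a second file to acquire from a live host even if it never ran in the sandbox. The rules key on the root-level directory shape and the Startup folder rather than the Parametr name, so they survive a renamed value; add the name as a low-cost extra signal if you want tighter matching.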
Processes
C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe
"C:\Users\Admin\AppData\Local\Temp\b8949969eaccd2ddf4e3502c596beff49ccb4188a91696cc2dc854d2b1db857aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\SysDrvHW\adobec.exe
C:\SysDrvHW\adobec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | b90e187e14d37abaa67140aeffac628e |
| SHA1 | c4d71682811f71df1ebfdd2778c29691d724a308 |
| SHA256 | 7a43fb691963ff37d8d4cf9089cfbfb1eabe0db4323f348350796668ca04fd6a |
| SHA512 | 30aa73391526fa75eae543f8706405ccf5570c8082e6263bcfc22705b71f742c531228ec719fe1b1204e14a9f926488b0d2f0edf4c0fdaac9ae58a5c2b814191 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d31e9045cf7b68fda98e1d96bb1f349f |
| SHA1 | 08a7919ee05be45b280b5de32f6ea66fab6f8f54 |
| SHA256 | 2147c377b114bfcbac3a7678a361725846105021fa74e6620432b8c2ddc3d6ff |
| SHA512 | 818230e46245e74979c751164e11c1dd343903e2a4df3d4f3eb45068563160adc810c309a932e0be8cf79ddcc9b784af4a6e3454af4efd63ee86c51a4f56284d |
C:\SysDrvHW\adobec.exe
| MD5 | 52ce446f492980cf9a9e3f9648710c1c |
| SHA1 | 89e6fdc1a610ce592ccfa46bdb80fa665de8d9cb |
| SHA256 | 6c4398bc5be87e9f816b65266b85aa9686cf87e8c338f21dd7b1ed089671b710 |
| SHA512 | ca31c8e42c3d2eac88f0c5f16ebc52a6618a38af697c5d3215aabf73958b76dd5805186cf6f0a4b5c84b7fbe8ea7906f90d34199f5d7b9201a67ce9d5794a3f3 |
C:\MintWX\bodxloc.exe
| MD5 | f700b8e295e3cef42b0ac0d29f044624 |
| SHA1 | 357b5bee1b200eab479cc98aff6961f2c4f48148 |
| SHA256 | 0edb089fea2048728b91e0ab8af1e0146b36b91dd709001d22dc3196a5ef5dce |
| SHA512 | 0689948de3d66877eff10498c35e82b0f36b506708d13bf386aa4873cecbeafcacff3db3ba24bd20d87ae75489a2e415996ca70b9901abbadeed48313c21b9f7 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1d6bbaad2e8a587089e6a801beb505db |
| SHA1 | 05e61dce7b324cde20e52fa3b9cb758128acc802 |
| SHA256 | 395205f4b7199759d4ad56293c1d857b00f4a27caede1e66e7414d4b6c027418 |
| SHA512 | 9b798f77d96cd6951ec130f27501eb6a4e46d0907f5ff64d60030353b893b68209aa6b3f4a13180d206293d6d99dfa15fec14fa31682002f94e545e50a19ccb4 |
C:\MintWX\bodxloc.exe
| MD5 | fbe3105945c809e8bf6e00f7fef8ce54 |
| SHA1 | e4b4b6a33f2126392c845abd1669f10511f5c42f |
| SHA256 | 588c56e8f6a9d537a5bc2c80903c4b2fdfd2efb06c55c8a6c1e1039a485fae2d |
| SHA512 | 50cbba09c9369cf432e58eac2131517db247d9a0625def1f06f2359a45a2015fe879017f05ad29c35b344e132039515dfda1d9d5a69c9cf07dc94b14c9bd5a79 |