Analysis Overview
SHA256
14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954f
Threat Level: Shows suspicious behavior
The file 14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 22:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 22:19
Reported
2024-10-25 22:21
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvPC\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPC\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAR\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvPC\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe
"C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\SysDrvPC\abodec.exe
C:\SysDrvPC\abodec.exe
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvPC\abodec.exe
C:\MintAR\optiaec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintAR\optiaec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 22:19
Reported
2024-10-25 22:21
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
103s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\FilesTJ\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesTJ\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLC\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesTJ\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe
"C:\Users\Admin\AppData\Local\Temp\14e8c91c1485066da4a6e6e8ad04b9ee3b37272c7efc851e523fb89e843b954fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\FilesTJ\devdobsys.exe
C:\FilesTJ\devdobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesTJ\devdobsys.exe
C:\MintLC\bodaloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintLC\bodaloc.exe