Analysis Overview
SHA256
d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6
Threat Level: Shows suspicious behavior
The file d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 21:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 21:34
Reported
2024-10-25 21:36
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
111s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\AdobeKP\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKP\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVM\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeKP\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
"C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\AdobeKP\xbodloc.exe
C:\AdobeKP\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | da86300540664e84459a04d65d6bb719 |
| SHA1 | 6896ad429fad7bfd3abfdfe35221a5be24f9a315 |
| SHA256 | c800a1c253321f08c490408114a75fe5e994038fc7cda58064df21c0e6a4b843 |
| SHA512 | ddb400f9310d2a90d6cfaa2e138b2854cd0e839f6a4f656122328e5e9fcbcc429f4b5a184e9a0792a2e49c22f7395265e2882c3fc963343a9e387103ad0bc93f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 75914ec5f28e1ffe8b0b6d6c7a12d09e |
| SHA1 | b99e14d4e4d9975a6b30311cdbea958ead71c336 |
| SHA256 | 0fc280959805515cde93c541dc36ed4bb7c7d01d690d9177ece69992feab5d5d |
| SHA512 | adeb776b949f699fc032d72e6c86e22141b98d527ad52c7723eb3e4a3209e6702665c01265e77996403f250beb6bfd2305917a82139c627a20cfc98d67cd087a |
C:\AdobeKP\xbodloc.exe
| MD5 | 394a81baa5c33277860d8efb5bbef6bb |
| SHA1 | 0ea2876ba93f5ff54fd6c9517fa6f74fde430cb7 |
| SHA256 | 1994c354dd141c1b3ee5740f50e7a99387e5d29284eaab3a3d413a0da367bf86 |
| SHA512 | a2f1efdaf7c5caf81bc184fbcbff3283989e05fe9cbd70ba59808f734fbd4e66ec8116dcfc21773d7bb078ba537beb0bf01de478f0ed02299ea751e4d76f8766 |
C:\VidVM\dobasys.exe
| MD5 | 4c69ae19ec04d9955eb3652fab20356f |
| SHA1 | 21f2526ece26825c7c532e0878f5854b64374f39 |
| SHA256 | 99cb0bd61937ce0187355924fba8d0f31952d2e2de4eeea8df90ddb5ff97085c |
| SHA512 | 7c7c366fce27d48922fcff87ae445ebcb5d9b76d02a067f311f4894ad93fb144c9cfc3d33b6e41dc3f1cbe91c32d797fee03b9ed9647943ac6407d8617411b0a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0b668ada093c59ab54cb04e2d2156ab6 |
| SHA1 | 7fd6240427ccf02c3c567ca56ccee3f6e2497c19 |
| SHA256 | dabf9ea1e32488aa3e8e1d02b621d0a6ff2cad91401cb56d9da08b84237af27a |
| SHA512 | 45391a00884125a1fd3cd9b748dfa09f0c42f8103fd1765ed3675231d92b180f51cc90343f6ff764b3c08e3ce60135f8c7d2cfc808e1fcb85f663639a275924c |
C:\VidVM\dobasys.exe
| MD5 | d2c017e67769b599330f4d8906b54b02 |
| SHA1 | 681bc9decd5da8eaab0dd86b931582e96f1f2050 |
| SHA256 | b05b2cff8b6174d9363fce05507993cccad7db3b183a48cb81ecad2a0d8ca317 |
| SHA512 | fc35610064106195e78772e0c9ebf59c6f3d50a2d1c5630ef9c9e8cd43f5089fb3ef83332b6995935a4e4490b81b021a94270a341bd7b22f8425dda208c9ab96 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 21:34
Reported
2024-10-25 21:36
Platform
win7-20240708-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\Adobe43\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe43\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6F\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe43\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe
"C:\Users\Admin\AppData\Local\Temp\d5e99c574bf2ac3e2497887e1e71b6748599155de9d767664b0a781de60ac7b6N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\Adobe43\abodsys.exe
C:\Adobe43\abodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | 76fa0bcec6aaced2e0b8de99e1d852a3 |
| SHA1 | 47e27668eefeb82bfb7356e5ace5c0ce9bfd0634 |
| SHA256 | 0fcdfcc56ee61e2c173af92756a714dd5aef943acea51dcfdaf7fd2c5dfa3ff5 |
| SHA512 | 2441e1c8c4ce4f30c77dceabf4850f03a5f91b3106a64cec5821f3826cca4ca5161cc06c671738fbd428e81d92fa6b4d1ce847d6bfee326c2b1fa204d90b0132 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | dfd612489f30f3df94c15521cf941330 |
| SHA1 | bce50f377c19773946e2e378f54386ff9219ed42 |
| SHA256 | 4b18c22cfd972bcb75939e46a30053b5cb54a4dbb0702243faa7f908f05ded17 |
| SHA512 | fd5bed2b3bb13757e20f62f21b4520345c9723831e9c9ee46a7825d8bc6e64e5692e8e4c87edfddd6c63f2913beb3192800cacbec64576645e8bba71010221e0 |
C:\Adobe43\abodsys.exe
| MD5 | 48ca986a272f8904aa69e043b2dff8ba |
| SHA1 | 4c1876eb8bc80ee103056f1b5d43aa99cfaf8153 |
| SHA256 | 490657fe19bcec782eca3b0f3d0276003b8aeaeeff040437cca3596d2959ebb6 |
| SHA512 | 01a54fb11cb4979ca8524b634d341dab5929f0036e8a5ac82adbda25b7feac41a2f084e05b6d76bf00ed2d0c4745c1b10ed24aba1fd1d33c17a5839f43039c81 |
C:\KaVB6F\boddevloc.exe
| MD5 | c81a498326cf222fac05a50654af96ed |
| SHA1 | 303f6fa82a6857b35d8f5db1808ab64d72bd874f |
| SHA256 | ff2b6a0ebeeafbff01f700a497269dc81955129b52d078d25a41c97a4c9ac8c7 |
| SHA512 | a14d5887db6f2a76ef277990bfd963015eedf46c48947c6f171d666b1c31635313b59d5fe027dbab2d7e34e06494738075fc2f105239fe1316fee85e776624fc |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9eba27f3e790d71b578ecda74910881e |
| SHA1 | 30ebd3e51009f7ae91aa73606aacc3d2785b9759 |
| SHA256 | d084c429a69ee9d76ba37e06454a35d9d4fb3b18443f5c1094ce6852851966de |
| SHA512 | 750377c89d434509e7fa5ff1c344356f498b5d5c81dc9a8270ba7b6d572ca8cae0aa62d3f32f7db32f21f69abd9e97c9b335752bccf0a796687793ab6339cc78 |
C:\KaVB6F\boddevloc.exe
| MD5 | d905c34792a992e2221551884993acb8 |
| SHA1 | 0e1689a89153b4a612b338921ef4549e0e5082dc |
| SHA256 | deda582c2ec7e0e78f5ba54c7851a8c18fb4761bb3faca17b793b7186635cd7b |
| SHA512 | 6b0e87aad848ae93fde74314bc39aea20c4c11721974a28ddb0f7ba89c69fd15eaeb8487e1dbb9acd2c350c34ecc1ea5a219decb59ae8c7ead34b8665ad39715 |