Analysis Overview
SHA256
76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839f
Threat Level: Shows suspicious behavior
The file 76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 20:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 20:56
Reported
2024-10-25 20:58
Platform
win7-20240729-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\FilesJL\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJL\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBN1\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesJL\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe
"C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\FilesJL\adobloc.exe
C:\FilesJL\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesJL\adobloc.exe
C:\KaVBN1\optidevec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVBN1\optidevec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 20:56
Reported
2024-10-25 20:58
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
109s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvU0\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvU0\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZH\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvU0\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe
"C:\Users\Admin\AppData\Local\Temp\76c3cb08a2057abbc48f9e98406f89fb37ff6cd08ddb0ba096855203e51e839fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\SysDrvU0\devdobloc.exe
C:\SysDrvU0\devdobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvU0\devdobloc.exe
C:\LabZZH\bodaloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini