Analysis Overview
SHA256
931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6
Threat Level: Shows suspicious behavior
The submitted file 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N (executed as 931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe in the behavioral runs below) was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 04:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 04:26
Reported
2024-10-26 04:28
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\AdobeM3\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeM3\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTQ\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeM3\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
"C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\AdobeM3\xbodsys.exe
C:\AdobeM3\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | 5bfa0ea5c4ea84b08a4168e71942ca75 |
| SHA1 | c1cd53fd45ac74f4702db1feb96a154bd37af93e |
| SHA256 | 1d702c27dcee007db646d69e6b0d7985a0f2a322de1f50f6223e6a95608e0a83 |
| SHA512 | a8753cb0ba5e5e86f9e57837ce898b7acd5fcb87bae71b422f7ba3d873d3f2348a6df8f46237e4f61db195275703f8cc27849ceb8b7dc0223163c0b3e4192e47 |
C:\AdobeM3\xbodsys.exe
| MD5 | 9b4697f98a51dbcb5e776336c3add935 |
| SHA1 | a67be0a45bf12f0b683ff3d4e0ade73fa3a030d4 |
| SHA256 | e450087ec4200f7ffff07aa7a8ef0f38c4c1e1ad556b0add40a4ff1214f1ae40 |
| SHA512 | fb6d3218a1a8fe09b72abe6ebcbe51fe9f3aaa37d417bcfd5a4f83ab1f719ff16cf2b8797048b5a5abd8447082b06ec511a8b0249d761d253926013f4c9b94c0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 108120861b264c297c8ee6901c695155 |
| SHA1 | e5386c9b91504be5d579f3a40f141ec81a0ff4ed |
| SHA256 | d05ba070693fe159225d5667ff3251381f292b8e1dfad5f64ed101005e0f13e8 |
| SHA512 | b31168ba5d1d06f435f7f3c5b5054f4a79834540229ffe1c81ac150dbccd75bb7e704de7f4aaf2fb4edafed1612da701b99ad4f2473377e575365e62ba2fa4d1 |
C:\GalaxTQ\dobaloc.exe
| MD5 | f199073bb1aad26714da31ce7d05c566 |
| SHA1 | a1fb63adb9c24f23967112ade629269d5f24b9f2 |
| SHA256 | 9ec63096a8cb9b3dc094bc560678cb63b34eaaf84f4969593c4eecc2f98956e4 |
| SHA512 | 43f86021a35266c5613aaedfddff82a37bb7f5b2b6805bcf3fdf5d5923b2bdb23ec9dd12c5879a5cca3c0f8a06385a34c1645a057759f6e16aa95f8c318c0aeb |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 812192a0de9b53732cbba5d5d4a93fc0 |
| SHA1 | c6687a7dfa746d966a1a172363901fbad4abccf8 |
| SHA256 | 70bfe1b747a412be640de2750a6a9be7e021f1eae249c859108f4c96ec69642a |
| SHA512 | 4654f17cbb1de06e01b8284875751fa9ba11d61a629203db7bd2b9a5e39c28f29c5bc5e0c3651903f871493adcad75a7059c99cd6a1ace45ca00fbe675d6c0c6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 04:26
Reported
2024-10-26 04:28
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\Adobe2S\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2S\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBPP\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe2S\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
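Both behavioral runs show the same two persistence mechanisms: an executable named locdevbod.exe dropped into the user's Startup folder by the sample running from %TEMP%, and a HKCU Run plus RunOnce value named "Parametr" pointing at an .exe inside a freshly created directory directly under the drive root (AdobeM3 and GalaxTQ on Windows 7, Adobe2S and KaVBPP on Windows 10). The directory and file names change between runs, so a path-based IOC from one run will not match the other; the value name "Parametr", the Startup-folder drop and the "exe in a new root-level directory" shape are the stable parts. The following detector is an added example and is not code from the sandbox report or from the sample: it replays a few constructed Sysmon-style events (event IDs 11 for file create and 13 for registry value set, with assumed field names "image", "target" and "details") that mirror the behavioral1 signature tables, plus two benign control events, and flags only the stable behaviors.

```python
"""Detect the persistence pattern from the report over constructed Sysmon-style events."""
import re
from dataclasses import dataclass

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe")
STARTUP_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKU_CV = r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion"

# Constructed events (field names are this example's assumption, not Sysmon's exact schema).
# The first three mirror the behavioral1 tables; the last two are benign controls.
EVENTS = [
    {"id": 11, "image": SAMPLE_EXE, "target": STARTUP_DIR + r"\locdevbod.exe"},
    {"id": 13, "image": SAMPLE_EXE, "target": HKU_CV + r"\Run\Parametr",
     "details": r"C:\AdobeM3\xbodsys.exe"},
    {"id": 13, "image": SAMPLE_EXE, "target": HKU_CV + r"\RunOnce\Parametr",
     "details": r"C:\GalaxTQ\dobaloc.exe"},
    {"id": 13, "image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "target": HKU_CV + r"\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"id": 11, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\Admin\Desktop\notes.txt"},
]

# An executable written directly into the per-user Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
# The writing process lives in %TEMP%, as the sample did.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Run / RunOnce value set; group 2 is the value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# An .exe in a directory sitting directly under the drive root (C:\AdobeM3\xbodsys.exe);
# a space or nested path (C:\Program Files\...) does not match.
ROOT_DIR_EXE_RE = re.compile(r"^[A-Za-z]:\\[A-Za-z0-9]+\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    target: str
    details: str = ""


def check_event(ev):
    """Return the findings a single event triggers (possibly several)."""
    findings = []
    if ev["id"] == 11 and STARTUP_RE.search(ev["target"]) and TEMP_RE.search(ev["image"]):
        findings.append(Finding("startup_folder_drop_from_temp", ev["image"], ev["target"]))
    if ev["id"] == 13:
        m = RUN_KEY_RE.search(ev["target"])
        if m:
            details = ev.get("details", "")
            if ROOT_DIR_EXE_RE.match(details):
                findings.append(Finding("run_key_to_root_dir_exe", ev["image"], ev["target"], details))
            if m.group(2).lower() == "parametr":
                findings.append(Finding("run_value_name_parametr", ev["image"], ev["target"], details))
    return findings


def scan(events):
    """Run every rule over every event and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.rule:30} {f.target} -> {f.details or '(file)'}")
```

The OneDrive control event sets a Run value too, but its target path contains a space and sits under Program Files, so only the sample's two values fire; dropping the path-shape rule and keeping just the value name would still catch both runs in this report, while the path-shape rule is the one that survives a renamed value.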
Processes
C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe
"C:\Users\Admin\AppData\Local\Temp\931ea250d4f910eb22a9b0f90898bed29b36a8a3920fd7c54ede5cf36aad4ee6N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\Adobe2S\aoptisys.exe
C:\Adobe2S\aoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
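The behavioral1 run recorded no network rows; in behavioral2 the table is eleven PTR queries (`x.x.x.x.in-addr.arpa`) to 8.8.8.8, one forward lookup of tse1.mm.bing.net and four TCP connections to it on 443. The table attributes none of these flows to a process, so nothing here can be tied to the sample or its dropped executables on the page's evidence alone; reverse lookups and the Bing image host are also the kind of traffic a Windows 10 image generates on its own. The script below is an added example, not part of the report: it decodes each PTR name back to the IPv4 address being reverse-resolved (the labels are in reverse octet order) and groups the rows into reverse lookups, forward queries and connections, which is the form an analyst needs before pivoting on any of the addresses. The rows are copied from the table above; the grouping labels are the example's own.

```python
"""Decode and group the rows of the behavioral2 Network table."""
import ipaddress
from collections import Counter

# (country, destination, domain, proto) rows copied from the report's Network table.
ROWS = [
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "134.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "74.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "200.163.202.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.42.69.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "67.209.201.84.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "19.229.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
] + [("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp")] * 4


def ptr_to_ipv4(name):
    """Turn 'd.c.b.a.in-addr.arpa' into 'a.b.c.d'; return None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        # IPv4Address validates each octet; reversed() undoes the PTR label order.
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def triage(rows):
    """Group rows into reverse lookups (decoded), forward DNS queries and connections."""
    reverse_lookups, forward_queries, connections = [], [], Counter()
    for _country, dest, domain, proto in rows:
        ip = ptr_to_ipv4(domain)
        if ip is not None:
            reverse_lookups.append(ip)
        elif proto == "udp" and dest.endswith(":53"):
            forward_queries.append(domain)
        else:
            connections[(dest, domain, proto)] += 1
    return {
        "reverse_lookups": reverse_lookups,
        "forward_queries": forward_queries,
        "connections": connections,
    }


if __name__ == "__main__":
    result = triage(ROWS)
    print("addresses being reverse-resolved:", ", ".join(result["reverse_lookups"]))
    print("forward queries:", result["forward_queries"])
    for (dest, domain, proto), n in result["connections"].items():
        print(f"{n}x {proto} {dest} ({domain})")
```

Only the decoded addresses and the single TCP destination are worth an enrichment lookup; the 8.8.8.8:53 destination is the resolver, not a contacted host, and should not be carried into a block list.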
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | bb3214d13e6cceae764f067cbb7955b2 |
| SHA1 | 44a2aadddc4fb6e45025369f7a857bcd82f222b9 |
| SHA256 | 5b3d7ac65f360664a58a5e8e0395ba3dfc16cc0fc318efed59f3f9148711e986 |
| SHA512 | f55609bae070d2bff26e4a3c982de2af606d180073ed2ebbd05bd4def99b9d03173a3486e9ff3c4db602c43dfed0dd06d85d499c7c63d736a42286681f5c3992 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7871a413b0ceddb4a077e4212407ac2c |
| SHA1 | b2acc5c3a585959f71dc770864770d51d00515be |
| SHA256 | b46659c7d0c276de9160072464582a91f28519c6ae4480fb25551cde7964439c |
| SHA512 | 1736cfeee16e27f6e59806502d4596f1c634798aa70bfa11da62cefae490d5a8bc62fe2215c113704aa512c7a5eb8c019ba6d8744c2fe83656aacab2500bc234 |
C:\Adobe2S\aoptisys.exe
| MD5 | 0989c9bded972507425cfc7c9d6e1d52 |
| SHA1 | 8efb4781988c951b3315b45be44b1e37eb6c5caa |
| SHA256 | 2003557d36e91b554f8ff23416425a8d51479c3f222e961e6e1a4dbaee30f344 |
| SHA512 | 7aad8ca771efb217dc445a132b98e143b892332c8f242768d214a6d2fadb008fe6713d664f8eb7e5c368fbccb7e43f774aa57e5fbdc98ed426026af80c9a4564 |
C:\KaVBPP\bodaloc.exe
| MD5 | dc9063c9d844a831416e915be278d64c |
| SHA1 | 18230f54a21dd7bc9b72ec322e6f974e294df9f5 |
| SHA256 | bfb2474ee9490d23dd43dc3e6f56cf433373a8179f75f0997a51d4e6dede1e1e |
| SHA512 | d1e39f2bd6c2a90f92a80f4465691cdfda4984c96b6bc6d6dfcb69c86fd571c8792043a8c2b128cb9ac6fbf458d808efe662c39095a28aa8868b90a25490b43f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0a8ab44ba78003d3b3e9ce9c6d3284db |
| SHA1 | d60f18aee0c8ef388c185ae6d857a6293a6d39bf |
| SHA256 | 6da6e1af935af6630d9ab7dbaf3188f7a3cb88eb868d4c46f20b16da436618d1 |
| SHA512 | b6222f4a8edaf1f716d7ec9cd85d8e8504a3b1cb26f3dd4d1fb400c428cfaff67d0d1f783c509b1f83723204c26d5bb86ad2068d0a8fd437ab0664581384e3a9 |
C:\KaVBPP\bodaloc.exe
| MD5 | 3a9ea6e303e7bbdad270ccbe8d43749e |
| SHA1 | 62bc973af0455c45452b139e6aa1dd898d66e306 |
| SHA256 | 30006f1472757406678fedabb2f8bea131cd070f4b80a8c861207dc4d684871c |
| SHA512 | 2a18070bdaf810a6e6c117b80cb244a4a2e9539d43a22306d4632071acde27fa0cf06e143e8b9c199e4ae918edcde0d777820fc85086413efd97458b2dcad1c8 |