Analysis Overview
SHA256
47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8e
Threat Level: Shows suspicious behavior
The file 47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 04:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 04:12
Reported
2024-10-26 04:14
Platform
win7-20241010-en
Max time kernel
119s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvKU\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKU\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidWO\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvKU\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | "C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe" |
| C:\SysDrvKU\xdobec.exe | C:\SysDrvKU\xdobec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | b060d3ac8740cacac528b60fafc8d9ef |
| SHA1 | b8193628fc99bf6e703a65c2ab7c59b8322c7b66 |
| SHA256 | bde89ce0447790a6f413a144b5c910445c840be0fde9dd2ab00aa4289b9cd4f8 |
| SHA512 | 0bf4c934a1bb5aec72b2f9535742c9556cbe5f4ecbc4555db634b96b236a03c6a5d08ae142d97ce45be5795164b744648fae21b26bef1f388b805f6a8b266929 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 444b53393ec484f9299586380adaf341 |
| SHA1 | 7b9cdb33449bb0bf4386d1f4c3e6ef2bafe43629 |
| SHA256 | 4b07dd48024a08d91d55318e0b155f265150ac47e2cd499b5affe6390d1553b2 |
| SHA512 | 6addd054a24f7f65221e6190d90e74dd078be7ca3044a1b63045c4d524667426d8e7d75128d8a629ec54cd0fde19f2ff65affdd0f925d1f4539851b1c1370247 |
C:\SysDrvKU\xdobec.exe
| MD5 | f354c90d13c5771116e6eae9b6773cef |
| SHA1 | 4ff0328237d9c70166c553733d4a745f50c0b1f9 |
| SHA256 | e75092304936f5f5119797bc488584271fec55c0013cdeb843c4ab8011ae509b |
| SHA512 | c7a01ab96e7bcb741012fc0dc4bb95306697b5811e9f1eaf608dd0b4dd524a88b0e32ce0daeef255d19bbd5496f651c9afd3ea1d17d870a1e1c8b29dd065ca74 |
C:\VidWO\dobxloc.exe
| MD5 | 3f2c76966604f5dd358a2f7ac3eb3f2d |
| SHA1 | 085ae1be6b3d506afa6b7628ff6161176b78969f |
| SHA256 | 3a28cf788c9dfa9706cac854f086ba9313be573e97f752c2421fbba8f30a865a |
| SHA512 | 0b5fda44de88e7740c9cf80dce017bfefa6712a04f966329151079fc31688f8d505f96038a4343b4d7307c5cf44eefbfe8c496d0ca951d37d370d940c459030d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 626ec70894a0e08b876498e18d0007d7 |
| SHA1 | 316a8346f536033bbd125b076ed2135a08ba7e51 |
| SHA256 | c4bab531472123ba89f5433200ec26e427c9b16e575ff99416134f642c4ecfe9 |
| SHA512 | 0566bb2ebc63fbe53f8e2c625e1c5731e2a008b337ac2a04a0b3f3b1e6653b7bd9948494e9d061e779918e7f02670fc07db29c1444d20a46539b2cb72bfa5954 |
C:\VidWO\dobxloc.exe
| MD5 | 5bece01e4d4e4cf1e5776fa34be2b9b0 |
| SHA1 | 37a8ecb925a42eaec6a36d8cc9238047748e8a6f |
| SHA256 | 742ecd60d83c105e7799cd8a85eeb91c7384a746892cb792c138d62570d46df8 |
| SHA512 | 442831384a66f81639e8c7646c76a6988b7e0e5eea1074c20e2e32fc5a47cff9e6b402bcc712d0bf14eaa2441acdb26bfd18cf5b9f2376fb4427b5156ccc2c9a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 04:12
Reported
2024-10-26 04:14
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\FilesMM\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMM\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7X\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesMM\abodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
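Both detonations show the same persistence chain with different names: the dropper writes a copy into the per-user Startup folder, sets a Run and a RunOnce value called "Parametr" that point at executables in freshly created directories directly under the drive root (C:\SysDrvKU\, C:\VidWO\ on win7; C:\FilesMM\, C:\Vid7X\ on win10), and then launches the dropped binaries. The following is an added example, not code from the report or its vendor, that turns those signatures into detection logic over Sysmon-style events (EventID 11 FileCreate, 13 RegistryEvent SetValue, 1 ProcessCreate). The paths and the "Parametr" value name are taken from the report; the event records, the TRUSTED_ROOTS heuristic and all function names are constructed for this example.

```python
"""Added example (not part of the sandbox report): flag the Startup-folder drop,
the Run/RunOnce "Parametr" values and execution of dropped binaries seen in both
detonations, using constructed Sysmon-style event dicts."""
import re
from dataclasses import dataclass

STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
AUTORUN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# Value name used by this sample in both detonations (assumption: treat it as an IOC).
IOC_VALUE_NAMES = {"parametr"}
# First-level directories a legitimate autostart target normally lives under
# (heuristic chosen for this example); C:\SysDrvKU\ and C:\FilesMM\ are not among them.
TRUSTED_ROOTS = {"program files", "program files (x86)", "programdata", "windows", "users"}


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def target_exe(details):
    """Executable path from a Run-value string: the quoted path, or the first token."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split()[0] if details else ""


def under_trusted_root(path):
    m = re.match(r"^[a-z]:\\([^\\]+)\\", path, re.I)
    return bool(m) and m.group(1).lower() in TRUSTED_ROOTS


def scan(events):
    """Return Findings for a sequence of event dicts, in event order."""
    findings, dropped = [], set()
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 11:  # FileCreate
            path = ev.get("TargetFilename", "")
            if path.lower().endswith(".exe"):
                dropped.add(path.lower())  # remembered for the ProcessCreate check below
            if STARTUP_RE.search(path):
                findings.append(Finding("startup_folder_drop", image, path))
        elif eid == 13:  # RegistryEvent: value set
            m = AUTORUN_RE.search(ev.get("TargetObject", ""))
            if not m:
                continue
            key, name = m.group(1).lower(), m.group(2)
            target = target_exe(ev.get("Details", ""))
            reasons = []
            if name.lower() in IOC_VALUE_NAMES:
                reasons.append("known value name")
            if not under_trusted_root(target):
                reasons.append("target outside standard install roots")
            if reasons:
                findings.append(Finding(f"{key}_autorun", image,
                                        f"{name} = {target} ({'; '.join(reasons)})"))
        elif eid == 1 and image.lower() in dropped:  # ProcessCreate of a dropped file
            findings.append(Finding("executes_dropped_exe", ev.get("ParentImage", ""), image))
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
HKU = r"HKU\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion"

# Constructed events modelled on the win7 detonation plus the win10 Run value;
# the OneDrive and notepad records are benign noise for contrast.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": STARTUP},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\SysDrvKU\xdobec.exe"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\tmp1.dat"},
    {"EventID": 13, "Image": DROPPER, "TargetObject": HKU + r"\Run\Parametr", "Details": r"C:\SysDrvKU\xdobec.exe"},
    {"EventID": 13, "Image": DROPPER, "TargetObject": HKU + r"\RunOnce\Parametr", "Details": r"C:\VidWO\dobxloc.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\FilesMM\abodloc.exe"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": HKU + r"\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "Image": STARTUP, "ParentImage": DROPPER},
    {"EventID": 1, "Image": r"C:\SysDrvKU\xdobec.exe", "ParentImage": DROPPER},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:22} {f.process}  ->  {f.detail}")
```

The registry key check matches both the Sysmon "HKU\..." spelling and the "\REGISTRY\USER\..." form the report uses, and the ProcessCreate rule only fires for images the same event stream earlier saw being written, which keeps it from flagging every process start. Sysmon does not log the NLS\Language key open recorded under System Language Discovery, so that signature is not covered here.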
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe | "C:\Users\Admin\AppData\Local\Temp\47b1ed484aad667a84bc929c6e43f3f918042df76336635e21d28aea8f18ff8eN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe" |
| C:\FilesMM\abodloc.exe | C:\FilesMM\abodloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 19ec1c36a62f9cb47f374c2ae988484e |
| SHA1 | 5373c718948767e266a64ecf59db9e4f937d4d96 |
| SHA256 | 6c2a366702e495d509f94e54692b38f53afd1076f77d3fd11e12ed3719fd7e34 |
| SHA512 | 33ea116976d31f24a969fbf3c195e63b58268a4951c27595bb0375aafe4b661e5f991bf7d6a5d26faeb1291641d77779c70759890203799ede7bae0a4559fcd1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6f7a736741eb844b1ebc87fbee4ae9f7 |
| SHA1 | 1b01bd026638a5c08574be5808009ab73c8bf0e5 |
| SHA256 | 917030f1778f17245978b7157345538c0357b49aa9124a07178335aa925999c2 |
| SHA512 | be9a67e1c3a8ad2ec10df552d3e4945345378c7bde7ba17140c5e79a99ccdffa3a8ab63e16d7bd36f593bdac838ec630c72ea78117488382cca1e759536fcf65 |
C:\FilesMM\abodloc.exe
| MD5 | 588c92f6f007ea9dfda0013a82b3f6b2 |
| SHA1 | f585081343aa3869ebc1ed86bf7805abc8b9917e |
| SHA256 | a0e9fbd1638f2ae85b1881cfc8a07d4724c49a0dd8560710eb35c1d486d27f48 |
| SHA512 | f08cde780a0bd03db5b18dc7ffa5ee01e810a2161e61e9a1dfaa7b3f19b2a893822b4cae3b8d627d700f90d7a67ee72d403ff69a3f937d67caf424c2ed08ca76 |
C:\FilesMM\abodloc.exe
| MD5 | 19c30179b01b9eb6a6027d078fd9e42c |
| SHA1 | 47adaffb74faee6ceec93ada1d96c05bd6860fc3 |
| SHA256 | b429709503063e2f05ca76bc5d5e9fec11a0bc3a69aabc4064bdba627a9dc673 |
| SHA512 | 91e4462f0c2d29fc38cb545c44aab88f319dd7ff17ab1c2b9430afff7951b7e4f2429487417a07f8e008c9faec6a12494d50b5bab8be4c9ab298a4d751763276 |
C:\Vid7X\boddevloc.exe
| MD5 | 1196388aed32996b10e51572892c0495 |
| SHA1 | 1781377fa83fbe69a76b183c86b5766aecfa29d1 |
| SHA256 | d0b83cd28dffcc45176c54477313049d7919bee14b846fea36fbc77ccfef8585 |
| SHA512 | 431dba4bce6a9bc374b3460728d7a9943a055da5416d4de8c2da814b56b4888fb903be804211a28f49bff6536175469c08487ef36e57e29c99e8666706fb6f09 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6d79ab039689bb32ca868c1f8761756c |
| SHA1 | 324fa5bb85fd8393a48ad446e23f50bac9d56425 |
| SHA256 | befcd4cb9d17872b97a83b773ae5c34041ba38b395df0058dd147579d74ebd65 |
| SHA512 | 09b299089daec0aeafaa74cfb852efc756b134482da62a1faf33a1f54785c85208426220aec940914ccfe6cc077b257f2b2e199eae0ceb5215c6f4189d8a1b0e |
C:\Vid7X\boddevloc.exe
| MD5 | 62bb3576e21ef9a6eb275a26aef0dda0 |
| SHA1 | c1515f786ebd643c3322b826f4426bb9fa06a8ca |
| SHA256 | 74d9385df541384f93f2ac5a93c746eb6ec9adff2fb9641ce7b06bb552f60763 |
| SHA512 | 47eb601062d88281ecc30af0c77367f224fc5e16de9ce4bf28f1218f325444ef7fd5143bbb2b0ddd0a84524884e08e8e5389ba1311f8bc043ddddc3223795429 |
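The Files sections above list each written file as a path line followed by MD5/SHA1/SHA256/SHA512 rows, and some paths appear twice with different hashes (the *_Admin.ini file and the second-stage executables are written and then overwritten during the run). The following is an added example, not code from the report or its vendor, that parses that layout into IOC records, reports paths that were rewritten, and matches observed file hashes against the set. SAMPLE_REPORT is a constructed excerpt copied from the win7 Files section (SHA512 rows omitted for brevity); the observed hashes in the test are constructed.

```python
"""Added example (not part of the sandbox report): parse the report's Files
section into hash IOC records and match observed file hashes against them."""
import re
from collections import defaultdict

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return a list of {"path": ..., "MD5": ..., "SHA1": ..., ...} in report order.
    Any non-empty line that is not a hash row starts a new record (the file path)."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m is None:
            current = {"path": line}
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"hash row before any path: {line}")
        algo, digest = m.group(1).upper(), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:  # catches truncated or miscopied digests
            raise ValueError(f"{algo} digest of wrong length for {current['path']}")
        current[algo] = digest
    return records


def index_by_hash(records):
    """Map every digest (any algorithm) to the path it was recorded under."""
    return {r[algo]: r["path"] for r in records for algo in HASH_LEN if algo in r}


def rewritten_paths(records):
    """Paths listed more than once with differing SHA256, i.e. written then overwritten."""
    seen = defaultdict(set)
    for r in records:
        seen[r["path"]].add(r.get("SHA256"))
    return sorted(p for p, digests in seen.items() if len(digests) > 1)


def match_observed(observed, index):
    """observed: iterable of (host_path, digest); returns (host_path, digest, report_path)."""
    return [(p, d, index[d.lower()]) for p, d in observed if d.lower() in index]


# Constructed excerpt of the win7 Files section of this report (SHA512 rows dropped).
SAMPLE_REPORT = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | b060d3ac8740cacac528b60fafc8d9ef |
| SHA1 | b8193628fc99bf6e703a65c2ab7c59b8322c7b66 |
| SHA256 | bde89ce0447790a6f413a144b5c910445c840be0fde9dd2ab00aa4289b9cd4f8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 444b53393ec484f9299586380adaf341 |
| SHA1 | 7b9cdb33449bb0bf4386d1f4c3e6ef2bafe43629 |
| SHA256 | 4b07dd48024a08d91d55318e0b155f265150ac47e2cd499b5affe6390d1553b2 |
C:\SysDrvKU\xdobec.exe
| MD5 | f354c90d13c5771116e6eae9b6773cef |
| SHA1 | 4ff0328237d9c70166c553733d4a745f50c0b1f9 |
| SHA256 | e75092304936f5f5119797bc488584271fec55c0013cdeb843c4ab8011ae509b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 626ec70894a0e08b876498e18d0007d7 |
| SHA1 | 316a8346f536033bbd125b076ed2135a08ba7e51 |
| SHA256 | c4bab531472123ba89f5433200ec26e427c9b16e575ff99416134f642c4ecfe9 |
"""

if __name__ == "__main__":
    recs = parse_files_section(SAMPLE_REPORT)
    print(f"{len(recs)} records, rewritten: {rewritten_paths(recs)}")
    for p, d, rp in match_observed([(r"D:\quarantine\a.bin", "F354C90D13C5771116E6EAE9B6773CEF")],
                                   index_by_hash(recs)):
        print(f"{p} ({d}) matches report file {rp}")
```

Hash lookups are case-insensitive on both sides because tools such as Get-FileHash emit uppercase digests while the report uses lowercase. A rewritten path means both digests are valid IOCs for that name; the index keeps every digest, so either version matches.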