Analysis Overview
SHA256
83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9
Threat Level: Shows suspicious behavior
The file 83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 05:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 05:27
Reported
2024-10-26 05:29
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
107s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\Files11\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files11\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintX5\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files11\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe
"C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\Files11\devoptiec.exe
C:\Files11\devoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Files11\devoptiec.exe
C:\Files11\devoptiec.exe
C:\MintX5\dobdevloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintX5\dobdevloc.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 05:27
Reported
2024-10-26 05:29
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\FilesXB\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXB\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEN\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesXB\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe
"C:\Users\Admin\AppData\Local\Temp\83d11847a43c7f2687237969dec4c5d10fe8e085f3a7cfa89c463e9109a2bfc9N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\FilesXB\devbodsys.exe
C:\FilesXB\devbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesXB\devbodsys.exe
C:\GalaxEN\dobaloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini