Analysis Overview
SHA256
34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371
Threat Level: Shows suspicious behavior
The file 34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:45
Reported
2024-10-27 21:48
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\SysDrvHX\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHX\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ2F\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvHX\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe
"C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\SysDrvHX\devbodec.exe
C:\SysDrvHX\devbodec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| Hash | Value |
|---|---|
| MD5 | 8efe09b29a5b6254bfde7b11fb485c75 |
| SHA1 | 0816738d78aeed5d2c2d10d3db40002c0cb391d4 |
| SHA256 | 6d2f608c23ccbdb22043fc4fc2320fcae2b7a8c0cccc360b18fe8894649fa946 |
| SHA512 | 710666eb4422adfa252eb6d705428c1d57789f51df93007c97628a999fcf84b71153788fd884b4048ed0ff65777b13090067698e11983318dc3429ed2914e9a1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | b07613705751159c5f1035e4f9ba4dec |
| SHA1 | d9837a4da241fbe2e3b8778cdd50ccbc4a2bc5ab |
| SHA256 | 9ad415b31b4756534c1079398856fdd81dbc3b5c22c1cade11e68aafa189c52d |
| SHA512 | 1372a43e812a6e0dfa96c7b6182327e42a63ae35837a56f00ff8c9f863dc3abf773dce72c4e886cd26af9d25acf22dceb6178978aa51f1c793130579b551a044 |
C:\SysDrvHX\devbodec.exe
| Hash | Value |
|---|---|
| MD5 | ce9960290b03ade582fb8b7f811fe142 |
| SHA1 | 6d24d980a14aec877bbb401365f62ebb0d419751 |
| SHA256 | 6fabc3ea1e31e69144916fc4679c85a8174ab5b3248b190cda8467ecfd5ea50e |
| SHA512 | 92399cbc45e66eac4c0c77a316115abddb8152e01e5fdbc7869ca461a207020abe3e38cdec54b73eecdf2758e858d41cad4f85894d76dc9bf66bac0a594ccb83 |
C:\LabZ2F\dobxec.exe
| Hash | Value |
|---|---|
| MD5 | b48eb3d7d5614ddb556f92bac65193f1 |
| SHA1 | 6986de9fd091123aa5c9994940d68df339e0eda1 |
| SHA256 | 4beda9b61b49fe28a281d34f3683ef9530d5042e0fd64f2adbf4e656270c5a83 |
| SHA512 | b3b69f3b3b951c64163fc5cafd9f73a3206e3e72a5f4aa67778f046dad0c98c86eeb4f0b8ead93abfbc0145827087de6e51629f9b0c85153dbd3d72c1d142430 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 38708e63b156c6360d90cf2c66ebcf83 |
| SHA1 | 99b74063f29d5159924b816de7163f437f784c40 |
| SHA256 | 2d377a723a15499b27c470c00e1cd9b6cc9f56aaadbf7c195cf27a5468536a32 |
| SHA512 | fa4c72fa6ff3838a4bd36735ceae83e938b23e4a815ddd3c4cd1203463a9093e4d66900b16128a8d7a2dad27c354f0326a1f71a23b39a449cee7a795ab63da13 |
C:\LabZ2F\dobxec.exe
| Hash | Value |
|---|---|
| MD5 | a0d33bc394ef539daa2dce628b99a0ac |
| SHA1 | 1302f595fd870dec6bded1e1cae19972c55155b2 |
| SHA256 | 17ba57d7435c811bf49557fcce7d4c5b5e0ae508783cbbcea35fc4213e50d0ee |
| SHA512 | 47458bc52a805c2cda7862cdf596e7c55365721d5cbc4d9962786167f8aee9ead6c8a5f7a56b145109e6c0af0565d611d48bc118c26cb38d5d275b0a4ac36234 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:45
Reported
2024-10-27 21:48
Platform
win7-20240903-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\UserDotVP\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVP\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZJ\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotVP\adobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe
"C:\Users\Admin\AppData\Local\Temp\34fabf762956addffb7a9f722ccee6e2aedcd08c54561dcf866050e5c3d1b371.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\UserDotVP\adobloc.exe
C:\UserDotVP\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| Hash | Value |
|---|---|
| MD5 | 638b697763a0c315ca5c852704179eb9 |
| SHA1 | b76e973a98c8829dcbf55ec2dbb15b67f5526bc2 |
| SHA256 | bd7770d461a83a88f91912a09a14f38e4d95dee2bd8fd7937aee6436523542f5 |
| SHA512 | 1f09b65e6c64435e8d2ed852b2dea5fdb0718100976f28fe90a1a2c8c367a677196b2099e03340724de8d7fd5522636a49eaa426c151bd69e5edb5a939de2283 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 924c1df92c2972a703fc41a5f9dd1142 |
| SHA1 | e87c0bb9714ef5e1524fb45fbe97211cbfd52b97 |
| SHA256 | 6c5fd35e989155e26dc0211d2bfa8e02ced13e412e896ad5429a54079ab396e1 |
| SHA512 | 3a6e50d98ecca3b05de456564dc6886ce89a6e547ed3aa307a45e53ed7169418f0d736efd01853fa9f5f42c2fec7e19ee6b52c9f7c45e383d8295d922339c271 |
C:\UserDotVP\adobloc.exe
| Hash | Value |
|---|---|
| MD5 | 94a0609e463eb94e3af65025ec2a3057 |
| SHA1 | 32a72b910782fda571bae2e4cf220b42896d44e5 |
| SHA256 | 9dbf5cd99a8d349a1d8e8622c8c83d65aead31a367be1d46d4b6e8ebcc69db62 |
| SHA512 | 54c1f3aa5abdc71a3df62b1ed7efa1f8ed58578e721412de7d7e5078b4a08720d839622e7b817736d6b64c83dfacf3b355e7d65129f37e32363b99b1d4c3fcd6 |
C:\VidZJ\dobxec.exe
| Hash | Value |
|---|---|
| MD5 | a7b36501040a727ef43511fe9a0dbaca |
| SHA1 | 1e6a713fe303da560b9657c4f5e7363d1ec31d45 |
| SHA256 | 477d38516c6bdfd22bf51c57d8f4203f7e82eae236595ce629b9f0f32629b418 |
| SHA512 | cacd2b0776dd6b8cf415ff3a3c1d4ae2c3bf6077a5660ef61e594c8e13c049946d5e777a0f3e18dfa9a90b1e194c3299a8870f38ba2de7b6fe9a156ebbc4d671 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | f9117eee618ab2f518669fc9e9ac0b69 |
| SHA1 | e46b8ca88d18838e0c13d41f73e3efbb9440e350 |
| SHA256 | 2e5f1564c70b9bea81e670441d620319cfb53b6bc75e08ed4c18c648478a0037 |
| SHA512 | eaa194082870ea6696f1cfe8ebb59c15885af97f3772a9f42cafaddc4140024197e90153214f737c5697beb52e775a452bd26e2d4056a265701f81adb1b7d6cf |
C:\VidZJ\dobxec.exe
| Hash | Value |
|---|---|
| MD5 | 610beb5362d8d8db9524db27adc0926a |
| SHA1 | ae038f05f035a57afbc9dbb6c0ebd2ba51f4a5b3 |
| SHA256 | 51326ed0d9fe9ad18166b61b197e785c3b8e533c1bceb41b4ba58b920c276615 |
| SHA512 | 01067b9b88f29d1244d666393b22d469135a346afedb571694f25703495081ed00fd69d3dab0c0e94eb5122a261c82dfb10c7c98a4b73b66694b6f7cceef6860 |