Analysis Overview
SHA256
3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4
Threat Level: Shows suspicious behavior
Verdict for 3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:58
Reported
2024-10-27 22:01
Platform
win7-20241010-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvSY\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvSY\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidTK\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvSY\devdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe
"C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\SysDrvSY\devdobsys.exe
C:\SysDrvSY\devdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | dcbc682e0b9338a710bb34de6dca48eb |
| SHA1 | 3e0419f127e239bc3ca462d7c27a4ea47e5cddf5 |
| SHA256 | 9b4fd6e9a9b2197f7fd3af4a96f018a0a67a5ad1bc7c3a2b2fc94c45048f816f |
| SHA512 | 72abab34ca5dbba365175d89d8ca3aaddfb203d4c05f2d5c6d5d1fd93667885cb453908914f130eee0044aa188fbe09bf84e764292504028505a240920feffe1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f9080b5956d22eb2bb914686f54f4e10 |
| SHA1 | eb96a166ee88d865af7f74465bed35f232c56582 |
| SHA256 | 1ad69a282a05146d7c58344b17c65603006805177b33c4e7da1151db4cd83c48 |
| SHA512 | 2dd3497039056913ffe57c7adb3d01f6abae6998441d9bf4b5773fc0397e64a240cf56aaabd3e2e3bc8a426017624c0bed1924371df0fc992d5c9fb353589e80 |
C:\SysDrvSY\devdobsys.exe
| MD5 | afcd52a65cda6f20e04a3cf39d7c2b90 |
| SHA1 | 2793f5873a27d9a459e755d6a623ef228188cca9 |
| SHA256 | 2412b35126798686cf7036a9c29d770580355f2ca59f35e21c3498117555a341 |
| SHA512 | b10110df44fb4a0098abc3a0682cf627c17d8671f8b50596762f3b877c29e97462f46f82c037903a105b166f10e445e1cd5c2ed68bef5db8f5e7feaed77dc947 |
C:\VidTK\bodaloc.exe
| MD5 | 0d80c026ff7217667d1758553c9b1b94 |
| SHA1 | 14d1f220d41220a37e1c0a894bbcc390e238adac |
| SHA256 | 3e19dbc8a98353863030300221ed12d9467946007da720ddec917a2b170c54b8 |
| SHA512 | 5668dc066d36fdac6fc594b3bd11041af417aa62285919777cfb3602fe018599d010c464467465c525804c7e0b501ae6ee2fc1bec049267f5e18bb39d0aae82a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d91d2b27913867aac6028beccc86855d |
| SHA1 | 37525a47baae861348974b009ac933ea606bb955 |
| SHA256 | 2467ae7129aec0284210b067f485a6c212e80ca35b43c59932eddb4206004b1d |
| SHA512 | d6194b95e739cbcf4cebd70556ca347ab4c9351ab8990289afbc7104117d0368b299a08076b57fc85636bdb43c04d69d4bc1a07ba7e5b5120ac29be3a033df36 |
C:\VidTK\bodaloc.exe
| MD5 | f9e6a0eafdb80ac05a0fed958493badd |
| SHA1 | 6c16c0ca9a0c00b4fa5c9e9c7292adc8357b0928 |
| SHA256 | e5ed54e5acd36a446993c0987d548a899a31e1b75cc540ecee3b270d7ce8121f |
| SHA512 | ea95820a68e4da79b39cb289eb181501fbb6c61e6b59ed8e6f0893fc20456568bcaed9993a3fad4f6998af1173c9f4348ef8ad26e797d076f8e9d22da9179e25 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:58
Reported
2024-10-27 22:01
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\UserDot2I\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2I\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxL7\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot2I\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
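The persistence rows in both detonations above, turned into normalized indicators by an added Python example (not part of the sandbox report). The SAMPLE_ROWS are copied from the behavioral1 (win7) and behavioral2 (win10) signature tables; the row layout, the KNOWN_ROOTS list and the scoring rules are assumptions of this example, not the sandbox's own logic. What it surfaces is the pivot a hunter wants: the dropped file names and directories change between runs (sysdevdob.exe and C:\SysDrvSY on win7 versus ecxbod.exe and C:\UserDot2I on win10), but the Run and RunOnce value name Parametr is the same in both, so it is the more durable thing to search for across hosts.

```python
"""Normalize and score persistence indicators from sandbox signature rows.

Added example, not part of the sandbox report. SAMPLE_ROWS are copied from the
behavioral1 (win7) and behavioral2 (win10) signature tables; the row layout,
KNOWN_ROOTS and the scoring rules are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample input: (signature, description, indicator) triples.
SAMPLE_ROWS = [
    ("Drops startup file", "File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"),
    ("Adds Run key to start application", "Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvSY\\devdobsys.exe"'),
    ("Adds Run key to start application", "Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidTK\\bodaloc.exe"'),
    ("Drops startup file", "File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"),
    ("Adds Run key to start application", "Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2I\\abodec.exe"'),
    ("Adds Run key to start application", "Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxL7\\dobaloc.exe"'),
]

# Sandbox-style registry write: \REGISTRY\<hive>\[<sid>\]<key>\<value> = "<data>"
REG_SET_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\'
    r'(?:(?P<sid>S-1-5-21(?:-\d+)+)\\)?'
    r'(?P<key>.+?)\\(?P<name>[^\\]+) = "(?P<data>.*)"$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r'\\microsoft\\windows\\currentversion\\(run|runonce)$')
STARTUP_DIR_RE = re.compile(
    r'\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$',
    re.IGNORECASE,
)
# Top-level directories an auto-start target is normally installed under (assumption).
# A target in any other directory directly beneath the drive root is scored suspicious.
KNOWN_ROOTS = {"program files", "program files (x86)", "windows", "programdata", "users"}


@dataclass(frozen=True)
class PersistenceIOC:
    mechanism: str             # "run", "runonce" or "startup_folder"
    sid: Optional[str]         # owning user SID for HKU writes, None otherwise
    value_name: Optional[str]  # registry value name, None for Startup-folder drops
    target: str                # executable that will be launched at logon
    suspicious: bool


def target_is_suspicious(path: str) -> bool:
    """True when the launched executable lives outside KNOWN_ROOTS."""
    parts = path.split("\\")          # parts[0] is the drive, parts[1] the top-level dir
    return len(parts) > 2 and parts[1].lower() not in KNOWN_ROOTS


def parse_row(signature: str, description: str, indicator: str) -> Optional[PersistenceIOC]:
    """Turn one signature row into a PersistenceIOC, or None if it is not a persistence write."""
    desc = description.lower()
    m = REG_SET_RE.match(indicator)
    if m and desc.startswith("set value"):
        run = RUN_KEY_RE.search(m.group("key").lower())
        if not run:
            return None  # a registry write, but not to Run/RunOnce
        # The sandbox prints backslashes inside string data doubled; fold them back.
        target = m.group("data").replace("\\\\", "\\")
        return PersistenceIOC(run.group(1), m.group("sid"), m.group("name"),
                              target, target_is_suspicious(target))
    if desc.startswith("file created") and STARTUP_DIR_RE.search(indicator):
        # An executable dropped into the per-user Startup folder runs at every logon.
        return PersistenceIOC("startup_folder", None, None, indicator,
                              indicator.lower().endswith(".exe"))
    return None


def extract(rows) -> List[PersistenceIOC]:
    return [ioc for ioc in (parse_row(*row) for row in rows) if ioc is not None]


def shared_value_names(iocs: List[PersistenceIOC]) -> Set[str]:
    """Value names reused under more than one user SID (here: across both detonations).

    Dropped paths differ per run, so a name that survives across runs is the
    better hunting pivot than any single file path.
    """
    by_name = {}
    for ioc in iocs:
        if ioc.value_name:
            by_name.setdefault(ioc.value_name, set()).add(ioc.sid)
    return {name for name, sids in by_name.items() if len(sids) > 1}


if __name__ == "__main__":
    found = extract(SAMPLE_ROWS)
    for ioc in found:
        print(f"{ioc.mechanism:14} suspicious={ioc.suspicious!s:5} {ioc.target}")
    print("value names seen in more than one run:", shared_value_names(found))
```

On a live host the same two checks translate directly: enumerate HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce for the value name Parametr or for data pointing at a directory directly under the drive root, and list executables in each user's Start Menu\Programs\Startup folder.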
Processes
C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe
"C:\Users\Admin\AppData\Local\Temp\3ad1bb5a3930314fdc8ed017bf5d0a9e96c4276a1454148d7c4bb63a6d525aa4.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\UserDot2I\abodec.exe
C:\UserDot2I\abodec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | b0f3421e9a2188f8bbdc15998c1d4a0a |
| SHA1 | e4b7c379f4c52d1d1ea11c8ddf2d8679463fa6ac |
| SHA256 | 9aa77f6571438d76e9abe6cae84c965869200bba9dfde705c16b88d37ed966b2 |
| SHA512 | e21469525ea202c0298c1fd4ac8941a629dceaca660dec609c46db0b314fc34add016c2b7174466800b70697444c9d11d9f3f5080eccb1521ca6d99b5963810c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 08098a81714cc289cfd19d5b6bb6b472 |
| SHA1 | 37b3f6cb88cba3f32b922a75838f5a52914f2694 |
| SHA256 | 43f0aaa465f2b64ecc6106ac9780bd374f398fba1d57382ac5e260e9b8c578e3 |
| SHA512 | 17c3a36633d4b033c8207c47c3eca10997cc930b5bb581a04f61dabfac7c1105264b56a4b84c45aaf4107e1bb28d791c5c0087eaf5fcd985e83464ede0f13959 |
C:\UserDot2I\abodec.exe
| MD5 | 0b5e051ef735fb19137363056401d7b1 |
| SHA1 | d775fa7c777fc780d6025ceaf846b4a3768b46a1 |
| SHA256 | 177967ad7f12d919a29b6646670ce178cd15f95708e45b3ea4dfabeea30b89c4 |
| SHA512 | eb0d483be63a8e10f721537e464b61e56bd1aa09eb48ffd0cc177493ecf6ca6fb8c571c3dceaae1efc80cdb274823ce97ff01f480e2826593f48176f11ec9eae |
C:\GalaxL7\dobaloc.exe
| MD5 | c1475306fc074d186fd4c687cfd134f5 |
| SHA1 | de4888f63f4c833f506636828fc923a765ad3e04 |
| SHA256 | 01405ed1255ef73293108582a63ddd1536fc4fb9d7d1316b91f5fdbb272c771b |
| SHA512 | c04e8d29b50abaf030178fbb678e9472c756355a5931d72e83e55932ff95ac51ddb19dceefa2eeaa2b820534602772783e56a51930522b2d51bfbf11da7443cf |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f8e1d493825973ebea41232c26308780 |
| SHA1 | e43516ca16480fea6a3546eaf9dd8f51c2fd3a7f |
| SHA256 | ac7ad5c9b0047d563b7281629dcacaff2afa860612e25bfb76e155527c2737bf |
| SHA512 | f519ffbe71c1dfab526542d0d4992adbf53116d7890ba6a03fabc1e6f1dd3903b1e85a2367571dc0589067f6d86e9b71f7bc65e65fef6ea6b8bf59d70f738433 |
C:\GalaxL7\dobaloc.exe
| MD5 | 5d3ba7564f095960cabccf69302f71bc |
| SHA1 | e2b08048eb9becbff007157473f185db97bb2145 |
| SHA256 | 1ec038062b4402106ee3e601df317e68e8a5276bb40290a72cd7342e819a0550 |
| SHA512 | f0bad994ea25d03d215260fcabce5bbdb9069abfa2b9ab27dec73f81f1491d0b010a393b39e23edcfc8735fcb912ba269bc70baa2bd12a2281060474c7210490 |