Analysis Overview
SHA256
01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3
Threat Level: Shows suspicious behavior
The file 01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 15:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 15:14
Reported
2024-10-27 15:16
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
109s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\Files0S\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0S\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint36\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files0S\xdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe
"C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\Files0S\xdobec.exe
C:\Files0S\xdobec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Files0S\xdobec.exe
C:\Mint36\bodxloc.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 15:14
Reported
2024-10-27 15:16
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\FilesDN\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesDN\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYZ\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesDN\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe
"C:\Users\Admin\AppData\Local\Temp\01fb133a8605929c3495d4619bbf9bc43485a59d6787be8faccc7312e942a4a3N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\FilesDN\devdobec.exe
C:\FilesDN\devdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesDN\devdobec.exe
C:\MintYZ\dobaec.exe