Analysis Overview
SHA256
fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3
Threat Level: Shows suspicious behavior
The file fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 16:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 16:58
Reported
2024-10-27 17:00
Platform
win7-20240708-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\AdobePE\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePE\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP7\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobePE\abodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe
"C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\AdobePE\abodec.exe
C:\AdobePE\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobePE\abodec.exe
C:\MintP7\bodxsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 16:58
Reported
2024-10-27 17:00
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
107s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\Adobe5F\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5F\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZ8\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe5F\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe
"C:\Users\Admin\AppData\Local\Temp\fc96c3bf1400fdb4fbb1b0cdd175db36baab9bdfc3755608df562ff0693c46c3N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\Adobe5F\abodec.exe
C:\Adobe5F\abodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Adobe5F\abodec.exe
C:\MintZ8\optidevsys.exe