Analysis Overview
SHA256
d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616fa
Threat Level: Shows suspicious behavior
The file d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 23:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 23:05
Reported
2024-11-08 23:07
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\AdobeIS\xdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIS\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintH1\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeIS\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
"C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\AdobeIS\xdobsys.exe
C:\AdobeIS\xdobsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeIS\xdobsys.exe
C:\AdobeIS\xdobsys.exe
C:\MintH1\bodasys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintH1\bodasys.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 23:05
Reported
2024-11-08 23:07
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvIP\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIP\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2Z\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvIP\adobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe
"C:\Users\Admin\AppData\Local\Temp\d303fdd4340db151b337df51fb2be50672c6ba6949d4d0625eb73304665616faN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\SysDrvIP\adobec.exe
C:\SysDrvIP\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvIP\adobec.exe
C:\KaVB2Z\dobdevsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVB2Z\dobdevsys.exe