Analysis Overview
SHA256
f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3c
Threat Level: Shows suspicious behavior
The file f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 12:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 12:45
Reported
2024-11-08 12:47
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocBH\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBH\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBZ\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocBH\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
"C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\IntelprocBH\xbodsys.exe
C:\IntelprocBH\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| Hash | Value |
| --- | --- |
| MD5 | 9c3cbbe72db06f2fe9e03a7835194c86 |
| SHA1 | 2960265378ad54c4ef65a75e0351bb9c9a4e1204 |
| SHA256 | 57bf6c092a7b8f76f39579b99e988937f45075598c0632bbe6333d3dc558bf45 |
| SHA512 | c9e1dcd006734a62740331448ef338d161e847d280bce5b7639d4de7c240442600e5becfce16330792ca3551820ff5de3c6af5a01ba8f501a2ee37adfade403b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 55e0dbfa6eff772945c470db86c29055 |
| SHA1 | f76162df69191c8f7d193f3fe114225162b435aa |
| SHA256 | b03ba3c418a57c8c295475e0218ff8acbc8a415f81ba27ed9374881db1811aa9 |
| SHA512 | 542a9a8b949511bf2ed1e33b6c040036634d4feb06f60090348825ee2a021f7b2212462dda115d0693cea4bad0d44d4af1710225b017a112f02e988bb161386c |
C:\IntelprocBH\xbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | fbe3105945c809e8bf6e00f7fef8ce54 |
| SHA1 | e4b4b6a33f2126392c845abd1669f10511f5c42f |
| SHA256 | 588c56e8f6a9d537a5bc2c80903c4b2fdfd2efb06c55c8a6c1e1039a485fae2d |
| SHA512 | 50cbba09c9369cf432e58eac2131517db247d9a0625def1f06f2359a45a2015fe879017f05ad29c35b344e132039515dfda1d9d5a69c9cf07dc94b14c9bd5a79 |
C:\GalaxBZ\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | a23f73456cf57f6942ff1fe1441b4cae |
| SHA1 | 2dc6db7f1898ce8fe16042906a0cca3004bcc464 |
| SHA256 | 46a4a60f35788c824b4899fe1e178c160bc9f309a484bca43fa7273c2806a411 |
| SHA512 | 862f33ca57f221b0f66a5fe456eff7a2deab22c377d53af64984166a25ef631f136997e8e3f4ab64cd0c55a335e2ea69edcce5dbf987c795617883b972d8bbb4 |
C:\IntelprocBH\xbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 678c88b8f84541a82ed965c60b03fa2e |
| SHA1 | 6ad087048da401e43a73cd2611db275a98523223 |
| SHA256 | 980eee12aa3c1f8f2051b5db18c345c86d53ce08d734905d404f8351413a9427 |
| SHA512 | 399764b3aa81f4bf790cf7d71dbdc1d99600e7eb2edf49b327a479f7125c2bb369860cf9fefde8961c35deaf8bd4b587726dd0c53b6f8ad84ada5b3f4b166126 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a2c8139958833a967304ac5f05b8908f |
| SHA1 | 897c56e3e6ea8df50be483e6d1d38daa09bd17a6 |
| SHA256 | bdcf91815db69460eea86e529a99b2da9ad2699808e15a71ecb5c6283e8b892d |
| SHA512 | 3729b1d1d71e2719f6543b5e2bf65dca3495801df2cf4307016e06ee79e4b800db7db8e626ab4dc90a907d35054b7190959f93153b7ae3706e203ae8abcd6a62 |
C:\GalaxBZ\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 5bbbccac963520a478f51eb3417ffd9c |
| SHA1 | ef7d8f00495c497203c639c8f8533db933124f3b |
| SHA256 | 7e4c897d5c957374ce2b5f609de037ca456829f91352347ba0c308f02edf06b8 |
| SHA512 | 4550b44ac7aa5db140bac24d740da9f1fc59f93188770ecc18d94a52d700d20a4d3b8d19f82626688263cfa0b6e4439ef8854f20689c800ccbcf21ae1b934c97 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 12:45
Reported
2024-11-08 12:47
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\UserDotMC\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMC\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZG5\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotMC\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe
"C:\Users\Admin\AppData\Local\Temp\f2dbf915c9dc6ff5cd5e87d5e7c1b59415e49f0204c28d972563469903d2dd3cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\UserDotMC\devdobloc.exe
C:\UserDotMC\devdobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | c0032b5e1e6bb4cd09131791351f1c64 |
| SHA1 | 3beb56afba04d39d660f321b28edb17cab9d23f5 |
| SHA256 | fe56ce5895ea379e18a1e8a8f7c5d9a45f738b3f5594492801c4f616479d4c39 |
| SHA512 | 93d0979667f22fd91b5bfddd24f778824a682997093639dafa923e55355ecd1633d1020019f5b502c7b868e680b5a0c56375bd78cd3bf1ba669520551b4118e9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 0a70ba75a803446a0dd9b69a9d5b8b1b |
| SHA1 | 3bf821b50d0faddbd23199fd84f23da34c3a7cf2 |
| SHA256 | 86b3d5a61a4d865f4494a7e55595644cb96ed83f2854cc578b961a52fbf8ff1a |
| SHA512 | 5623a64e3e57f6792010092aa9058d88a836eb019f019ef491b220e722aa2e68aa83022b63d3cfc618c4e5f6304f77435cab0882d73c0b0e14ff8f44a50f3fb6 |
C:\UserDotMC\devdobloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 12388a1d28c3f73f09d093fa650f55e2 |
| SHA1 | 5d8a98fe71749573fcb94125d182018c18161533 |
| SHA256 | a165cfb9793f8caaad87ca126c94e168f76ab6be0f8bf4562fe9f050672b88c2 |
| SHA512 | aab9b0f407c164d8f1a16280112d977196b966d14297f352597c6e214cc04175f9c0f5f4b9b5bf9ae99b11b704be65a5688cd2db03bdccfab0bafa278d9cc487 |
C:\LabZG5\dobxloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 858c814a6660013bb5ab014a288e8d5a |
| SHA1 | 5b4fcb43a8893e4ff71b817c592ddf2e0945dfbf |
| SHA256 | 15aab088d7b1a73c8cfde4d78f272340e34545f6d593c44082a2f56cb53c5126 |
| SHA512 | 33dbd76747562b75809186a6e8ffa0beffa50b622cd61c7a5c2aa69657b5137fbd17bfa6bd5e235b1ec442482d5fb19fae5261695d933b4db3a3462d13f69c51 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a3ea100a13cbc201a1103478b0eb0f0b |
| SHA1 | b48679f64d4e6f243cf724dc5a427e034b5908c0 |
| SHA256 | fda351f1812515d59aeaef74a2c0f1f6bf1f3bc246f4b5a301aa6aa5aae44df4 |
| SHA512 | 13bb5cd325a4b40aeebfc6426a6717d78f6351f71cccb35e36f3de992f9d3603ccb70cc63ad147c52873ee2fa2bcb8fb9e4ab375bb10399328c0fb66563bbc40 |
C:\LabZG5\dobxloc.exe
| Hash | Value |
| --- | --- |
| MD5 | bae5eb085a9f023b8d36e2a083933bdd |
| SHA1 | c8f3b383d6ce74e8606027a03db4b0ae08c513b1 |
| SHA256 | b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab |
| SHA512 | 93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3 |