Analysis Overview
SHA256
0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59
Threat Level: Shows suspicious behavior
The file 0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:07
Reported
2024-11-09 22:09
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\IntelprocKT\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKT\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQZ\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocKT\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe
"C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\IntelprocKT\xdobec.exe
C:\IntelprocKT\xdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| Hash | Value |
| --- | --- |
| MD5 | eab1f78b2ff057c09ee773b8a285a082 |
| SHA1 | 4c3c13d798768f8c377fd6826f1d9c15f48a16ab |
| SHA256 | dee4e7d5b3ca361087cc43f23d4a70ed7fcf179a802f4e51b3162c662887c497 |
| SHA512 | ce094bfef6be130e4bf6248f2baa4ba0e0d17afd339baa357c7f7b4cb51505d1caccacb8b97c45c712615a0ad13924ffa8e81d8dcbc999a7fce672256c30101c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 06f370af9732cf665d6651dd6ce5335b |
| SHA1 | 7568d18c536f61f43f605c68d4b507e16653a50d |
| SHA256 | 0be0d0e1cb370e91241c36d888f54dd3b904835fdb468ff059dc700cb278b7bb |
| SHA512 | 0fc39da54e812487b65df904d850aa936773d9dec00677b23ad533538e582cec7b46762eb2fc44928982b82548e7c769b513e2c4bf08fc824b62ae15a8e9262e |
C:\IntelprocKT\xdobec.exe
| Hash | Value |
| --- | --- |
| MD5 | 014b9c0e00168cbc5c9505dad61af5a8 |
| SHA1 | 07a164b42954ee1a9eeb8820db6d4cfef21f0a5b |
| SHA256 | 73fbe9e55f4fa9b00eaf153b892de3c27b9a56250cc12960cb6230105e731f91 |
| SHA512 | 4342a350502be033fee7b7ad3854d6ee386a8cc63f6496b43469b3f13d160911b036530989a2b4bb56535b544c286b6e2a490b08174e627ba32fa50b1cbcc203 |
C:\VidQZ\boddevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | ea473a4e5d06f95bea9d2ef801881574 |
| SHA1 | 27c05b25df23bbfa2f392c1373a1a39ae10afd50 |
| SHA256 | 05f28f249c37be88bee29267ce07f43ba550cac8415443f5cae2e266bf35cb46 |
| SHA512 | 1ea9e8a42dc06178852c07c8af0371ff74b69a8ae89ad241dd9c86e917697fa252439278afead13bf0d35e9e87f453c1a487c62cd84c597d3105f7c2ebbf12a3 |
\IntelprocKT\xdobec.exe
| Hash | Value |
| --- | --- |
| MD5 | 5fd748fe6df0532b25af8962a264f41d |
| SHA1 | 46227d1a6b261b0b127f94d1c58f2578dcb663ad |
| SHA256 | ddbc1e9e3fe23651bf9eb6c5ad92b9fc23b20a46ca9ad4a7f14f0d03085d0c8c |
| SHA512 | 35c145fab05a8d653a0b8355257d0a8fa76dd92ac234d3348764e648a1f6baedf0e887214c68c295997939be35b9153f20ff0824362b70a2a5f69f5ddfa2fd3b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | ee0d2f62646a71604426b21aef165618 |
| SHA1 | e2824c3e249f0a84d7426f7e223b5e858270a1d2 |
| SHA256 | 490214d5c66986af042293eb9e8cc518a1b8a8097b9e529e14262082ae9a20cb |
| SHA512 | f5c1d26193adbf42d0f066f743a9dc5460c3826103f2773bc2343e7692e12c81b24c2c727e22ca8e6ae7fbcff7afecf370ab2f23e59ce4de2fa402e0ed340baf |
C:\VidQZ\boddevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | d94162cd3838258ebc17657efb30a843 |
| SHA1 | ecb22c5c490cacd0242e279426b3687c76089efa |
| SHA256 | b86981097bff025396725d69c76653be0ca165c6a660aa98a321d56a16cf8237 |
| SHA512 | 6e190bd4d12bc83c2b380dc79225c0298850cb3579875fb585ab6070b920b574d4247bfd3c327350b7a1b4a4e17eb5cae643857152fe23c3ce15a602303cae91 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:07
Reported
2024-11-09 22:09
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvXR\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXR\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUP\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvXR\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe
"C:\Users\Admin\AppData\Local\Temp\0789840d138c11384ff7595341e8b0ac09cf0bbad91bf16986880ddd34a2cd59N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\SysDrvXR\adobsys.exe
C:\SysDrvXR\adobsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 553835690e907137424c12630eb73b38 |
| SHA1 | 1e6e0e19aecc68135eea2dc45f8788da4c85f278 |
| SHA256 | 1a6b9af9b703790c5a9959b3b197e26afa54fc5d09b782a74127a4275ce1796d |
| SHA512 | 9f6c97567df488c779a192d4ae080da020ab9e090c48adef0f9e4dd0d26bb17bb36a8016769e8474494f40dd9d1062aee2e8782621c2d169372b2c24d3a09dcf |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 66b04b44a92d6918b06abfb11be9bc2a |
| SHA1 | 087e4b7777e375ff172d5cf2bfe21b2cc53da145 |
| SHA256 | b6d472f373a01a104854b003275074dc7da8c14ae9dc3045f0956c3d1a950ca2 |
| SHA512 | 42465af00fb39e14e851d8d5b5193c40cf745504d45385c18236e859109d7a31bc0b5541f0e947588af3d45397d6839beeb0d36e75e199f0f9f294f5a6d57ac6 |
C:\SysDrvXR\adobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 5abc15c7ae356cd3f21728c42c9d4360 |
| SHA1 | 9e285e3a3f78855dd7432a887682fe6a79be3ecf |
| SHA256 | 90bd94470b83aa9d5ff4761cf772fb20780e79114428a429d6ad113f9725ff28 |
| SHA512 | 6dba41944f998078d17f03a87c9d3ae8f643cd798c1604da599af9df27eee2e1ea30a06e4fae686579f0d49d4309a9082598bc32e1322b05b831e26164053327 |
C:\SysDrvXR\adobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 0d21912b5903577145e4426f6882e943 |
| SHA1 | aa7fc2094c4f8d7baba9b8ad9f9128783746f220 |
| SHA256 | 1a5cc0e09739b58c9e0a3b83158be2329faee2ae38c7bccd14418c1875697118 |
| SHA512 | 192cbecf3607e7041a54eca1d858f4d8e467c881eee8933f7444548f0bdc3838f8b060317feefc7e99736e777114dfc3296de9d047456c25e32dd3b68ddea089 |
C:\VidUP\bodaec.exe
| Hash | Value |
| --- | --- |
| MD5 | b7db22c0cb3e110be654b681c38a959e |
| SHA1 | 5cfee5d01ed9ad18e7d42b2e417689f3df8fcc69 |
| SHA256 | 177226c38374c822acee1fa64d3b427c6375eab66e5eeda625df01522c57bd76 |
| SHA512 | e284ed7a1a745757cf882fc85a2f6465ac9476ee0f033d104b63ee8acb22b9e19ca36944d940b9251ab620d6193921e014adc93f1aa23c1ca4adf772d072fba3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | e65abe9a9e63bf07677c3a3826d9c615 |
| SHA1 | 899ae64fd14198d7202b2c4ed15c7d42b2913b55 |
| SHA256 | fdef7542fc54cb70452032965f6fb1146b65e907233527c69a77827524a36e35 |
| SHA512 | 8e18798279424c68718faa3629d25d2c2037dc49a52e6bfb541989ad5950d9cbf7defb0fe549751e09dc46c4ccffb26946379eff44031c1fbd046fd5b76b23bc |
C:\VidUP\bodaec.exe
| Hash | Value |
| --- | --- |
| MD5 | 79ad62b0553cf996765efcc3e26cdb14 |
| SHA1 | 522907dda870268d397c9c058976025012c7679a |
| SHA256 | 823f1629cc16031e238c0cea3f4e59e6cfc4f3a1906f49a956b287e3e822800d |
| SHA512 | a1bea316cee7d938f31202e82cb4bc94a9c42dfcde54778e9f3c16d394948c2c1bcc25470129f8bf5afb3bfa6721647ae064ce7eaf2ebcfc9f69c0bdc38f8865 |