Analysis Overview
SHA256
8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29
Threat Level: Shows suspicious behavior
Verdict for the submitted file 8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:04
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:04
Reported
2024-11-09 23:06
Platform
win7-20240708-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvFY\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFY\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6Q\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvFY\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe
"C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\SysDrvFY\adobloc.exe
C:\SysDrvFY\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | 21e61918914be7c51b1001a1aa01247f |
| SHA1 | ab0c77e7c901a6d12c700cb1e892f56875da69e6 |
| SHA256 | 72f85c4236819470b5f323cb6c51460f2a55d4afd7f95c369080fb2746ff0427 |
| SHA512 | c9b75f628c49d8ff5bc5b5e8c517df49662335f55444262bd52fd19d05c3e92fc2e8163d56ba9bc44a6be7234a9a72916e6bf22f734c4e6de85bc598fa823d5e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e6e7d2463fbb62670de256a604648ac7 |
| SHA1 | c14a7126b586527d373d9205f95156cea027c18c |
| SHA256 | 80d02d3b10ffd00019aa318faf65bfe0fac24a8843c7a77ddd4d257c9084da19 |
| SHA512 | a93a35255ac6d0ec363f89bc5c77cb18f5a630622e3efc558e31e90271be2d9661ad8947b4e894d62c7486371bc917218a8c871961b63bcd46c8ebdb70652955 |
C:\SysDrvFY\adobloc.exe
| MD5 | f41d433527a36bf45900dea6f89848c2 |
| SHA1 | 3dddd5b4cb0c8970a76464ed84488224eadc1463 |
| SHA256 | 7bc0fadebfd20af52e5507be3c1f54dbac8ed072cb80a28c58c881d1c54f8c46 |
| SHA512 | 5d76135d7a8856a6896c9aa3629d25b72ee75630a5dce42594f917a75134b178ab9028195008442ba5b584b56a00f7f9831795e8f7aa164e839e8ff45e3578b7 |
C:\Galax6Q\bodaec.exe
| MD5 | 518cb9c5d81757737682aaf7f342aea8 |
| SHA1 | 61f65a92ab64196dcf7d99b9c69e12a1f3639a16 |
| SHA256 | f6743d7572cb329fecf5ea57a8a55106edc8602e67286b1424b6228185ccd2a5 |
| SHA512 | aa004c526393afd31a5baedb3bf3654078494902f8ac64217aef867f7c5f0197939b42dc3ae11b8b000c8ad60613412260ea4f96c4a7e05dcd3559566916bc6c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 99481a3336a1b667db5616b880fde418 |
| SHA1 | 577055b017b4cb46d87c9dd92af6b583fa0b8840 |
| SHA256 | 1c4cacfa1b51f5a59dd7cbbbc6ab25c7f7463d80e3ace310dddbdf5bf5694b41 |
| SHA512 | 390e84ddd9adfb58c94689c9f0a7f4bffa6c1f0484bcb94b874e96e06445e0e0162e780f7e54f2ee61dfc6f666bd8f4c75196ad0ba7ee2c2d3b5189d3ee81a2b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:04
Reported
2024-11-09 23:06
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\UserDot2X\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2X\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ62\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot2X\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
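Across both detonations the sample persists the same way: it drops a copy into the user's Startup folder and writes HKCU Run and RunOnce values named Parametr that point at executables under freshly created root-level directories (C:\SysDrvFY, C:\Galax6Q on Windows 7; C:\UserDot2X, C:\LabZ62 on Windows 10). The directory names change per run while the value name and the layout do not, which makes the registry rows the better hunting pivot. The following triage helper is an added example, not part of the report or the sandbox's own tooling: it reads indicator rows shaped like the signature tables above and flags autorun entries whose target lives outside the usual program directories. The ATT&CK mapping to T1547.001 (Registry Run Keys / Startup Folder) is this example's own; the report itself names only the Enterprise Matrix. The OneDrive control row and the allowlist of trusted root directories are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Registry autorun locations as the report renders them
# (\REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\<name>).
# Case-insensitive because behavioral2 renders "SOFTWARE" in upper case.
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE
)
# Assumed allowlist: top-level directories where a legitimate autorun target normally lives.
TRUSTED_ROOTS = {"windows", "program files", "program files (x86)", "programdata"}


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK mapping chosen for this example: T1547.001
    location: str   # "Run", "RunOnce" or "StartupFolder"
    name: str       # registry value name, or file name for Startup drops
    target: str     # executable that will be launched at logon
    process: str    # process that established the persistence


def _target_from_value(raw: str) -> str:
    # Value data is rendered as "C:\\Dir\\x.exe" (doubled backslashes), possibly
    # followed by arguments; keep the quoted path and collapse the escaping.
    raw = raw.strip()
    m = re.match(r'"([^"]+)"', raw)
    path = m.group(1) if m else raw.split(" ", 1)[0]
    return path.replace("\\\\", "\\")


def _root_dir(path: str) -> str:
    """First directory under the drive root, lower-cased ('' if not an absolute drive path)."""
    parts = path.split("\\")
    if len(parts) < 2 or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return ""
    return parts[1].lower()


def triage_autoruns(events):
    """Flag persistence via Run/RunOnce values or Startup-folder drops.

    events: dicts with 'description', 'indicator', 'process', one per signature-table row.
    """
    findings = []
    for ev in events:
        desc, ind, proc = ev["description"], ev["indicator"], ev["process"]
        if desc.startswith("Set value") and " = " in ind:
            key_path, value = ind.split(" = ", 1)
            m = AUTORUN_KEY_RE.search(key_path)
            if not m:
                continue
            target = _target_from_value(value)
            # The signal is a target outside the trusted roots (C:\SysDrvFY, C:\Galax6Q, ...);
            # vendor autoruns under Program Files are left alone.
            if _root_dir(target) in TRUSTED_ROOTS:
                continue
            key = "RunOnce" if m["key"].lower() == "runonce" else "Run"
            findings.append(Finding("T1547.001", key, m["name"], target, proc))
        elif desc == "File created" and STARTUP_DIR_RE.search(ind):
            findings.append(Finding("T1547.001", "StartupFolder", ind.rsplit("\\", 1)[-1], ind, proc))
    return findings


SAMPLE_PROC = r"C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe"
SID1 = r"\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000"
SID2 = r"\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000"

# Constructed from the report's behavioral1/behavioral2 rows, plus an assumed benign
# OneDrive Run value and one unrelated registry event as controls.
SAMPLE_EVENTS = [
    {"description": "File created",
     "indicator": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe",
     "process": SAMPLE_PROC},
    {"description": "Set value (str)",
     "indicator": SID1 + r'\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFY\\adobloc.exe"',
     "process": SAMPLE_PROC},
    {"description": "Set value (str)",
     "indicator": SID1 + r'\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6Q\\bodaec.exe"',
     "process": SAMPLE_PROC},
    {"description": "Set value (str)",
     "indicator": SID2 + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2X\\xdobec.exe"',
     "process": SAMPLE_PROC},
    {"description": "Set value (str)",  # assumed benign control
     "indicator": SID2 + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
     "process": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"description": "Key opened",
     "indicator": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
     "process": SAMPLE_PROC},
]

if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_EVENTS):
        print(f"{f.technique} {f.location:<13} {f.name:<12} {f.target}")
```

The allowlist is deliberately coarse: anything launched from a directory created directly under the drive root, or from a user profile, is reported and left to the analyst, which is the right default for a sandbox verdict of "suspicious" rather than "malicious".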
Processes
C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe
"C:\Users\Admin\AppData\Local\Temp\8fa62b6169a90c39367be87181f317bcb908d675754a910c34199197c9543f29N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\UserDot2X\xdobec.exe
C:\UserDot2X\xdobec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
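The only network activity the Windows 10 run records is DNS to 8.8.8.8, and every query is a reverse (PTR) lookup; the table lists no connection to the addresses being resolved and no originating process, so these rows cannot by themselves be attributed to the sample. Turning the in-addr.arpa names back into addresses is still worth doing before deciding what they are, since the octets are reversed. The helper below is an added example, not part of the report: it decodes the PTR names, validates them, and returns the addresses for which the table shows a reverse lookup but no matching destination. The row list is transcribed from the table above.

```python
import ipaddress
import re

PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE
)


def ptr_name_to_ip(name: str):
    """Decode an IPv4 in-addr.arpa name to dotted-quad form; None if it is not one."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    candidate = ".".join(reversed(m.groups()))  # octets are stored least-significant first
    try:
        return str(ipaddress.IPv4Address(candidate))  # rejects octets > 255
    except ValueError:
        return None


def ptr_targets_without_connections(rows):
    """Addresses that were reverse-resolved but never appear as a destination.

    rows: dicts with 'destination' ("ip:port") and 'domain' (queried name).
    Returns the addresses sorted numerically.
    """
    destinations = {r["destination"].rsplit(":", 1)[0] for r in rows}
    resolved = {ptr_name_to_ip(r["domain"]) for r in rows} - {None}
    return sorted(resolved - destinations, key=ipaddress.IPv4Address)


# Transcribed from the behavioral2 Network table (all rows: US, 8.8.8.8:53, udp).
SAMPLE_ROWS = [
    {"destination": "8.8.8.8:53", "domain": d}
    for d in (
        "8.8.8.8.in-addr.arpa",
        "88.210.23.2.in-addr.arpa",
        "149.220.183.52.in-addr.arpa",
        "67.31.126.40.in-addr.arpa",
        "95.221.229.192.in-addr.arpa",
        "133.211.185.52.in-addr.arpa",
        "212.20.149.52.in-addr.arpa",
        "18.31.95.13.in-addr.arpa",
        "172.210.232.199.in-addr.arpa",
        "30.243.111.52.in-addr.arpa",
    )
]

if __name__ == "__main__":
    for ip in ptr_targets_without_connections(SAMPLE_ROWS):
        print(ip)
```

The lookup of 8.8.8.8's own name is the one query whose address also appears as a destination (the resolver itself) and is therefore excluded; the remaining nine addresses are the ones to check against the Windows 7 run, which produced no network rows at all.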
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | 4d775589215b2a4cfc4fd38fd758288b |
| SHA1 | 06298f07cfbcf7fb2ec283815dd95131b83fb23f |
| SHA256 | 4ec8a3bc3d7511be4270bcfc0507fb676cc57273f1e948ef0c9232e2441dfec7 |
| SHA512 | 540f0cc816aca5eea45568915a565287624ddacff0128fcd92d23d74ed41107fb97f4fbc95adb9b8c8c0786699561b4883d85526de52ff2a6bac4917042888dc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 376974b9f582cfddbf3fd323a3a17ad1 |
| SHA1 | 9275c250ebf70d05a0ff5bcb5aa54ac4e7185520 |
| SHA256 | cf09774945bd55f83a346a6aee331a7b546ae3f0301574895c1e12690dc454d2 |
| SHA512 | 9111eb7c2248858aec0c0d8789fef4ce433793541944fc5145ecfb557b5f33d789ae24bd51979a6f63d6ebc30539a48ed4108463949add8e6de51fa39581d9f8 |
C:\UserDot2X\xdobec.exe
| MD5 | 42755095cdd98ec117f0cff2621eb3f5 |
| SHA1 | b1630d5ca1f59ce1bf4f9711dc59d1099710c38c |
| SHA256 | 9ffc30167a5b15aa5b4c0d377902e952f3fde4828ed03855c92ab09d4eec61d4 |
| SHA512 | 553ee884de6fe4c86b778ff2ee8b77934a8e80aec4cf4924276f62351be05ab82445fa3dbc6cf379fec8f26601b19493b8f7aec0cd06af9910e3ff9f5a57c9a2 |
C:\LabZ62\dobasys.exe
| MD5 | fc69121b6c579861ef492732f3dac3dd |
| SHA1 | 7f449b75bf14917bb846d633efe2e47bc7d6ae7d |
| SHA256 | a562b614e9d33261851d1d27f4adba43b187b657c6da0a41f9c6dfce07566849 |
| SHA512 | 0810222c1568cdb945cf40778ff8692231a7db8e2616176c738cc0f1cc3574fbe40bf4a2b8bfa700f7c5375e315d9e937d05d5b260ebf7dc5fd0ee11924af1f1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0bbd72e1de8cc8c58334e235002667fb |
| SHA1 | 7e8cc50fe7719d0bee50cf5bbdc922c8cebf8e35 |
| SHA256 | b0bfb845807497e2bd29831d47e6fd7ecaacbd68550224cebbab4cc3e9d5520e |
| SHA512 | dafa35ba04fe844a9697b489aebdd18a6a3354f7fdd503a5c39bfd1b9139a1218f5ff97383fcc7c6aa954d25ef79573d8a4eeacbb5208cc024db5a9a0e6236a5 |
C:\LabZ62\dobasys.exe
| MD5 | e805843c4498dbcc51ab96e8597bc637 |
| SHA1 | 2a7745ca8d10c834ed458d19721d8ca610580240 |
| SHA256 | caf4b281149fac682a6b0cbb84e8b794361d72c560732fe6559766b3221cfb0d |
| SHA512 | 5e45aca3be77d25125ab4fc982b5762921c489057821e5a9a0b1fc7cab9b80dd58fc9893726e493984a6578b0a3c06399efe63742896946cc54c552ea47bea75 |