Analysis Overview
SHA256
b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08ed
Threat Level: Shows suspicious behavior
The file b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN was assessed as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:19
Reported
2024-11-09 23:21
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocTC\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTC\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHP\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocTC\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe
"C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\IntelprocTC\xdobsys.exe
C:\IntelprocTC\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | d7c489bcbf933c12099382d72d2447ff |
| SHA1 | ccf6addb13d563bd526dad3acaf0f7910a87ee72 |
| SHA256 | 162eb85e08c0bdfcef66b594e503c91f74c6217627f475b0d9bd7663408f673e |
| SHA512 | ca41c7132add4177398ddf168ec8d0615ac0224e7c108c606b78e8ca1958bd16a1072508ad20a49731cb1836b2acbdf365f070ccd966f72b2107c1f31843e1a2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7422085b6e20515cfc9f991a3fda908f |
| SHA1 | 973fb40e233bed80be0443419bb0620e0af24aba |
| SHA256 | 4e2d3cf3dddd1157884873f42a91fa37c0e379b5d9408baf03bb6f06cdf24454 |
| SHA512 | 1b188bd2cacc2afe2ef0581062269dca815cdd8cd3f0b0590a2d01ba5d2cc5336937da5139da233e5834251004a36f01af5b3fda61893807aec4bd2bcbf81eaa |
C:\IntelprocTC\xdobsys.exe
| MD5 | c0b26001e5f517b16928f2dd5865b690 |
| SHA1 | b38b350db87bff5e1e224bb856c856a655adbbb3 |
| SHA256 | 7e561dae744e747d1e408c8aa48d17a6e5d1167be58ac603aa23fe7cbd0bbbb3 |
| SHA512 | 9d473a8b6ead6ed463f60b76488ccd5e9c493c2b323bdf03ac1331de95b24a8aa02ceab24c0ac340e5f54f2d1c4ced6bb144acb2b646ec68e705c0be061bde0d |
C:\MintHP\boddevsys.exe
| MD5 | a805f51d4cd03aabf5ff60855148b020 |
| SHA1 | ed8d836dd58740d32e2689a9e96b951753b7f15a |
| SHA256 | 994af0515a21ccf70b365efe334ac373885a4128673eaa4ed9ed9f253457edcd |
| SHA512 | 769a0d9a1070f7054fdb4b28a423f60d713ff25f6ca8834094c91c103900478dddc782d1267db49aa946c05ca40ca68b70e07a41092cb646f5a4723656b0bb0e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3cf89be7627b4e7f785f207797a01cd0 |
| SHA1 | c907ca41150126403461c9acd8c00583fda2922a |
| SHA256 | 6901e611bb1f8ebd814233c1bd63949a0bda75f205c933f077b446c56e39be8a |
| SHA512 | 71fd92b3d680a7c7b8e3850c3d9adec4d0dc17712c873c03ff22deec5003af5cfe137eef051c8a11d2ffc3ab52705d763ec11d398ed48f4d7dc826a8ac5ff6ba |
C:\MintHP\boddevsys.exe
| MD5 | 58d9b29ca3319a0146b445aaf33de67b |
| SHA1 | f8b5de46b093ca524b3dfa2f449d9d4bca3dc535 |
| SHA256 | 66abcfa74dbf28e6380de7faa66f52bf36b324e6f8e4f910106c6b72c0c75770 |
| SHA512 | 9da70c0369941664142f4b2eaf45bcf3034a0aab9155298514a9164b97f928e07de31d39fd516760470f24ea130976ab242d085f216bb2fa066331c4a61d0894 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:19
Reported
2024-11-09 23:21
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\IntelprocOH\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocOH\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxF1\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocOH\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe
"C:\Users\Admin\AppData\Local\Temp\b8a3601b2a5de5ee3088a8024ba1a8efb5d0149677646e5a4c2486a3a0bf08edN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\IntelprocOH\abodsys.exe
C:\IntelprocOH\abodsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 725590bccfbab247de630e847a10dc8f |
| SHA1 | d7f1380e00940e802ed6337f80e86f19adf3cac6 |
| SHA256 | b7fa5ee15eac3af5981449af538ada53b49048cacd20019d172aa525512bab82 |
| SHA512 | 38067346e6e7048429800efee7b90455781db4d60699ff90523c296bf019a3714cb68f02d84ca430022f000b44c2c71d13d28d9d75452c8a758cafd6445beecc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7c611d99450c541451a9f90a09ccb13e |
| SHA1 | c035a9155b3db35d0330d0112427ced868a20d06 |
| SHA256 | 91f2a1478b8b92607ebe20de25b9a2c70e845f3ca3cb2f0889e7dc52cedcdf80 |
| SHA512 | 75169645d0e3ee2b50d8ff0b2529d8bf0fa14edafd85838e0aa8b52736cbe4722cb46884057b95f9eb69149337625407d7df4a2424d8840458d1a3f4ee9eb87c |
C:\IntelprocOH\abodsys.exe
| MD5 | f9df0d601a147af3df7da3bf0c026680 |
| SHA1 | 064f9b5464bb372d9adb13f97c74a2fb7f7f412d |
| SHA256 | e965c3c24e0dfa9b89b50d7c2e007a557312103c8a7e0acdd99ae6dd5c4310ef |
| SHA512 | bd37944742dd00bf2770600f5c3efc4f8fe282fbf4ad44757843219002e14f4be66953fa0d7ee30d73bbd762bb8fd8f986d3183ee1eac356162fa24998787826 |
C:\GalaxF1\optiasys.exe
| MD5 | 38fc72907cfc600276836749bf80b23f |
| SHA1 | 65c303304ece5c05f3df5db47eb5750c9497794b |
| SHA256 | c7fc762fb0c997e85b4564ecb4a4cf05cb37dd190a354919374d09224caa799a |
| SHA512 | 1569687d18a61fc6f85905cb0a2ea55a6fcd5a9a502e693db654593e2c8292c88d9ba6afcafaf0349ebfc0626d97fae154744bd5637728db37e66d726d7c1417 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 902f479d074e2eeab149febd3171ad46 |
| SHA1 | 0adbe8823e35a6594064cf3649aff1b8e6507350 |
| SHA256 | 198c5ca49eaefa7d308122d4f49adcae535b3d73ca0b0d75c4d21835e89a6c28 |
| SHA512 | 2795061c8a0038bff58b584960f89343322701ea9aad35880cba7c7912ed4d91584c8f8949507fe5ac2d830e0014a35300a7445d07bb273a2b0dd7a5b8ea8c6f |
C:\GalaxF1\optiasys.exe
| MD5 | a86336805b3d53c18600c251ef3cfa32 |
| SHA1 | 69594cfc6347aa438b9319dfca41704cf4607aa6 |
| SHA256 | 8f668b87e4832b3682e49e6eea02d09a2d52047043f9b41e1307714539fe88e5 |
| SHA512 | 2289aa68a1720b6b54b1913d01bb230aec97ab071f17ff538689c6b271251aa3ed7892701d4e16f229faf7c3ae3b844cdb8bcd576a87134fff3c03d46ec4bc93 |