Analysis Overview
| SHA256 | 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898e |
Threat Level: Shows suspicious behavior
The file 2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-09 00:06 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-09 00:06 |
| Reported | 2024-11-09 00:08 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 119s |
| Max time network | 95s |
| Command Line | N/A |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\AdobeM4\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUN\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeM4\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeM4\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | "C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe" |
| C:\AdobeM4\devbodec.exe | C:\AdobeM4\devbodec.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeM4\devbodec.exe
C:\VidUN\bodxsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\VidUN\bodxsys.exe
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-11-09 00:06 |
| Reported | 2024-11-09 00:08 |
| Platform | win7-20240708-en |
| Max time kernel | 119s |
| Max time network | 120s |
| Command Line | N/A |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\FilesUS\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUS\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax21\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesUS\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe | "C:\Users\Admin\AppData\Local\Temp\2b57a6b36f0f6f1e714640973ba54d138d63007c0e4b7815337070d2d17c898eN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\FilesUS\devoptiec.exe | C:\FilesUS\devoptiec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesUS\devoptiec.exe
C:\Galax21\bodxec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini