Analysis Overview
SHA256
1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0
Threat Level: Shows suspicious behavior
The file 1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0 was found to exhibit suspicious behavior; the signatures below describe persistence, discovery and process-manipulation activity but do not attribute the sample to a named family.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:16
Reported
2024-11-09 20:19
Platform
win7-20240903-en
Max time kernel
150s
Max time network
130s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvY5\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY5\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6N\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvY5\devdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
"C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\SysDrvY5\devdobec.exe
C:\SysDrvY5\devdobec.exe
Network
Files (a path listed twice with different hashes was overwritten during the run; the later entry is the final on-disk content)
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | 2b5e30427ee299541d459b50869a7e68 |
| SHA1 | 22b20d0d32e6a7cabfccdd1982a5437ea667eab7 |
| SHA256 | 95c60506b2e93e796e068b255674df1c6a168f8da3e2546f3c6cdcb5644e8e6c |
| SHA512 | a4e2f4125f149ffd21da2b70148798ff625969f335958275b341dfbed374af34dfa339c5c6592db13ee599ef42d07249e9f8b318485750a09e286770672cee62 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 53042dd46a594493dd1be073cb201417 |
| SHA1 | 088907f3f3c75c8ae7e654b00b598b8ae20c11ad |
| SHA256 | ef69422d0852f478dfffc3a092bfffef71802d9f07ffd9bde327407fc8088b6e |
| SHA512 | c8c4ffc837cf54c9f4206070575472d66786824ca134a608a9bc96a93b2c044f2e7c2070c751fcd5a6e26bf4759ec66533b433bf320511659cf0dea37e1a996a |
C:\SysDrvY5\devdobec.exe
| MD5 | 31f1c6b73049d8dfbcd2d508df314b93 |
| SHA1 | 397770e61453d5079c6ae695a09375da086e6c52 |
| SHA256 | 7d64070726ddbb8d33eb4ed0827756f06b4b4cd3c2f26d309fe300596ef498e7 |
| SHA512 | 992407621276faa43fc94ad2b141d51319d34bf49b861e006d778b29c984b784ce03943f06b187c57fe48afd612913eb0e14050396eed7c014f2147fbae42455 |
C:\LabZ6N\dobdevloc.exe
| MD5 | 58a3f67b7e0547ca04aeeb078b8d3027 |
| SHA1 | 1bfe8e7515ebbc6c0b78f91640fb772b8cfe33b7 |
| SHA256 | 0f35220f56c2c852dbcfae4793d5f6ced83107f180bb8adbff11c8986a9d51d7 |
| SHA512 | 9748dbc6a510d64a9051a5e5a5e23b5c59ee0879cf5d0c49e80126544b794e0d2eb39dd998d2fb3349731e892a76b4dbe978242b13b494d8d9d7322b2a59df4f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | aa8b3c3faa39618e547e32fe0b2774b1 |
| SHA1 | d0ea88d57b78ba57f5bcaeac85ea2d4c70a23d1b |
| SHA256 | 58f80448decf025b135af3a191331d04ad4f5e6b8fb418f0de127756e8ca442e |
| SHA512 | 2d9866408aae6bea30b5c41b2b15016ec50a52d2af64d73789d43f9f4ab65ac82087be3365c624e04f836d7fb0ea08a36aa07696f80b1db418fd060671660d22 |
C:\LabZ6N\dobdevloc.exe
| MD5 | 5bf70e49a06df99f48614b74b15d434a |
| SHA1 | 0a0780e01d0dbaca69955b712964d42f74ca2aef |
| SHA256 | 55d8027ea15d27c9692d11168e3d862b2421308f989f183c88c402fd7dc1d4b1 |
| SHA512 | aff449100a7513dd74ad1ef8ae34bc7d9deb390faab35ad7a29bc9187fbe3f2df7b8655d86d666a73f881414ab219994f2b00bfce979878cfec1e8859f9bac52 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 20:16
Reported
2024-11-09 20:19
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
135s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\IntelprocI9\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocI9\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid10\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe | N/A |
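The two Run/RunOnce values above, together with the same pattern in the Win7 run (Run pointing at C:\SysDrvY5\devdobec.exe, RunOnce at C:\LabZ6N\dobdevloc.exe, plus the copy dropped into the per-user Startup folder), are the detectable part of this sample: an autostart value whose target sits in a freshly created directory directly under the drive root. The Python below is an added example, not the sandbox's own detection logic, run over a handful of constructed Sysmon-style events (EventID 11 FileCreate, EventID 13 RegistryEvent value set) modelled on the rows of this report; the event field names follow Sysmon, while the rule names, the list of expected top-level directories and the two benign entries (a Program Files path with arguments and an AppData path) are my own assumptions, included to show what the rule must not fire on. Note that neither RunOnce target appears in the Processes list of either run: RunOnce fires at the next logon, which a 150 s detonation never reaches, so this report says nothing about what dobdevloc.exe or dobaloc.exe does.

```python
import re
from dataclasses import dataclass
from typing import List

# Tail of a per-user autostart value: ...\CurrentVersion\Run\<name> or ...\RunOnce\<name>.
# Matches both the sandbox's \REGISTRY\USER\<SID>\... spelling and Sysmon's HKU\<SID>\... spelling.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Per-user Startup folder: anything written here runs at the next logon.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)
# Top-level directories under which a file one level below the drive root is expected (assumption).
KNOWN_TOP_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


@dataclass
class Finding:
    rule: str
    process: str   # image that wrote the value / created the file
    target: str    # executable that will run at logon


def image_path_from_value(data: str) -> str:
    """Recover the executable path from Run/RunOnce value data.

    Handles the escaped form the sandbox prints ("C:\\\\Dir\\\\x.exe"),
    a quoted path followed by arguments, and a bare path with arguments.
    """
    s = data.strip().replace("\\\\", "\\")
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s


def is_root_level_dir(path: str) -> bool:
    """True for C:\\<dir>\\<file> where <dir> is not a standard top-level folder
    (the C:\\SysDrvY5, C:\\LabZ6N, C:\\IntelprocI9, C:\\Vid10 pattern in this report)."""
    m = re.match(r"^[a-z]:\\([^\\]+)\\[^\\]+$", path, re.IGNORECASE)
    return bool(m) and m.group(1).lower() not in KNOWN_TOP_DIRS


def scan_events(events) -> List[Finding]:
    """Flag Startup-folder drops and Run/RunOnce values that point into a root-level directory."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:                      # registry value set
            m = RUN_KEY_RE.search(ev["TargetObject"])
            if not m:
                continue
            target = image_path_from_value(ev["Details"])
            if is_root_level_dir(target):
                findings.append(Finding(f"autostart-{m.group(1).lower()}-rootdir", ev["Image"], target))
        elif ev["EventID"] == 11:                    # file create
            if STARTUP_DIR_RE.search(ev["TargetFilename"]):
                findings.append(Finding("startup-folder-drop", ev["Image"], ev["TargetFilename"]))
    return findings


# Constructed Sysmon-style events modelled on the behavioral1 rows of this report,
# plus two benign autostart entries (assumed, not from the report) the rule must ignore.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe"
SID = "S-1-5-21-2872745919-2748461613-2989606286-1000"
USER_KEY = "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": USER_KEY + r"\Run\Parametr",
     "Details": r'"C:\\SysDrvY5\\devdobec.exe"'},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": USER_KEY + r"\RunOnce\Parametr",
     "Details": r'"C:\\LabZ6N\\dobdevloc.exe"'},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": USER_KEY + r"\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe" /background'},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
     "TargetObject": USER_KEY + r"\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.target}   (written by {f.process})")
```

The root-level-directory test is deliberately narrow: an autostart entry under AppData is what legitimate per-user software (OneDrive, updaters) writes, so flagging every non-Program Files path would drown the rule in noise, whereas `C:\<random>\<random>.exe` is rare on a managed host. Pair it with the Startup-folder rule, since the sample uses both mechanisms and either alone survives removal of the other.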
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocI9\devdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe
"C:\Users\Admin\AppData\Local\Temp\1d7ff2edd621d68e7a649b1f05c8021a47200163d33de48e5878a78db2fb52c0.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\IntelprocI9\devdobsys.exe
C:\IntelprocI9\devdobsys.exe
Network
| Country | Destination (resolver) | DNS query name | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
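Every row above is a PTR (reverse) lookup sent to 8.8.8.8, so the table proves only that a resolver was contacted and that the VM wanted names for nine addresses; it records no connection to those addresses and does not say which process issued the queries (the Win7 run logged no network activity at all). The Python below is an added example, not part of this report or of the sandbox, that converts the query names back to the addresses they describe (and, going beyond the page, handles ip6.arpa names as well) and keeps the two kinds of fact apart; the table rows are copied inline so it runs offline. Before any of these addresses goes into a blocklist it should be attributed to one of the sample's processes, since reverse lookups can be produced by the VM itself rather than by the sample.

```python
import ipaddress
from typing import List, Optional, Tuple


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn a reverse-DNS query name back into the address it asks about.

    IPv4: 104.219.191.52.in-addr.arpa -> 52.191.219.104 (labels reversed)
    IPv6: 32 reversed nibbles under ip6.arpa -> compressed address
    Returns None for anything that is not a well-formed PTR name.
    """
    n = name.rstrip(".").lower()
    if n.endswith(".in-addr.arpa"):
        labels = n[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
            return None
        return ".".join(reversed(labels))
    if n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or not all(len(x) == 1 and x in "0123456789abcdef" for x in nibbles):
            return None
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    return None


# Rows copied from the behavioral2 Network table of this report; the header is kept
# to show that it is skipped. The sandbox logs the resolver it asked, not any host.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
"""


def parse_network_table(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse the pipe-delimited rows into (country, destination, query, proto) tuples."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append(tuple(cells))
    return rows


def ptr_targets(text: str) -> List[str]:
    """Addresses the VM asked names for, in table order; non-PTR queries are dropped."""
    out = []
    for _, _, query, _ in parse_network_table(text):
        ip = ptr_to_ip(query)
        if ip is not None:
            out.append(ip)
    return out


def split_iocs(text: str) -> dict:
    """Separate what the table proves (a resolver was contacted) from what it only
    hints at (globally routable addresses that were reverse-looked-up)."""
    rows = parse_network_table(text)
    resolvers = sorted({dest for _, dest, _, _ in rows})
    looked_up = [ip for ip in ptr_targets(text) if ipaddress.ip_address(ip).is_global]
    return {"contacted": resolvers, "reverse_looked_up": looked_up}


if __name__ == "__main__":
    result = split_iocs(NETWORK_TABLE)
    print("contacted:        ", ", ".join(result["contacted"]))
    print("reverse-looked-up:", ", ".join(result["reverse_looked_up"]))
```

The `is_global` filter matters when the same code is pointed at other reports: PTR queries for RFC 1918 or link-local addresses are the VM resolving its own neighbours and carry no intelligence value, while a globally routable address is at least worth a process attribution.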
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | 4cb6ee0fefb1afdc96e34c2c288bd63e |
| SHA1 | a204c2ed68c762d556bfe5519139ac9806c1d65a |
| SHA256 | 39765c570b74c9adc3e9396c4d6033763b0ad57ff7706881a6d2e3d8ac29d5b4 |
| SHA512 | ba6451669f472ad36e9d20dfe8fe42002522620d5a684ae0133c119f6c25c6e30b72d13de2a0d53c5454445e949ef21ee1b6845308647dd8c494ffee8d00f4fa |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 72d37e07bb35476f2262d300f7168966 |
| SHA1 | 62a1e037f2fec7b36119ab50b61229ad234faec2 |
| SHA256 | f1d0cab30eb47d6e63e982ff0c4976806ad6132899b820e06303f7ee6f5380c5 |
| SHA512 | 89bff6e1ead0cb41edfc8e1ac52726724807627b47b2b3e2f22ebdd545af0c77d7bbc4e9d06d5643ff23de02adf0a7989df5581b2644881db6d7b985a6760f5b |
C:\IntelprocI9\devdobsys.exe
| MD5 | 38302d484aa5e8ed101dfbecff7e95f9 |
| SHA1 | 0cb065a03f3c4f7e595a1bffcde921279593405e |
| SHA256 | 697def89a6179c2df9f4bfe3e54d37d612101e7c69c3f8edaeba2935915bfe3d |
| SHA512 | 65e47f6289c8f3e7faa8cf7aeb978eec1d3008bd785490961e55be61dacf2990b78e4a446f5496c1173b1ed9002ef20c9de40b672f2396f1264360a7fe5e1d64 |
C:\Vid10\dobaloc.exe
| MD5 | 6e994e046575c87249ce971bf644b0e2 |
| SHA1 | 02f69a3bb942ffd12081609c5e0a6d2b85bdf7e9 |
| SHA256 | ab74584e9f3723de382a5c1e9833e4dad300084896c358de457890003bed5c46 |
| SHA512 | 6d4ff5a44ba5d047c5338522866cb615874c79a16e196196b58f9162a0b6433df2e9dd98c5266797b9a7f8c1616bff29aaddf99cbdb1f1e5cf8c181bfe6d8944 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8cfa684fd7d4f5801a02a41ca7708de0 |
| SHA1 | 4129299dd9e3d7bd62f3cd0a938b27696dc921e2 |
| SHA256 | 2ec8f58303ff32473324584d5d8ce6bed57e5f92354f4a46c9b8cee0bd65e970 |
| SHA512 | 51054e79c371edf8c884f8d393214a0fd90baa02f8c6bda1b6b733b4560eb2bf44c75045cf8c08b511c019cca14de5c393bb1eb55fd9e244192f6ef04ba4e331 |
C:\Vid10\dobaloc.exe
| MD5 | 6e48912c750d2a4af218228dfe476e8a |
| SHA1 | 8f0359cb3b03fc05f8d0ae4252aa2f0f938f5489 |
| SHA256 | 6b8e8492afa8a73802220d65a0081445b52649c7adb41c2a83e8b252554e2e40 |
| SHA512 | 94858d91585a291b7d07057ddfab384639fda1d9cd40f60502ac2f6de5e4385ada01e9a1a17288f7fa3c69de4f3c0817e5f1fa0a63251ef7975ea060e3ee05f5 |