Analysis Overview
SHA256
adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149
Threat Level: Shows suspicious behavior
The file adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:40
Reported
2024-11-10 01:43
Platform
win7-20240903-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\Adobe0W\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0W\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUF\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe0W\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe
"C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\Adobe0W\devoptiec.exe
C:\Adobe0W\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Adobe0W\devoptiec.exe
C:\KaVBUF\dobdevec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVBUF\dobdevec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:40
Reported
2024-11-10 01:43
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\UserDot01\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7Y\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot01\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot01\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe
"C:\Users\Admin\AppData\Local\Temp\adc4eb9f9521b5fcaa2e76a41c76e3b439b897aefe344b6e5460876ab973b149.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\UserDot01\devbodloc.exe
C:\UserDot01\devbodloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDot01\devbodloc.exe
C:\KaVB7Y\bodxec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVB7Y\bodxec.exe