Analysis Overview
SHA256
668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61
Threat Level: Shows suspicious behavior
The file 668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:42
Reported
2024-11-10 01:44
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\UserDot4V\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4V\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJE\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot4V\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
"C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\UserDot4V\adobsys.exe
C:\UserDot4V\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | 52aad5152b34da661b520fb20c24d729 |
| SHA1 | 1cfadaa19d566a7d114a70f865d4aaee6e36fc66 |
| SHA256 | 5d3ed0b5e47c42157dbed8e29c6f64aa9ba98b0c6d2e60430fe02fabbe1fe310 |
| SHA512 | be2b5b137a0214e497fb0f5a5a1f6e42d50e0d4b0738e2a2786eef7e220069689138ba0fa271ae8e76ed06c5ea4a045c62deea78ca5b910aa9bfbe03992a26f5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 50cef773ffe689b44d7b1b7cf47d18d6 |
| SHA1 | 330b7308674bc7f70e83f52dd2ceffda94934dc2 |
| SHA256 | 17d8ceb214db6e0860064c7df1f366b0d0a11399fd8866a1dbbd004f8a8268b3 |
| SHA512 | 69ac24ccd4453110dfae2b30a38c90e8467a6bf9cedbd5a535e0942a74b324e814007a131cdddc7cb1cc7ea16fadbd1d502e715457bcd07548c90e07d881c4df |
C:\UserDot4V\adobsys.exe
| MD5 | b1bff5461f6eccee15bc13b90b862c37 |
| SHA1 | 9b68b3e8bd60c2c4b00d1ff961e9c20b00350466 |
| SHA256 | 31ee37ebd445cdf1397bb80f305ea15a1b3d12fced2d3dd773fe436cbaaf9498 |
| SHA512 | fc655a29154ddbd88a87bbe6eff59a7e0654e6306682a7ea2f70c240b99f1e7026089df3a2803df3ec6f1a12c75d0ea1438ffc856440b95121dbfdcbc15800b0 |
C:\MintJE\bodxsys.exe
| MD5 | 5ffab038d17d47771c031d3b701e0cc5 |
| SHA1 | 74d331d26e5210e7e523c750b0080e1641bb61f5 |
| SHA256 | 1b2bb8b0c13c9e1418b1e48501e2a62606e0e890934e027d746c196943068982 |
| SHA512 | fad3e0cee5656b4fb350050395b6d8039f870087a145394dfc2eab77587a10e53b2e421be937a90a9a80244cbd3096e07f785a35d7df3b5efb0e258ca75678ec |
C:\UserDot4V\adobsys.exe
| MD5 | 246b1ad5d4e63d93358cb17d9c8e6f4e |
| SHA1 | 9b8ba61df6f3fc44323e371a5919f8364f2ec712 |
| SHA256 | 4dd27231988530313ac5252af1c0be1756195c16621a7d5b8e2f6274e04b08b3 |
| SHA512 | c20b4f1d84be999b582343a681c8a9480386e87c7523716fc5c85903b93e87866f19d7aec334c897d0f37c1713a7df3bd874e82440553939c3b09c946f1a8589 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | aeb384f1e097ea21d505bf5ca2c7c1a2 |
| SHA1 | 828bb63147b318e28988954fb745cfa007a35e12 |
| SHA256 | 343aa316bc647a2651641fe3ca303ce2030d4c35e426bdc31a4b655797011fd8 |
| SHA512 | bdfe85dd5268ad255e9fdef1286e03aaba2143450a3b7a984086e9b81a2ec8934ef3184044336ff009c30d706acafe79d54233834a3e9381879aefae3607acfd |
C:\MintJE\bodxsys.exe
| MD5 | c18410dae2f8f403e9119c90d20f9350 |
| SHA1 | 3050df89e1d8a12e6931d85290f57310b97156b3 |
| SHA256 | cbc6098f1ffeebc297284f32d23888696b800239c85097e2a83e995736cf01a3 |
| SHA512 | b68d08252e6c0375195ef830eb4013dd69be6b16cc2ddbb1b6cd772e107f3fa600dae9311eda18b728c60ae4c6ea024a62ea43d6e531307df14865f134ee700a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:42
Reported
2024-11-10 01:44
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\SysDrvCY\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvCY\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFP\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvCY\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
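Both detonations show the same persistence pattern: a copy dropped into the user's Startup folder, a Run value and a RunOnce value both named "Parametr", and each of those values pointing at an .exe inside a freshly created, randomly named top-level directory (C:\UserDot4V and C:\MintJE on Windows 7, C:\SysDrvCY and C:\KaVBFP on Windows 10). The hunting check below turns those three observations into triage logic. It is an added example, not tooling from the sandbox or the sample; the registry and file records it runs over are constructed to look like the output of an autoruns-style collector, and the record layout (key, value name, data triples and plain file paths) is this example's own convention.

```python
"""Autorun-persistence triage check derived from the indicators in this report.

Added example; the sample records below are constructed, not collected from a host.
"""
import re
from typing import Iterable

# Per-user or machine-wide Run / RunOnce keys (compared case-insensitively).
AUTORUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Value name used by this sample in both detonations.
SUSPECT_VALUE_NAME = "parametr"
# <drive>:\<4-12 alphanumerics>\<name>.exe, e.g. C:\UserDot4V\adobsys.exe
ROOT_DIR_EXE = re.compile(r"^[a-z]:\\([a-z0-9]{4,12})\\[a-z0-9]+\.exe$", re.IGNORECASE)
# Legitimate top-level directories that would otherwise match the pattern above.
KNOWN_ROOT_DIRS = {"windows", "programdata", "users", "perflogs", "recovery"}
# An .exe placed directly in the user's Startup folder.
STARTUP_EXE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)


def check_autorun(key: str, value_name: str, data: str) -> list[str]:
    """Return the reasons (possibly none) a Run/RunOnce value resembles this sample."""
    reasons: list[str] = []
    if not key.lower().endswith(AUTORUN_KEY_SUFFIXES):
        return reasons
    if value_name.lower() == SUSPECT_VALUE_NAME:
        reasons.append("value name 'Parametr' seen in both detonations")
    target = data.strip().strip('"')
    m = ROOT_DIR_EXE.match(target)
    if m and m.group(1).lower() not in KNOWN_ROOT_DIRS:
        reasons.append("target is an .exe in a short, non-standard top-level directory")
    return reasons


def check_startup_file(path: str) -> list[str]:
    """Flag executables dropped straight into the Startup folder."""
    if STARTUP_EXE.search(path):
        return ["executable dropped into the user Startup folder"]
    return []


def triage(registry: Iterable[tuple[str, str, str]], files: Iterable[str]) -> list[dict]:
    """Run both checks and return one hit per matching registry value or file."""
    hits: list[dict] = []
    for key, name, data in registry:
        reasons = check_autorun(key, name, data)
        if reasons:
            hits.append({"type": "registry", "where": f"{key}\\{name}", "reasons": reasons})
    for path in files:
        reasons = check_startup_file(path)
        if reasons:
            hits.append({"type": "file", "where": path, "reasons": reasons})
    return hits


# Constructed records: the first two mirror the Windows 7 detonation, the rest are benign.
SAMPLE_REGISTRY = [
    (r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "Parametr", r'"C:\UserDot4V\adobsys.exe"'),
    (r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "Parametr", r'"C:\MintJE\bodxsys.exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
SAMPLE_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(hit["type"], hit["where"], "->", "; ".join(hit["reasons"]))
```

The value name is the cheapest signal but also the easiest for a rebuilt sample to change, so the directory-shape check is kept independent: a Run value with an innocuous name that still points at C:\KaVBFP\boddevsys.exe is flagged on the path alone. Well-known top-level directories are excluded because C:\Windows\explorer.exe has the same shape.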
Processes
C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe
"C:\Users\Admin\AppData\Local\Temp\668577856b4b03c3dac5b5a56fc23d61fc70b2399848a8a97071bcf01f123d61N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\SysDrvCY\devbodec.exe
C:\SysDrvCY\devbodec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | e333a298aff8ce442bddb527bfb2108c |
| SHA1 | 55872f02983dc0625f5754ea9283b4b324316c48 |
| SHA256 | 80ad627aee4612d13d1a4cf6b4472ab15aec5516b2c9408d0407ceaeaaae036b |
| SHA512 | 587eb00f27d7cb6533cc727e65919aef0744c03f0d777e5d9015da1a867631ec64db0e25aafc79e628e39f3343fcd1f66a6886d2ba3746e74a97f4a6adda0932 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 51830f4f19ef68ed5822e947622324ce |
| SHA1 | d0b55c525cdc1a62644acd3da91b23b38097dd1d |
| SHA256 | b0ff4393d62922ebb054a78ffe51758e1086f552e5b6c5217460c9599eff9b85 |
| SHA512 | 66f1abd8cb570fdaf9972051637eb357cabcdef78cca937f56b90285f18469e40dd796c1121955951b38db01ce06a071500343b69dc47454e203fd33bb1c48a3 |
C:\SysDrvCY\devbodec.exe
| MD5 | 665950aa252892be60312cf3e53ae228 |
| SHA1 | af5498b6db64251a20f415701b7781c696bec1b1 |
| SHA256 | 76d5b26a8f51dac028db6cb1dfeeefb86a2d7429f76f80f55b669f2719b4b4c2 |
| SHA512 | 41182484adf804ef2dffc2f7739469fa23c7c5d1cedb70aeec3a305b4da40b50ba9cf89b89f6a74532b76b7258fd63375d39cdd880e831c38aa8c784b7046c2e |
C:\SysDrvCY\devbodec.exe
| MD5 | 1780c52aac8424bd6bd06134a9f5278f |
| SHA1 | e86e58ebd04f94f43c216278beddd361643b59c0 |
| SHA256 | ef528b4eacde9533e50a102cc8ba50e145cfb5dd514b13acbc9bdae0f1d1b5d5 |
| SHA512 | b5b3629df086cedf205814a2495d878cacfab5c757111a3bb8b4fcf6a08fbb9629ecf6b5d0d6ffb6a091b7fc12a7f09751859c60464db5d816c1c785b8f991b1 |
C:\KaVBFP\boddevsys.exe
| MD5 | 8722a447f61ffe9d22d59fd0342ccf10 |
| SHA1 | 826bbfbb0ed172381a61dc1904ae4ed9c90d02ae |
| SHA256 | e5ea5445b1355be949760b8d3409b4aa831b521e8828d60b254e6c91b67800de |
| SHA512 | 2dfe8e4a37d48d578fb19ab4c43ba773635f285acae7f154930f240179812021c46c16eb3a4fa7a846e4f8bee98eff71eceaabb882cb45162a223ea0724956fa |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 66716451e65c0b4ab7d2009794bec75d |
| SHA1 | 9f329d24f2b98ffc36baf76ed36c8b898669f76e |
| SHA256 | 4d76ba7fb07c03f3b194d1b4d79d7171badd4662dbd3d01ccb0f4e7a6dd14f48 |
| SHA512 | 7749db2c2069522344a76eb573511f65c7a66d3c9cd11f703a8b111d752db331aaa3b5f6bdca4cbac84ef8c5cac6be49121e07dff7670e04db3dd7310eb74b22 |
C:\KaVBFP\boddevsys.exe
| MD5 | 3627eab6936fbc3551462284d0743d11 |
| SHA1 | 4a0636a537e0f5a4b6f88d54509b930f5317c9c5 |
| SHA256 | 0b1fd4086ec3a95c55f56cb1b9188025f9b301ca1f52bcef9a6b2a23c2827934 |
| SHA512 | f94feedb95683d05923f920e2402a5a821509c4aab54ca56176e8c25e4b76985ac7a3931362907e8addd6e880f2e05d70dffd66fdfc8bad46fea70b9172696c5 |
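The Files tables in both detonations list the same path more than once with different hashes (C:\UserDot4V\adobsys.exe, C:\SysDrvCY\devbodec.exe and the per-user .ini are each written twice), so a hash IOC set built from this report has to be keyed by content, not by path. The parser below reads the report's own `path` / `| ALG | hex |` layout into such a set and matches it against a host file inventory. This is an added example, not tooling from the sandbox vendor; the report excerpt is copied from the tables above, the inventory records are constructed, and the (path, algorithm, digest) inventory layout is this example's own assumption.

```python
"""Parse the Files tables of this report into a hash IOC set and match an inventory.

Added example; the inventory below is constructed, the excerpt is from the report.
"""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Copied from the Files sections above (SHA512 rows omitted for brevity).
REPORT_EXCERPT = r"""
C:\UserDot4V\adobsys.exe
| MD5 | b1bff5461f6eccee15bc13b90b862c37 |
| SHA1 | 9b68b3e8bd60c2c4b00d1ff961e9c20b00350466 |
| SHA256 | 31ee37ebd445cdf1397bb80f305ea15a1b3d12fced2d3dd773fe436cbaaf9498 |
C:\UserDot4V\adobsys.exe
| MD5 | 246b1ad5d4e63d93358cb17d9c8e6f4e |
| SHA1 | 9b8ba61df6f3fc44323e371a5919f8364f2ec712 |
| SHA256 | 4dd27231988530313ac5252af1c0be1756195c16621a7d5b8e2f6274e04b08b3 |
C:\SysDrvCY\devbodec.exe
| MD5 | 665950aa252892be60312cf3e53ae228 |
| SHA1 | af5498b6db64251a20f415701b7781c696bec1b1 |
| SHA256 | 76d5b26a8f51dac028db6cb1dfeeefb86a2d7429f76f80f55b669f2719b4b4c2 |
"""


def parse_files_section(text: str) -> dict[str, dict[str, set[str]]]:
    """Map algorithm -> digest -> set of report paths written with that content."""
    iocs: dict[str, dict[str, set[str]]] = {alg: defaultdict(set) for alg in HASH_LEN}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            current = line  # a non-table line starts a new file entry
            continue
        alg, digest = m.group(1), m.group(2).lower()
        if current is None or len(digest) != HASH_LEN[alg]:
            raise ValueError(f"malformed hash row: {line}")
        iocs[alg][digest].add(current)
    return iocs


def rewritten_paths(iocs: dict[str, dict[str, set[str]]]) -> set[str]:
    """Paths that appear under more than one SHA256, i.e. files the sample overwrote."""
    seen: dict[str, set[str]] = defaultdict(set)
    for digest, paths in iocs["SHA256"].items():
        for path in paths:
            seen[path].add(digest)
    return {path for path, digests in seen.items() if len(digests) > 1}


def match_inventory(iocs, inventory):
    """Return (host path, algorithm, report paths) for every inventory row whose hash is an IOC."""
    hits = []
    for host_path, alg, digest in inventory:
        paths = iocs.get(alg.upper(), {}).get(digest.lower())
        if paths:
            hits.append((host_path, alg.upper(), sorted(paths)))
    return hits


# Constructed inventory: one SHA256 hit, one MD5 hit, one clean file.
SAMPLE_INVENTORY = [
    (r"D:\quarantine\adobsys.exe", "sha256",
     "4DD27231988530313AC5252AF1C0BE1756195C16621A7D5B8E2F6274E04B08B3"),
    (r"C:\Windows\System32\notepad.exe", "sha256", "0" * 64),
    (r"C:\ProgramData\cache\devbodec.exe", "md5", "665950aa252892be60312cf3e53ae228"),
]

if __name__ == "__main__":
    iocs = parse_files_section(REPORT_EXCERPT)
    print("rewritten in sandbox:", sorted(rewritten_paths(iocs)))
    for host_path, alg, report_paths in match_inventory(iocs, SAMPLE_INVENTORY):
        print(f"HIT {alg} {host_path} (seen in report as {', '.join(report_paths)})")
```

Matching is done on the digest alone because the sample chooses a different directory and file name on every host (sysxdob.exe/UserDot4V on Windows 7, sysadob.exe/SysDrvCY on Windows 10). The rewritten-path check is the caveat: a host copy will match only one of the two digests recorded for each path, so every digest from the report belongs in the set, not just the last one listed.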