Analysis Overview
SHA256
9f162b3ad9ca4820511ca82de5d7b93bda80f37228bff0b996482b207e2c8260
Threat Level: Shows suspicious behavior
The file dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-11 23:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-11 23:02
Reported: 2024-11-11 23:04
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 101s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocE6\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocE6\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQB\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocE6\xdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
"C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\IntelprocE6\xdobec.exe
C:\IntelprocE6\xdobec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 7c939a6d3980cca2f1b0d21d9c900fe2 |
| SHA1 | c30f5d50bc4a4d897d7af552ed2b26bd800b06ed |
| SHA256 | 0989bfbcc0274bbf53324ffa6d9fe130cd34ef86b62bd09bdf9aa6ad5fe4a429 |
| SHA512 | c55f07809658bd829f84220f5513309d2ae2134df7a3e6c90f471097870e5fb2e7747828d2bf7b30d45cba97b2b36d4b960609e8bfa030e9fe0e9e0a4ba48a51 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 3c41735be421f0031c173266fcab47a6 |
| SHA1 | fa2d12e75806e73c57ac769b074275e416ab1457 |
| SHA256 | 2550ece781fe1249c86c2d4ceb36f5de964c49d6b648eb64a01e428809a2c0f1 |
| SHA512 | 9d6de2239d5389a7e49a747a48b4ffec3fd1ceff5fcab47a25f9b2f243870164ca1a2b16ea30cab2a16e4805c4d1f5875866fdb57838c8816f9c8e31a0a5ad6e |
C:\IntelprocE6\xdobec.exe
| MD5 | 97a00bb265163bd1f186415674706d9f |
| SHA1 | fa4f8c1025252b11c18ec0e826e893d9faa4a4ba |
| SHA256 | 12cccd825c92967d8f488c97cd4cb555586873317400553f165afe07903b8860 |
| SHA512 | ddb809f3ad6f33bf6e0964a133a2bd793915582dabd8ed3e76ff470b3e824a2cc5d713a49936ac05faf2226b803f1e22867be10bbffe91ad16c4e68380fd810b |
C:\LabZQB\bodxloc.exe
| MD5 | 21cd422ae2a59f109ed92f0e34ba6fab |
| SHA1 | 868ed47a2d5e31f9e0bb4cf6c6fc7b849d72fdbb |
| SHA256 | 684378f6987ed8be87d5568e40c5b111e3d6ba10c24c36bc7c1e7eadba398caa |
| SHA512 | b650c64718462ae31dab8387c44e54f4825c688c5bbcbe7cb947469889508615f56ce2eb5d0cff3069f68d4ba60e6cce7d1623d36e8b7a0835d0a000a5ed137a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b0c2889f4af3df2755ae627aac2905fc |
| SHA1 | 67e893b26cce1be707d15a1ca7ae5bf1ea6fd8a8 |
| SHA256 | 662295bb5eda94fdb0a1e0db99832d902ae864b46f78058bdd0a2f1bebd5e269 |
| SHA512 | bd35f5f8b203004893c948f4a749c02e76891b3514c7ecf7c45099616cf68a2fd43cc15ea489a597f7656c9218087953f308bccac2a8a99efb4a8078ad349597 |
C:\LabZQB\bodxloc.exe
| MD5 | be144084ffe3fa00ec6455b5ebf48e64 |
| SHA1 | 1dc36a5f3f80d4a75a5d008282cae06cd09155ec |
| SHA256 | 10e07599163ad10f7afd64d1fccc2929360457898f72795dc0d9af98c27922f3 |
| SHA512 | 52359480af1b6d7e0046f179b4289c6cd56e495e6da7d680f095db2bb8e0cf0ece6f2bb172bde590fb188e4c0631e41c017bd7a67bab74732b4173ac8010a1de |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-11 23:02
Reported: 2024-11-11 23:04
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\Adobe7G\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7G\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBXB\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe7G\xbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe
"C:\Users\Admin\AppData\Local\Temp\dc6d45853d87298e51369463f41874eb029a9c1479bbc8764acd4dbae51fa724N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\Adobe7G\xbodsys.exe
C:\Adobe7G\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | cd4f5eddc43ba9e26c1df2090b781fc1 |
| SHA1 | 4f5a040edf0f2d95416f304f86878a3cfd5b9b07 |
| SHA256 | c1d4c6e0110f24dd5cc07a7468dec5fd6962ac4c67aa63bca49eaa9848583fe7 |
| SHA512 | 44d5e9bca88ed2689ad8b84fd881b816f4ad0f36feff7f3d2bd7f9c1e8e9c69682a9486eef0439c5a526ef36b2fb66994a71f1bda611ee59312bb905240c27d4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 815912636a6bb7ff6b5e88866341a66f |
| SHA1 | 99ba5bf340c1b92572512d21a35c1d28b82659ba |
| SHA256 | fdf009d1c26fa1a7e9c214ea694e3eaf6921831afb38ba862d2a2d8255517da5 |
| SHA512 | 55ff89d5eafb204d1df9861e6bad9a749fb27ac80b67a3daa6b25e488f31bd1b8e9a5b6ad2592a04fb37ab5f88de0e356df0236dd88d9e55cb5d5bd20bffe981 |
C:\Adobe7G\xbodsys.exe
| MD5 | 5ce46de9d1c8ab23eeb8a98bb0b2232e |
| SHA1 | eb2b026ffaf5a7802065fa5971c5c4495fa6763a |
| SHA256 | 0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0 |
| SHA512 | 173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712 |
C:\KaVBXB\optidevloc.exe
| MD5 | dc841518908b59993a7dc3b76f2d8fa5 |
| SHA1 | 11080f957adaf78193805a781975215a008b1e41 |
| SHA256 | b9dc4e1720ebc4c4fcdd2a375915ef115c2ddfb26164fd1c32aa96d7e59d07a4 |
| SHA512 | fe4e06f7a689364c17062b5a8f43776ba7f64659e639ec71584188cf1c2f80c3eef37240e05fcab92fff1af5ee53089a9251005d799060080098bbeb37aaf11e |
\Adobe7G\xbodsys.exe
| MD5 | 6549aa20c876e6bf63cadac932ef0590 |
| SHA1 | 16c184a26ece04e50897d6f0ca3dccc459089713 |
| SHA256 | 69a0d6dcae021488732fa5d434a86b9bc7b4ff9571f55b8d5090b670eb55a55b |
| SHA512 | 261968386848629b0f1000a2ef42810d6c963ccd1f5f422cc0e35296f2b7ec59d0499d1cc50f1580935875b47433102ff57d82eea4766ac7928755286095537b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d1fc3f201e8090f8dcee64c474cd0cf4 |
| SHA1 | 6024cc3ca5aa6ad6de71eadad73d8bb33deec076 |
| SHA256 | a60d58e4cfc3ce5d8a12fcdd798d8d94a7917bb1f845021ae4e800eb9008095d |
| SHA512 | 8f4d8310c3f0c142b2507d3232d85176bfe8dabadec18c5f986d007320b420b7ffa823fe37c66c1b4f23380e3ea1c238d89b4966594b9e547e9f3780cf1a9731 |
C:\KaVBXB\optidevloc.exe
| MD5 | 211c211281a83cae04ba8989e177223a |
| SHA1 | 2c6a912a90ce71ae095e8f16a97222e28964a271 |
| SHA256 | c2beca0f3cf592fda96ba710769ff2d67fd97592da9df195990bf22499d20a4b |
| SHA512 | 10dbfb3c33737e1b9a691fdbb89cea3f018443e481d57887d53a605597bc3ba56db26480f2efdbf443c71b4f4a0b594257d8f34f4cbd7826ff71936f4b5487eb |