Analysis Overview
SHA256
1a103394edcd5e659330eb4db0b7c2f6af6979238a46c71fd9f31e7647dfcec8
Threat Level: Shows suspicious behavior
The file b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:40
Reported
2024-11-11 23:42
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\AdobeRZ\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXF\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRZ\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeRZ\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
"C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\AdobeRZ\xdobloc.exe
C:\AdobeRZ\xdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 5e43ed3f8428492a1a628aa33d58cbc5 |
| SHA1 | 9d27e551dc81de020c00526274ff1935465eaf78 |
| SHA256 | 1b51007b8f96a1e6db7c3815854397f4f9d99315366044583c5d5b371e0fc355 |
| SHA512 | fb0ad3f68d425920499bfc6364fd0b406a569ebef62e491c22f97b58f92940dde49a395294b363fa65aa3c20ce0908feff25f81680cf3d5264320c3ff8a85939 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5d3ee695ca5f6b0a9b95457dd478597a |
| SHA1 | 6003e8c3ca9119ee9c4134442b30c6430bf5df99 |
| SHA256 | ba4778074c791e8754f2c0d70e56d37ac0c40dcb372fc7bf97d78299764ed427 |
| SHA512 | d5381f4153d5478f69c116d6b4d698cbc9fd2f7c4d7eb16234b88fc4193bd8a575e0e9669187a303ccede4ce60a049033634e6d4082df615bee5cbdd39a73989 |
C:\AdobeRZ\xdobloc.exe
| MD5 | eb0fb1d7a07ba1cb4a3a5b86865c8742 |
| SHA1 | 7c3e5f49911b42e223c3d2a257519ee02fe27230 |
| SHA256 | 8b52905c8ea112dd580270126281fd10a99685c4b864a52556c88810d432a5f1 |
| SHA512 | 13f9a5fe8fcafa6d90f32faf8b85bb9f5a37b11fe6faff443471100af2de245fd8b526f1edc822495adef31ef991b55128c28bd50e3366b69f7c291f3811e569 |
C:\GalaxXF\boddevloc.exe
| MD5 | 99b65db50dba3eeff96a893a53b2c097 |
| SHA1 | 92d085ea2465f204c53292477d5113405328285f |
| SHA256 | 4ff5cb185e105455e090d470cf28e99e44d3967c36267b4f3f872e92044984df |
| SHA512 | 3df470e68960f9615514cfea6412a9308452fd3d9a30f3affec38c535461cf9b93d12c4fba5d01bd3c96888727dda82e10f93b683b373a6fef5e2f2a8cdd4ee4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 2a3dfa581a157019fc8491256b4a678a |
| SHA1 | ecb4af8221ee72335c9aa68e82605a44ec1d79ac |
| SHA256 | 35a098db0a7375cc8712e27303e249deb0f19981837adefc5b799f6ceb6251e5 |
| SHA512 | fc4bce150724cab06b75e5728c612b92e96991bd2f73300ecf606b65f4c8e215b18e8904c8587b817c0e5775283706bd1074ccfe35fa8e698cd191740faa5960 |
C:\GalaxXF\boddevloc.exe
| MD5 | 3d87b00043954df060c5593c08f9f9b6 |
| SHA1 | ef8a69389545c01cdaed38b7b037f963205a94df |
| SHA256 | 0caa71936b4430cd7528fb864eaf702b21253597d45115d366c8c0b6cbac5833 |
| SHA512 | 633b56d31a4478bd1bef026330ef1ea8ffbee52e4f17058150a962f885b53c0747a296f8ae15d5f1b8f068af2a1164868182a657619f06b91131b4a15fcd4335 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:40
Reported
2024-11-11 23:42
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\Intelproc7Z\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7Z\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUX\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc7Z\abodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe
"C:\Users\Admin\AppData\Local\Temp\b8981642b2f32edcb24bafb78aa4a31d003efd8d2916598b69b6851b658f065cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\Intelproc7Z\abodsys.exe
C:\Intelproc7Z\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 330d205e3ddebbbb6dce7683cd1661b2 |
| SHA1 | 8ed60bc6e10e7577ddf4368792e88789bc647738 |
| SHA256 | fcf2c91fcb9ece4f2802fde13665ea9f5dfe72f06777b38976addb4982500cac |
| SHA512 | ad3ffec47a30648778b10680527c72dd55bd18b5370eb6542a59f3026a7be64ffd3bf935c27c75c1f81c73a72a1038b1548b0f67f7482f4a295754adef94aa01 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d375844367e3f417ed3d7a15e80eb050 |
| SHA1 | 020e6acb873b7b1556136e720fd6d44b02cb5769 |
| SHA256 | d81069b80450fa307fa959ca8164e4ecc9cd3b4c041ee7074fb1fa0292af0295 |
| SHA512 | 37c206f27ea2fbebdca4aa24f21a92e80986c18591d89f0212fe5213d7f8f0420856fe9a12473b26298e40ab525602b2d1291b71a7fc220c32815964216ab2c1 |
C:\Intelproc7Z\abodsys.exe
| MD5 | ca19464d7a0745e69831e036f9433af7 |
| SHA1 | ea4cc82861e4b3b327c21eb4b50ee3dae27f3438 |
| SHA256 | 5352f9c5d0d24fc9c7f1cf693681928d19cb7b2d0dfbf1d89d6c2dcbf50eaf50 |
| SHA512 | 17e551e3896f678dc97ad87db02adf7ccf7887b0a2d7a9a47485fe74e6e792b430010a4477a10da9c8871c08f395b09f127611e8792b5172a11b4878c7171e1c |
C:\Intelproc7Z\abodsys.exe
| MD5 | 5503271a899bf7569c30ca5cb735b1fc |
| SHA1 | c9bed33b6dd70fda2058191e33ea0aeead5c7e40 |
| SHA256 | 67210a7e5b1678bac07860a65781d2e763f27a6bb43d9c8592c3a0efdc8dd5cc |
| SHA512 | b5596f65c6c18ada1c31b7e221207ae27cb855470005af1e14948a457d3c1a24509a80c2e0447df1ee33c25925a9673a572ebd7b20b136f475ca16b6a3ba54b6 |
C:\KaVBUX\bodxec.exe
| MD5 | 48f805b7d06218f08adcdfc7dc4cff32 |
| SHA1 | fdf34bab3f639607a6fa8bdda358e9a7877d7248 |
| SHA256 | 34a30a8664e1832b7616a9b10b9b7b28f1fdbafac4e22e54db1b1f556d5dfb64 |
| SHA512 | 0bcea93c4d5efd09217e7938c254d03ff758c8b066280c1735e970287c1acc579a016bbf8737242b6ac7ce5be8393a44c179defb6c9606850052c524b86bb60c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b8541d68cd4714b1048cbb39e194b092 |
| SHA1 | 129ddd79233f73e96061c0997166b6d4bac063ab |
| SHA256 | c9b2ddc8117c8be0834202a19004cc09e609b09b58d132995e0de61cb423aa7e |
| SHA512 | cf00f51c8bd58af7dac4d8aaf4f72bd860523599b3a580581c614228abe4721e7814b92080dfdcfaa4f8a02d4e5b089e18e49557672dbd57c8cfcae26eb5a2e8 |
C:\KaVBUX\bodxec.exe
| MD5 | 29b2ae0e13ab7ceba24dd078951245b5 |
| SHA1 | 0777602131df34a6bc094a712f3b916bb96604be |
| SHA256 | 2a2b8a7f689f30b282dfa807f09256f427ae99ddf8145ae6726ba8a6f07f845a |
| SHA512 | e412a05336831e835fba5129c60644bc250be17af5052214470d91a134415e4676a0f8d34c932170f811b0e1d25efd117ac15d3bfa1841f2be12ca534c628180 |