Analysis Overview
SHA256
7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098
Threat Level: Shows suspicious behavior
The file 7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:34
Reported
2024-11-12 16:36
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvM6\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvM6\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUL\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvM6\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe
"C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\SysDrvM6\adobsys.exe
C:\SysDrvM6\adobsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 19edeaeac68a0a42c6769b981f7f4743 |
| SHA1 | 9d3c091af76091c8df69f4cfa0f74fea25c8d580 |
| SHA256 | 61542906bc9a6c2c9c68857aa7f68a871600ef1416b1d7f1e2a6f9cfdbb34717 |
| SHA512 | 0dd8aa10bece4d79c5369309a0b6c867cf4c65258b0090e219953f3433bffbfc06a5e063af2f9c6b23c88bb0ea63892f731a35b0faec46d0f915c945a3da48ad |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 4fdb89e4cc44ba1dc006549d8ab3a025 |
| SHA1 | 287ffda7f8790d87d00a31a4cf985ad20f22627d |
| SHA256 | c37031d1de1c8944a3402fe529874a21f9cb0bd622aaf171fc744960136ed298 |
| SHA512 | 699ad5c17c4fd090e8ac722279279e5df47701697d3aac57f8f6513012b0df97cbe97eb9d707242ab8df7c447b8bd2ece61ed5cf69fbcd5cbae917d3f165a20e |
C:\SysDrvM6\adobsys.exe
| MD5 | 9df520ae6a107cbc1950bedc2054b653 |
| SHA1 | 24c8080315eb26ecc72c1b5fb9cabe2d74f98a49 |
| SHA256 | 5b8dfeeb10ccfdb6d451d82bcb8af5e206f2608d811cd99e253ff1126b71dead |
| SHA512 | c4bd1c33a3b29084a5f213995176f306e47e1b7da4a63e37d7efcff6d6c8d87416ce6b47571d9a5d8c77a94be05cbd07bba13c30e0a40ebed32080bccce2199c |
C:\MintUL\bodaloc.exe
| MD5 | 4ecfe40e660a4c63e1206a6d85527685 |
| SHA1 | 1961094f10a23027d3c1bf665ae0503bdf317f21 |
| SHA256 | 26ab1f7f302eb50842b4d61d30f76d0f887c4347ff732504967238ef1b4020f3 |
| SHA512 | 92157b83f0b9435263d7e25360fce40b4685d0d63f7152c0cde81c5c15b3aac2fa13fc1f05de4ede3377a296905faa7d428edccd16940d32d866184d9830c01b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 1eda7d3587c86e1eaa7a9f1192981a50 |
| SHA1 | e3210d99de1ab1dbed737783d55e934727378d1a |
| SHA256 | 9a3b96ce337f48538e497b3fcb95f27d3a54d6737558b9e17009158b53925518 |
| SHA512 | c99abe354d38ccd5b3d9dd3cd669c294af43bc1e329ce2dfdf18005dffbc4e47afdf52b84f73d05825ce594ce01b6713275523a74daaeb261743a48b66bfdd6f |
C:\MintUL\bodaloc.exe
| MD5 | d97bc12445392c64481a08b57b9d458c |
| SHA1 | 450f878beef8256da090ee58defeb3d32f3dd4f7 |
| SHA256 | cb4c499ef9c76dff644979815678c265a0621e2639f7617013b5be5e0a36da02 |
| SHA512 | 5fbdd3b250be5919b409597f8bcb6dfd8d94db70d848e825480b48719d40372d52047ab19e21b4697d3d6e0937c8173b855b2a0666e304b142084d6b18263e4a |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:34
Reported
2024-11-12 16:37
Platform
win7-20241010-en
Max time kernel
119s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\Intelproc9F\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc9F\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJB\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc9F\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe
"C:\Users\Admin\AppData\Local\Temp\7234935b6f6307dd75b09a3706623769e39f61fe82171e3efb9f456e93cfd098N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\Intelproc9F\adobloc.exe
C:\Intelproc9F\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | ed8ebaf280635d5cc4b194b3465d252d |
| SHA1 | bd63bd627dcb73a4b6e67e2cea27ce63f461b9b3 |
| SHA256 | 3162862d447752b51a58c54affd46fe4a86adaa121d5e3fb66d0bf74112abaf7 |
| SHA512 | c1f064cb4921e91444ead25d79c51000eb71343e25c23139261e10d0d6c24554b1e2c6911a679fc278b76ef46b34c08307c953f140c7deb938ca6b4faa85d1db |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3d12847dacefcce53dcac7d1348acd3a |
| SHA1 | 51b185ac0fce96138225762a37ed5e1a079f6079 |
| SHA256 | d3c285170f05ece82fd7f468fe0ab84e748157fff4d585df8e447acb1f41eb5c |
| SHA512 | 08d40f930c7403b91006232f97106daa939a12f67833d177068b76d7fcb53e53171e1a6d273a92bd3ca784d58ce094d304c859d2f7b4ce7e64929cee5f9ca50a |
C:\Intelproc9F\adobloc.exe
| MD5 | fb702db1f93f18f3f868d49e519e4d16 |
| SHA1 | ef3c93e210e8c74c937da11755cbe276667655b0 |
| SHA256 | cce86bee7152a770f171c3753b52ea6e273730100bd5c032a7b479e2b575a99f |
| SHA512 | 04589e24768f33c132d0f9b86b6b3646d07d59fc2ffb78b9a4fdcba824329f769e124880d9461e52a04d829a81f0156f3a029f005f50df7cf97f2325669a3b60 |
C:\VidJB\bodasys.exe
| MD5 | f6b60415fcb2a411d24a5696e80c5d74 |
| SHA1 | 2c7825a4d2e6235f4fcfb5196f80235cf56b32a3 |
| SHA256 | 1ff4f566f12e848fc49f9770b1acd6cc066b778ac720a0648d0c9199a4790621 |
| SHA512 | 8195e8a86469d9cf3872151e4baeccfab7a39bc730fe074eeddf33afbe1da8d9a4ee267d6831daa828b6de1d183f526770f47a83787462225a5fea2e69ddf6f4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 4c1657d99fa370c250848f3191bb827a |
| SHA1 | d0223d52f5cf12ce2ad81efb4f43f8efb2d32404 |
| SHA256 | c4e6f6d95af03567a3a023bee01b52b2247de737cc6768fbb25462058bd5b5c6 |
| SHA512 | 94303e5fbd22a806ee161c96b4cce3d5603e8d0f2fbb223584a3a22b4b51d55ac66e13b58c1480d844d58b2ce2df6fc3c4160658519af1c9a08bb61c1ce3586d |
C:\VidJB\bodasys.exe
| MD5 | e1de8b30297d5a3d1f7db8715ff53bce |
| SHA1 | 88d32c76dd4cc1fa65d86093caf7285abf5df9a8 |
| SHA256 | e2269e993847747d80d2fe7df02621c696dae5528200689c220bc58e1b39440b |
| SHA512 | 9857ef146fd40c866a005c8f0d4fe5907402b164a1e0520602a74de41808a6f600a86fb6ef4d04bf19d4df8e0506087cfc48a0e6913e2da902e6aa3e1d2c91ca |