Analysis Overview
SHA256
9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7
Threat Level: Shows suspicious behavior
The file 9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:58
Reported
2024-11-12 17:01
Platform
win7-20241010-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\FilesM4\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesM4\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintSC\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesM4\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
"C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\FilesM4\abodec.exe
C:\FilesM4\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 0eb6c6742160d9ae8025af3cee11d239 |
| SHA1 | aff5292226ad96c80384dc31b8327b5378be97e1 |
| SHA256 | 779be9749648355102c691c4e93f0a48842e2de38571b48aec08f8f59c1f2e4a |
| SHA512 | 9b2d5617af325e8a4703d1c6bf8153939bdedfa875ed07cb15cba46e7c2bb88cade4a616ce57936c83f49066f112718a3ecfec895f35e3cd5c4352cecbaa8bbc |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ce293a451f54f817baa88cec4fe3404a |
| SHA1 | c7eb629243561dda0d514b9e2aa681f67ac651b5 |
| SHA256 | 2000787312bcf5f9743e0ada643c153f0d3bc083333205596dd9b291277d9750 |
| SHA512 | 81d26a1d6d0616b306a240663faa5f3f343221396bfc55392e06fe74f4ff90d4fdbeba56c0ee7b9233a7f023e9d02426111cb7cf39ef4c1a2edd7ebdeef83ffc |
C:\FilesM4\abodec.exe
| MD5 | ccd479d4fa28eda3d977b64e196d812d |
| SHA1 | f0df62176324ad05231bcc0427a0733f451beae7 |
| SHA256 | 3e32d921b590b24fc4a76b482221ec9072728e6fb44d174b4c4d8678d23305dc |
| SHA512 | 20746cd63bb94fe3c42c661997a19a20a69433be8845452d46281e8fd91933d909e1a9bb69e622ac8c333f8c3e5766bdfb738614d96d0f8d522aacffdf8de128 |
C:\MintSC\optixloc.exe
| MD5 | 43ff907af645e6154c981c1c1651bb8b |
| SHA1 | 2a4f2b3f2c73a0ad149f40163a73513148a56ee6 |
| SHA256 | 1bc79f9af65d4d0740135bb8d9cd59193f200a270a030742e5383597124c1be6 |
| SHA512 | f32f68fefad50f29382b3e042419d0a91b90487c588fa7a72bc74f42d41eb91f50bac7c7c08d7b42b6211741f61b207912a2e36a00efd573dcc639645ec1b172 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6c7f40f3a78b44c680defabf9c3fa758 |
| SHA1 | e96b3eee6cdeb9723ece107d19bfd986e90f2ea5 |
| SHA256 | 387603d41eaa8bb38006ca4e5182c81527b433ade991dbabece040695e9d8d89 |
| SHA512 | 7d983c2037068fb0352a6afbe812c74bf1ffd2d11893ef95ea6b00ec320d800e0c7ec12db61c1938de2acb9df2ec4a19516fbd719d638084afb5284ad0505617 |
C:\MintSC\optixloc.exe
| MD5 | ccd4cdf08fba67c70073b8173b0c3de9 |
| SHA1 | 5eed234c984e512c5a348ab75ff627bf55c54a8a |
| SHA256 | 979af6a4ec69b0202ad8456533fe344738c6466433659697683038e1314e4de2 |
| SHA512 | 10b0ce5c0edb8fcc84ace866af854f6676f95c85d1204475ab484a51a5f2b09aa30787e42df29b7614f86926833884cf8be296759351cb28cbf7652d49b66272 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:58
Reported
2024-11-12 17:01
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\Files0T\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNA\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0T\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files0T\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe
"C:\Users\Admin\AppData\Local\Temp\9377d975533e1297b8aa716ed933dee93da840c265f2ce8a540134f0797befd7N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\Files0T\abodec.exe
C:\Files0T\abodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 1ba85a904228378cdc9d3c870dc437c2 |
| SHA1 | e6083268837960564ee4adb3f8d2e4aa35a3324f |
| SHA256 | 150ca3365c989f1a6dab168bc9db19479dae4880d5528a17bfd5986aeb738cd2 |
| SHA512 | c0f167f5da28b3899752026ab06c586434be5d6d41c6d859355adb798cf12662f8bf405c26ecb3754f35d6c515e51f5994bde5c96c70f126350dc9f5937733f6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d815b323e1939c4e4c92141f12982a0e |
| SHA1 | 9448b2e2ce3a3b2e80da2d6abdbcbe1fc0c6deea |
| SHA256 | 8eb99c21d5745e43665c4849da6bf57dc31517e2dcc6670dc41c95cb4a6708fa |
| SHA512 | 6dd5eb959b929788f55d153e2b7eccdf88ac4632703a914cea79cb0237ce188bfaad6436dde2b08f476e9609f2472894f476426519655887bd92991e4ca67305 |
C:\Files0T\abodec.exe
| MD5 | 5a87572878dabd3652e734e9cf855065 |
| SHA1 | c5680884425386174908e45b82e8774e388790fe |
| SHA256 | 0d93615a7a3146141faa27413b9e8d8b65a6ab474987576feb52ef3124e82ddc |
| SHA512 | e3ae89e995b510989fdbbc77110650db648ae4c1bae911c98b4f146db762f2f954193a55f320761cf613f9a5662a32c7514cf26ad07038b1efe753633a3c1791 |
C:\Files0T\abodec.exe
| MD5 | e254de7a8046bf0909f4d57623d8ca2c |
| SHA1 | f6d564dd9da7996920b95bbab4713918cd2d46fa |
| SHA256 | 0799b6dbc934091aff5fc36e272783773bf7d64300f90675f9e29104c4f7707c |
| SHA512 | 1cad29284ea80073d655c396e0bfc4e620203c91c6acf99ba3d02696c8da0d1b807f176e2a975a830a92f126ab122766e9905d8054d876fdb3802d4522373bfd |
C:\MintNA\bodaloc.exe
| MD5 | 45fe14f76839e9486445fd54713736b6 |
| SHA1 | bd546833fac1af06f2d752ff8daacb898316a121 |
| SHA256 | 0415455288f159e32b3190fef979546d56da9fe3cd7a593a07e3275989da3a9d |
| SHA512 | d3c49ad36c5ee3a8cbcda62ad01fc5576c602a3923d42d73a80af4ce6c9a4f4b62646923b11f40d50cd85d83ee3973dda825a51fb1ad84c2c7ecfee6106c8000 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b76054aa8228bb20620cace6d8d39509 |
| SHA1 | 3c1b7967356dd998c7831032cc3a74f7b2a489b4 |
| SHA256 | c94991e43dc24b17e254d862515463d519ef8a6c9f9de896a3acdb943db90133 |
| SHA512 | 1813a8dd3b6879cebd2e453b88c7141d41359922f3f2ceca836e5b24cccb1c4597a981682e7c78be5277a91f731e55930ad21b9bdf321747cd72ec768881f922 |
C:\MintNA\bodaloc.exe
| MD5 | 804af8f9cebf35646d8dfc9422112844 |
| SHA1 | e4a46592b2e5734f5f48b931e94cddb8e096703d |
| SHA256 | a69f2713b681b2dba2797156f8280c9986ed2cdd480bdd968ee948a490dfb7db |
| SHA512 | b163c77178a8103448ab6e34b89a90b5c3dbbb365baa5025f3fd9e7582b3fa49aec1be96d165102a8b219c6de8c05fcace73af33c4c9080e0ec7fbfc758cbe68 |