Analysis Overview
SHA256
37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fd
Threat Level: Shows suspicious behavior
The file 37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:21
Reported
2024-11-12 17:23
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\UserDotP9\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ5X\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP9\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotP9\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
"C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\UserDotP9\abodsys.exe
C:\UserDotP9\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | 614eaac69bc41b294053e961d96313dd |
| SHA1 | dc6d2b566aedec298dbfddb10979fe0416ef3f99 |
| SHA256 | 6d6ee43c9df9b4aa3347288c70c407cad212fa0a352c3b5135c55bf7319a0c98 |
| SHA512 | df6b5e67b6c58dbe816bb6a16c9483b75de664cfa13d511a65220a5eb94e8a11c221ecbb129f6ae769198cdca4c31937a327fb1ad17609e8342674d7a7a6c3a6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d80242a6d0cc762c772f318ff98349f1 |
| SHA1 | 9df217006351cfed82dda72dbc3ead378a702f3f |
| SHA256 | 7bf6baf7cd44036733bca4345690bffdf7376820eaa584f10ff9cb3a63eb012e |
| SHA512 | ca196965c2e5d41d359373616c613acbbe58d916b461e5e319d3f6ba9a2eff565ed8b93632543f188d0122d0c146f7906a56dd6275ff493ec5e4cdbb3c113729 |
C:\UserDotP9\abodsys.exe
| MD5 | ddad73d4f787cbe13851c57d7a2663ae |
| SHA1 | 4693ea6d94291931689c00ebd0422d1c6f9e1f53 |
| SHA256 | 4d9ede245de0fa7ea57778c194459f5a39026345ffb54b34e00fd606214f6efc |
| SHA512 | 191eadff506e35b7332ae3782980437c9493164ce3db27e25b0efccef02f9af96f2ba3a96da7532245ac7a47179ae590e5240c2a06f19eec30f0235ce79aa8ab |
C:\UserDotP9\abodsys.exe
| MD5 | 3ba2532580d2105902edf083b6b2178e |
| SHA1 | 824ced5b0b07032eeccdf667f6c9a749f9333b82 |
| SHA256 | 86ba3a13727fdd5ba440a24e6a0be5a2f7610c4321250735ddbb983111d7a838 |
| SHA512 | e743f792d03f990e606b529e2446639f4da1e19924833b1ef3681fdc11d3b187a251f4c58030fff414983a16cc00481d6fdcc50bd55764b3683dd4e2ff39c2e9 |
C:\LabZ5X\dobaec.exe
| MD5 | 9f4b35a8e79763d5578ece23932a3d5a |
| SHA1 | d45f4d694be4a60d086d51aae2749eb693ae4258 |
| SHA256 | fefa4f502dc77965a08d08b5f3f697676961b5e49eb4cfc8f161adf1d285eaba |
| SHA512 | 0858ff6a6b7a9bac788b4c126b4a9c49c3ac896f461e78d2a8788179611daf953d4cf8ddc48ed39aa5900c42141207efc5537b67161a0057ad51a69691e63abe |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5e8c6852aef7b24c6637a93fde3d1853 |
| SHA1 | 6e71716a507fe0ea32e3f99c611fe6c2abd4bd65 |
| SHA256 | 91f9c37d193c5ad0290938426b3ac55ed8f1ba7657732df6afd83e9b5bb2fb46 |
| SHA512 | 0059625dcaa79a6f306ea823508b2c6f288c48ac32e69c040ced556fd0e831bfbd46942cb09c2e738cbd4f21c4e754bca96faee26c66765151b09ac2586cc950 |
C:\LabZ5X\dobaec.exe
| MD5 | e2b449e9e6520c0d9a0edd5f1786873d |
| SHA1 | 350f842d607fcd9aa6a780c15ad5eda1f2afc941 |
| SHA256 | 7bf4323843d7d4136165fe8b7d99511613f1f64a1a0da0259824e9e8846c3fc6 |
| SHA512 | d6d929fd9b18a2fac312105de50c1c12f59ae5812eed3a0a7fe8f087872ca41769367bf5a178cd8af66963de9c31177c00ce44c076d4897b86e968a6ec146f97 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:21
Reported
2024-11-12 17:23
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\FilesOI\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOI\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBR8\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesOI\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe
"C:\Users\Admin\AppData\Local\Temp\37ef92cf4a975bb676fa6016c4e714b3f22d2cc0a2bf6f720ad2bc21c11841fdN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\FilesOI\adobloc.exe
C:\FilesOI\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | 4482bd1d66ece96f6ca1219b0aeba55e |
| SHA1 | f4f72da58a1629dd21b684ef1cba102ac3428d9f |
| SHA256 | 2f1f7808701c24a72ce5ccd0505896509cc7217ac5da44b8a0bf0efff2185455 |
| SHA512 | 8b17e32675f01a374b6ed21f0ccca39172b173f1db021559cf7b7e9d9e60750045c0b5e40ebcb567e5d82dcd43005f4cdd5d0b98dd3c7b3d6e14af7fbc94ae50 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6379803b6c7947d428bb7b3f0d77cdf5 |
| SHA1 | 0b6eb8f10afc95a812f2ca9b7cf67dd7dcf7e110 |
| SHA256 | f894f00eb30d5552e5d07250152894dffce784096c243d2cea16f80234772045 |
| SHA512 | d540f1dd1d1e0635b1abe6651390a7b873884e7cd601a3af3faf3fc3317063a9018cb93c133ac5bd77a6971186a70764a577f06098d81148bfc14d4b503bbc33 |
C:\FilesOI\adobloc.exe
| MD5 | 0d80c026ff7217667d1758553c9b1b94 |
| SHA1 | 14d1f220d41220a37e1c0a894bbcc390e238adac |
| SHA256 | 3e19dbc8a98353863030300221ed12d9467946007da720ddec917a2b170c54b8 |
| SHA512 | 5668dc066d36fdac6fc594b3bd11041af417aa62285919777cfb3602fe018599d010c464467465c525804c7e0b501ae6ee2fc1bec049267f5e18bb39d0aae82a |
C:\KaVBR8\boddevec.exe
| MD5 | 2a2e03531d8a9adcd30bac9865e90388 |
| SHA1 | 20e18ab441b57953aff6fe2db3652a43ac17b3d0 |
| SHA256 | ab5d5ff420bc351cf77b49ee8eb6cfa815bddfe0ad8bfbd4270cab194588dfe8 |
| SHA512 | ee7d59ee9f6d0d8348254581998fd6da0bc9a5aabf9583b0b386a34efea57340bc48681d77d27cea07142b173e0977d3cd9cabbb6d3f13c06ed5558deb802f15 |
\FilesOI\adobloc.exe
| MD5 | 1cdbef1077540e31855151dd38884ade |
| SHA1 | 085dc85aa80590c63e538176424493eaf388cddf |
| SHA256 | c065420606b281cb1001dc7e5ef19062b4d43ddc83fc2e3bb7ab13bb7febfe56 |
| SHA512 | 38e9f888d3e356443b5d8c65bfc4031017f55230b26a9f0cc02870626f2062fccf6c36c6d16128181c9f9fb6afceab8641a4a6efedb70bd77843b32203b2b1f4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 11914196df9e2415a5cb2585e340c77a |
| SHA1 | 8bb5a29e362e6b04922b61842cb8dc18c258bf01 |
| SHA256 | 6ce17b0ad5ce838b37e65df833f3d652b2f64a9b1706e8e66072790f7772209c |
| SHA512 | 198d860cea18cc2f90e7c52f64308d8016ef249108f5a7f51feecf8ee51b4961e12792e953d9532b0ff694debac5aa4ca98d03b053213cf3b0f8e222954f5ed3 |
C:\KaVBR8\boddevec.exe
| MD5 | fdd12b5bcf5418f38e20f4d111d0156b |
| SHA1 | 20b668176d325aa3418f35846f50d85d71f0fecc |
| SHA256 | d116ca6dec6255354b4eebe606e1d493fff41a32832f0cc2f018e78e30fcd612 |
| SHA512 | a530ae673933eb717d93b0c177bebfd415bbc4f05624b45cc7a13029d9ce09c6df4b5616f0b0b319464150fa2eb44d08692ec058de40c84e9b3d56587b2be49c |