Analysis Overview
SHA256
e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499
Threat Level: Shows suspicious behavior
The file e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:09
Reported
2024-11-13 14:11
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\UserDotYY\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotYY\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintG6\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotYY\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
"C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\UserDotYY\devdobloc.exe
C:\UserDotYY\devdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | 0d58208ef1afaff6539c942e568065ea |
| SHA1 | cf7894489ee188e4d540ccf18b73b20cb001d023 |
| SHA256 | d8385d0294f6c3ba43eb70245bb6236699e3c054bd7bf34bb9f422fb32f62af8 |
| SHA512 | d7e2a3c9c14dc44e61b6d1827526c61e3f4491f8aed00d6feb6101225d2d5b2a11ba6980d8554aa0f5d8a7d3fe3a024ae6208fe3092b74e3391845b1577a8dca |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a7af81c20cb6dfc1dc359a0254481e4a |
| SHA1 | 42ee04dbe4a724959f3bd69e9accee067f01603b |
| SHA256 | ae37b33824605125f038774b1ea27af9be33c28e118187e9efa3abe68f998c62 |
| SHA512 | 16b8d13c51088b0ef97a7a387adfb242bdf2a3ed4e8e9755cf81ecae5bf5bf59902500d9a342ac206b7de43486ba68a4fba554667ee8b6841769674044bf140e |
C:\UserDotYY\devdobloc.exe
| MD5 | d89c526b4dc4d164f53bd773ba009719 |
| SHA1 | 968593667fc3a788eec54d65f4e5d7923a69f85f |
| SHA256 | 29b544bc3111379791cf0f4b5b6b76c96efe2f46c92e4869addd559c04405be6 |
| SHA512 | 70f6f9edff438b7a0a456a6c2955a8c9338b26d9100f7fe9877f0209fbb5ca2d8025954ceb6067efacf4dbbd40decdd75482c46b1c1d73f7e9718c9f81d4918f |
C:\MintG6\dobdevloc.exe
| MD5 | d073526555fc343042200ec442ae4b50 |
| SHA1 | 798bdebc02614ba49e9f735feb2779b195db043f |
| SHA256 | 924b00269737567250da884aad697302dcf6c51bdbb7408759e7b476b20ee1a0 |
| SHA512 | 1dbeef5a673f34363f24e2b08172cdd807674843509456ea740de5b9f31ed3ffdcfab796bc6dfbb6718b8ba9e505e8d01d3d9fe30c418cd6bb57e800aca4a80c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 419ca0b481a284c850d01f46dc93ebe0 |
| SHA1 | c5ee9ba4e5bedab1ef19433b806da71cd693110b |
| SHA256 | 37d6f4972e355e1891eb10b8e8da4f1399b7c14beb63ed43ef4295fd967dc8aa |
| SHA512 | 703ce544d73b1d141585cdaa6e7a0093abe7220a31eb77dc48b8fec79843dacd80e280b2d5cd1e9ed4c2b769d257692ba6117582c44db0ea34eab6b262add9c3 |
C:\MintG6\dobdevloc.exe
| MD5 | eca5ea25f6a32a95c09d2d11f140c43b |
| SHA1 | fc7c4ffc46b345747cc079073a62c80c129f2442 |
| SHA256 | 7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17 |
| SHA512 | 27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:09
Reported
2024-11-13 14:11
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\IntelprocEO\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR0\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEO\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe | N/A |
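The persistence rows of both detonations use the same value name (Parametr) under both Run and RunOnce, but the target directories change from run to run (C:\UserDotYY and C:\MintG6 on win7, C:\IntelprocEO and C:\VidR0 on win10), and the Files sections list several of those dropped paths twice with different hashes. Paths and hashes taken from a single run are therefore weak indicators; what carries over is the value name, the Run/RunOnce placement, the Startup-folder drop, and the habit of writing the payload into a freshly created directory directly under C:\. The Python below is an added example, not part of the sandbox report or of the sample, that parses the "Drops startup file" and "Adds Run key" indicator strings exactly as printed above (collapsing the doubled backslashes the report uses inside registry data) and flags those stable traits. The EXPECTED_ROOT_DIRS allow-list is an assumption chosen for this example, and the two input lists are the report's rows copied into the script.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator strings copied from the "Drops startup file" and "Adds Run key to
# start application" tables of both detonations (constructed input for this example).
STARTUP_DROPS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe",
]
RUN_ROWS = [
    r'\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotYY\\devdobloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintG6\\dobdevloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR0\\bodaloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEO\\aoptiec.exe"',
]

# Assumption for this example: directories directly under the drive root where a
# legitimate autostart target normally lives. Anything else at that level
# (C:\UserDotYY, C:\MintG6, C:\IntelprocEO, C:\VidR0, ...) deserves a look.
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}

# One "Set value (str)" row: hive, user SID, Run or RunOnce key, value name, quoted data.
_RUN_ROW = re.compile(
    r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\"
    r"software\\microsoft\\windows\\currentversion\\(?P<key>run(?:once)?)\\"
    r'(?P<name>[^\\]+) = "(?P<data>.*)"$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RunEntry:
    sid: str      # user SID the key lives under
    key: str      # "run" or "runonce", lowercased
    name: str     # value name exactly as the sample wrote it
    target: str   # path with the report's doubled backslashes collapsed


def parse_run_row(row: str) -> RunEntry:
    """Turn one indicator string from the report into a structured entry."""
    m = _RUN_ROW.match(row)
    if not m:
        raise ValueError(f"unrecognised Run-key indicator: {row!r}")
    target = m.group("data").replace("\\\\", "\\")
    return RunEntry(m.group("sid"), m.group("key").lower(), m.group("name"), target)


def root_dir(path: str) -> str | None:
    """First directory below the drive root (the 'UserDotYY' in C:\\UserDotYY\\devdobloc.exe)."""
    parts = path.split("\\")
    if len(parts) < 3 or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return None
    return parts[1]


def in_unexpected_root_dir(path: str) -> bool:
    """True when the target sits in a non-standard directory right under the drive root."""
    d = root_dir(path)
    return d is not None and d.lower() not in EXPECTED_ROOT_DIRS


def in_startup_folder(path: str) -> bool:
    """True for files written into the per-user Start Menu Startup folder."""
    return "\\microsoft\\windows\\start menu\\programs\\startup\\" in path.lower()


def stable_across_runs(entries: list[RunEntry]) -> set[tuple[str, str]]:
    """(key, value-name) pairs present under every user SID seen in the input."""
    per_sid: dict[str, set[tuple[str, str]]] = {}
    for e in entries:
        per_sid.setdefault(e.sid, set()).add((e.key, e.name))
    return set.intersection(*per_sid.values()) if per_sid else set()


def shared_targets(entries: list[RunEntry]) -> set[str]:
    """Target paths present under every user SID; empty when the sample randomises them."""
    per_sid: dict[str, set[str]] = {}
    for e in entries:
        per_sid.setdefault(e.sid, set()).add(e.target.lower())
    return set.intersection(*per_sid.values()) if per_sid else set()


if __name__ == "__main__":
    entries = [parse_run_row(r) for r in RUN_ROWS]
    for e in entries:
        verdict = "SUSPICIOUS" if in_unexpected_root_dir(e.target) else "ok"
        print(f"...{e.sid[-4:]}  {e.key:<8} {e.name:<9} {e.target:<32} {verdict}")
    for p in STARTUP_DROPS:
        print("startup drop:", p, "->", in_startup_folder(p))
    print("stable (key, name) pairs across runs:", stable_across_runs(entries))
    print("targets shared across runs:", shared_targets(entries) or "none")
```

Running it prints every Run/RunOnce target as SUSPICIOUS, both Startup drops as True, the pair set {("run", "Parametr"), ("runonce", "Parametr")} as stable, and no shared target paths, which is the concrete reason to hunt on the value name and the locations rather than on the per-run file names.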
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocEO\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe
"C:\Users\Admin\AppData\Local\Temp\e5ce1d33da2a4e6b14b2e56dca44ac5eb978ad17b0018f730b8ddc4fda992499.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\IntelprocEO\aoptiec.exe
C:\IntelprocEO\aoptiec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
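Only the win10 detonation produced network activity, and all of it is reverse (PTR) lookups sent to 8.8.8.8:53. The report does not attribute these lookups to a process in the tree, and no connection to any of the resolved addresses follows them, so treat the addresses as leads to verify against the process tree and a second detonation rather than as confirmed C2. The Python below is an added example, not part of the sandbox report, that turns the in-addr.arpa names back into forward addresses (and, going beyond the page, handles ip6.arpa names the same way) and checks that nothing other than resolver traffic was recorded; NETWORK_ROWS is the table above copied into the script.

```python
import ipaddress

# Network rows from the behavioral2 detonation above (constructed input for this example):
# (country, destination, domain, protocol), exactly as the report lists them.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "4.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "19.229.111.52.in-addr.arpa", "udp"),
]

RESOLVER = "8.8.8.8:53"


def ptr_to_ip(name: str) -> str:
    """Recover the forward address from a reverse-lookup name.

    in-addr.arpa carries the four IPv4 octets reversed; ip6.arpa carries the
    32 IPv6 nibbles reversed. ipaddress validates the result and normalises
    the IPv6 text form.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:-2]))))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(reversed(labels[:-2]))
        groups = (nibbles[i:i + 4] for i in range(0, 32, 4))
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"not a reverse-lookup name: {name}")


def summarize_dns(rows):
    """Forward addresses that were looked up, and whether anything but resolver traffic was seen."""
    looked_up = [ptr_to_ip(domain) for _c, _dst, domain, _p in rows if domain.endswith(".arpa")]
    only_resolver = all(dst == RESOLVER and proto == "udp" for _c, dst, _d, proto in rows)
    return {"looked_up": looked_up, "only_resolver_traffic": only_resolver}


if __name__ == "__main__":
    summary = summarize_dns(NETWORK_ROWS)
    for ptr, ip in zip((r[2] for r in NETWORK_ROWS), summary["looked_up"]):
        print(f"{ptr:<34} -> {ip}")
    print("only DNS to the resolver observed:", summary["only_resolver_traffic"])
```

The forward addresses are what you pivot on (passive DNS, ownership, the other detonation's process tree); the only_resolver_traffic flag is the reminder that, within the 97 s of network time recorded here, the report shows no traffic to any of them.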
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | 9da79e5abf6f685eeade3c8b008ab144 |
| SHA1 | 0a2fb053cf719271a1db789b37950aab10c730dd |
| SHA256 | be0546b5e970545604633720785db9ce9a1d5bc8e7b4edfb13ea0daba3485694 |
| SHA512 | 376c3883f67e2649c9508dd5b5130d3e0bf3ce0fc6f088b41bc5f68c93e14aac4bb6ffcaca91c5a4d22b7f9434d0296cb9d8b98d3b725670243fffc58c78ddba |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 54b3f6e9cca19a5852516703391596b6 |
| SHA1 | c815af9a7af8799cef3e7e92c5a25b3c7b019056 |
| SHA256 | 27b4d1977ae0dabd01b4ff34871cc939819e019d0a23fc8f1f39d7d3453a3cfd |
| SHA512 | 68e356dd620b3efef0f69ec0438cde28193358eee04ece30bccbbe2a0f454d50d3a91448bec5596bd43cdf0b6662ed70afa4274850a770f707542db09c6b8659 |
C:\IntelprocEO\aoptiec.exe
| MD5 | 6ce45a97733bbe6763252b964cc91f79 |
| SHA1 | b00dd2850e7884d3105487877c1a421c303673c0 |
| SHA256 | 9c1f967816fdc708bba981ec90558960bcce292a6e74ad899f4e761861689777 |
| SHA512 | 8aaddc0217002cf114b6285dfba1e2117774be73fe08622baed49519255022202c99d6067270006f1453567c5b714d79d35cac8894ef9db187eaa23acc322b96 |
C:\VidR0\bodaloc.exe
| MD5 | 67167edbe9379130277de18ea74d6170 |
| SHA1 | 47f2289285c3c35ff15c60a923d76b904c23bc7e |
| SHA256 | 369a0a7a5e2c74b99c51b43fb0dd9cb7f0cdfc2fc67e35c0065aea29d128418a |
| SHA512 | 97e043ec6602bcae6d1a0727e5cdb3ae219c4918b569b2c92ce1b04c95d21fe8fa607ed1bffb9544de4a7e88effe1e4b9a3bfee061068712635c713c54ca0763 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c1613dea6b42b88fa54d1db6e7a50a31 |
| SHA1 | f5db89ab9f3168dc6630e16e523dde738bf48b4d |
| SHA256 | 1e28fbdae9405765d611a311c9b491f591256a245e062e401ba2abed6e5f6ac5 |
| SHA512 | ebe743b30df05a4928e42d2e01bd0981b121eec4e743fdef531fc32b9cb370beb1e2b1a869778cfae71dfcae8e0cedf6dd36d09e5d8788eefe01362cf0eb5cf4 |
C:\VidR0\bodaloc.exe
| MD5 | 9a3ebce8a284ff6bb17819c4d73f8313 |
| SHA1 | e287bb2909283ab208c3d36444f0076bda6f9660 |
| SHA256 | 388546c781f83af433a03a0a0fac9d19929747bf07b6b53d3a07da283595942e |
| SHA512 | 21456977e3a5941d71228843cccc3e19f3e4d93033a8c6c7d0ca786f4a972f1bba5b7a7b89ed006b6baea8841b5e2b3c5b14d17da1f34ccf8acf81235894356f |