Analysis Overview
SHA256
68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c
Threat Level: Shows suspicious behavior
The file 68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:28
Reported
2024-11-13 14:30
Platform
win7-20241010-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\AdobeZ7\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZ7\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2Q\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeZ7\devbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe
"C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\AdobeZ7\devbodloc.exe
C:\AdobeZ7\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 46d69c17230b2a1021b9bb9fca5e9a68 |
| SHA1 | 5ed98857e675158c4097eb0c4fc78bbe691d62ce |
| SHA256 | c61c52523ef0e3f7920b691dc67d2705d8a41859618d08dccf1984f90a1e2ae7 |
| SHA512 | 0388983deba44317b2594157bbfc9aff207ff836639c21d980f2568ac981b13743d9752089423f937fbb8106bd64f59ae83f4864add8816eda7e903eef129e58 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | c270c50901188d7aeb8ba6f607d0e77e |
| SHA1 | 344535a99e4cdce89669af314c59f4388ac3c3d3 |
| SHA256 | e664d34ef849f18783a62e62d4f261482ff9bdff1b0000b4c632487d6801f53a |
| SHA512 | c24c5128c7e8a255f84f54e4742fa835befc20b525c0f8d6dd150eee11b1a80c545331bb3aa04fb83d7249cef9f274a39e0c87a009b472597d00469bab83f7e0 |
C:\AdobeZ7\devbodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 0c9500b679dea201aa4f250a3737d49d |
| SHA1 | c4e8d388a8e7e4db127c609e933bbf30e240cd29 |
| SHA256 | b4e0e4c89a39100d38f84ab3cc7d1deaf78b8a14c5fbc7b636a2edf777137c42 |
| SHA512 | afdbe8f273337a8baa93c21a5961ccef81953b0f577ee1b429b0eb068d7c5e8c1d1382fe20936e31ff75b4d606370b9bb4efe1b4d1e918786451a3160e4e15ba |
C:\KaVB2Q\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 71e327c9a79fe08b0540e42954b7710e |
| SHA1 | 61646e6fa2fccaca6715b4a276c0d9d380eea602 |
| SHA256 | 2439d39afeecfc5012ed5910ba62e60bcf486ee1ce865144c392667a113ad666 |
| SHA512 | 2f1e445220b0827f9093ed3e952d8e65e08c21b293246be4b58977e0ca8a3a6411827b3a96154f6f88d3b814bc0b82c2bcbfee5d5de3fabcfc65fccfab900713 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 07fd6d89f814b0a5f876a692e09010af |
| SHA1 | c7b084580a0345792d7e7e4574264ee3b138327a |
| SHA256 | 65122fb9f5260c3d8f37074601f5ebe2307d9eca328fff00734c0a74cd782ea7 |
| SHA512 | e8e532a5b2b8d09d8eb555f0479ceeb9842d5231de94a6926989962f177550b7ca179ee293ffdc0fe5fd7faedef7048c1b974430575ab7fc5b870f270c96ab12 |
C:\KaVB2Q\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | beb3d41877cbc089a63b912f8bb21886 |
| SHA1 | 293f7e02253967593d4cb09a7b4c6f8873d9afeb |
| SHA256 | cf8b7831600fb5068cca22c1967a7c6fca552483d16ec49b70f6528c06293398 |
| SHA512 | 2c3a193c3b5278953a9197902212261e52169bcf1e6ced9490e2178d5437376a57e07f184e8cf9211d686a8bc6342c68b371a0b0275100290c15388683583c4b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:28
Reported
2024-11-13 14:30
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\UserDotFI\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotFI\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintEL\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotFI\abodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe
"C:\Users\Admin\AppData\Local\Temp\68bf80a67dab7607db3fd1b774f4335626ea912b9ef1c4a1656c6b6bc9b1966c.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\UserDotFI\abodec.exe
C:\UserDotFI\abodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 2081b1ad846d57c4bc7dfdc1d10de77f |
| SHA1 | b10e5e9a3dca038c00069cf5fb01ef5cc0d9e5a7 |
| SHA256 | a75f74c5789c5db3c8802379d1820c5945740afcafbfa31896b8a6cffead6f5b |
| SHA512 | 4b15d05527816b6dbdd84f675bc856b90649728ca10692a361993bc4e5cd0d4eb771d630c530ce4c042aec8d51da1d166e520c3ffca8b1932bd3c35538274f16 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 35754ea1ccc35b47f915cc69f2a4f8ce |
| SHA1 | e7c02139f967244e8bfb02de3156381b451d9373 |
| SHA256 | 0b65474316d5474035824edf8ab75206549a8ce1a2da67283d0db221af25c7b0 |
| SHA512 | 1be351b9c6a97c622b87f562d596abd68179fbf54862f13349285aa0a504be167f2c82d03edb5459ab6dfb263fff3d19db7b3d58d72211dd56036c2037c4ea84 |
C:\UserDotFI\abodec.exe
| Hash | Value |
| --- | --- |
| MD5 | fdf0774222ac8067bfdba870e0641911 |
| SHA1 | 9302eb6368c7d4e0df99a1f08e628e8da3ae5f1e |
| SHA256 | 9b1731febcc613b380c82a8ecea26593109b803bbc667f71f420682b58c049b0 |
| SHA512 | a4b8e1973aa43ff479bf29c2ccf2d6b9f125c525b138742eb2e3218dcfa054188774f4067185746576dd238aa4c5820a8f053272c5aab059f2376b9dc21bd6f6 |
C:\MintEL\dobaec.exe
| Hash | Value |
| --- | --- |
| MD5 | e22b275fa23143f8bc7cfc125ba6ed9b |
| SHA1 | 64f6b239016114c66e7c7742e360130dac3de191 |
| SHA256 | 3c42ec79a1ab20c08118c41e4069f22951e04fd0bed059f267ae318ec9212439 |
| SHA512 | b53b6ef5a005a2665dfed5da04953028bded19ff292dfe8f89e7ce7a02ad5e88aa38a07b5663fb6529da742ba5bc2bc39c2667ca01baedd732b6897ed7cb509d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 51de5397bf0ac127cf9ed03108960081 |
| SHA1 | fe1065ed977c363a4427745cc92411e89869b6ce |
| SHA256 | c28c8b7e060126f126fdc4362146ee7136899e1477a6b936f927461973d0f129 |
| SHA512 | 057dbf0d3b0c7d2becbbcf340e485192b54e669eb358ad8f88c59d07095c5167333188ed6fa94db4f606ac0c9ddbc4a3d89bdfec40ea07e44ffc2fbfe1d7f279 |
C:\MintEL\dobaec.exe
| Hash | Value |
| --- | --- |
| MD5 | b54af1867dc07fc22e0fac6277034bb2 |
| SHA1 | aa01dc1e13e7be6b3768fca1b93d627be8452a2d |
| SHA256 | d9fcc32ec9ab719995088b98d7dcf15f9688e9ad0e5040aa9924a538cc47f497 |
| SHA512 | 97618de7cb9622ce499080ea59c5091292f16976345511572b52a70de82f48e8615dc869ad553aa53361f0841e445881e48047dae3d908d62a8d0cbaed387275 |