Analysis Overview
SHA256: 8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac
Threat Level: Shows suspicious behavior
The file 8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 14:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 14:29
Reported: 2024-11-13 14:31
Platform: win7-20241023-en
Max time kernel: 119s
Max time network: 119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\AdobePE\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePE\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP7\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobePE\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe | "C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe" |
| C:\AdobePE\abodec.exe | C:\AdobePE\abodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobePE\abodec.exe
C:\MintP7\bodxsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintP7\bodxsys.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 14:29
Reported: 2024-11-13 14:31
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\UserDotSG\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotSG\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZC2\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotSG\abodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe | "C:\Users\Admin\AppData\Local\Temp\8f986c813cabfd3f828548b42676a95d8a321fc00d70e1de2728ee79b9528cac.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\UserDotSG\abodsys.exe | C:\UserDotSG\abodsys.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotSG\abodsys.exe
C:\UserDotSG\abodsys.exe
C:\LabZC2\optiaec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZC2\optiaec.exe