Analysis Overview
SHA256
b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05
Threat Level: Shows suspicious behavior
The file b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:36
Reported
2024-11-13 14:38
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\FilesDS\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesDS\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFQ\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesDS\abodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe
"C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\FilesDS\abodsys.exe
C:\FilesDS\abodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesDS\abodsys.exe
C:\MintFQ\bodasys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:36
Reported
2024-11-13 14:38
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\AdobeQA\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXU\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQA\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeQA\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe
"C:\Users\Admin\AppData\Local\Temp\b05a60ffca46119027ad542494a5011f283045b10d3dd08f12c812b03547cb05.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\AdobeQA\xdobloc.exe
C:\AdobeQA\xdobloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeQA\xdobloc.exe
C:\LabZXU\boddevec.exe