Analysis Overview
SHA256
0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec
Threat Level: Shows suspicious behavior
The file 0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:45
Reported
2024-11-13 18:47
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\Intelproc3B\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc3B\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0H\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc3B\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe | "C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe" |
| C:\Intelproc3B\xbodloc.exe | C:\Intelproc3B\xbodloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | e20c791401ab3b66838c9db96535b0b1 |
| SHA1 | ba2782e73bcb15cc75873914d323c4fa3146c409 |
| SHA256 | 8e418f975b27387b2f75738ecdf8b44b314329feb1cbf32f49a340cf09206ba1 |
| SHA512 | c97f9425b63aeeade6044e413487ae09c47c8d47d0378e77b0d96a687d7bd76d48447ebf464d2984ef644bd9b7b376909b263a8153389e2e70770a1ee5dc19e9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d48c596fa54eb425ed8987b79651f9f8 |
| SHA1 | 4d883e2b4fa75bd9bb927e9b1769f4d5a380f1b7 |
| SHA256 | 9d489d3044656eb4cdb02f86481bbe4d0aaef20e3ff0238488b181a900ac164f |
| SHA512 | bef0145845fb7ae24aa20843cc870a8ab2bcd1c51b514b8628f63c332a82e58dff4cd7cb3b16783e37a82b34188cbf9ead97e8a3daf0859984580795c9119993 |
C:\Intelproc3B\xbodloc.exe
| MD5 | 4ee91af88fc96d6e372613774ea98a8b |
| SHA1 | 7ee85fdf2037ebc8cc721fd21436af1b3aa761a1 |
| SHA256 | b314f0b320a4cbf617fc507d930e9472fd26caa7d1ab832f1b3275f8952abebd |
| SHA512 | fde98825161db99bddc3241014b40f6cc4cd155d475f91f96918ee0392c1dd1de28780094bf0c5a11c9689b6e536af7a79a1f99596da1eaebff50424c7184365 |
C:\KaVB0H\dobaec.exe
| MD5 | f6fb24ee2e4065736a019d405cebbcd4 |
| SHA1 | da060b1e1bbdc563bcff7a6b9ababf87beb191c1 |
| SHA256 | cb0083369390fa783eb36ddf66f758b1839f6013bd244450e04d23dc9ebfc810 |
| SHA512 | 66fcd8fed42d41b6073b1b8899fe617cf5054e2ccb15202c058b2cb44234cc8ff507ffdcf7fdbf32252cbcb582446b34f128433d4bf31a72e482bfcb3d364125 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e7bb5564e2e41082f647dd9333c3018b |
| SHA1 | 8b4774da638aaa51570f791db94767011de5548d |
| SHA256 | 3ee1ddc6b8d28f667bd602518702a5065f74d7a2ce3c9af08dd9d2aec7b1f7a2 |
| SHA512 | 637cd0885081e3627c21f4445a8946e38024fcbca8db03a41827976366fd6585fd237d7b6bc32de534e6daec70f0740b2b07777898d1944993b697d83b36d1a6 |
C:\KaVB0H\dobaec.exe
| MD5 | bed33c4e383aff3036d1dabd9ddf04ae |
| SHA1 | a0946792d504e2f5766f8d61d3d79d046d925574 |
| SHA256 | 29643127c5b757075f532d2167f1a3101cc0e509573a1a7a7775122093c70d05 |
| SHA512 | 4814313c2b5bd8fddc0b8aa69deb1342e57dcca6eb6f8373bbd5fea95ac63cb583bb1151f71c8d210f30d93f44dad93c8cb3a82f253f5e165fbf183411b584f6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 18:45
Reported
2024-11-13 18:47
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\AdobeP5\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2E\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeP5\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe | N/A |
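The Run, RunOnce and Startup-folder rows in the behavioral1 and behavioral2 signature tables share one shape: the sample, executing from %TEMP%, registers executables it dropped into freshly created root-level directories (C:\Intelproc3B\, C:\KaVB0H\, C:\AdobeP5\, C:\KaVB2E\) under a value named Parametr, and also copies a second executable into the per-user Startup folder. The following Python is an added example, not part of the sandbox report or of the sample, that encodes those heuristics as a check over indicator rows in the report's own format. The six rows are copied from the tables in both behavioral analyses; the final Program Files row is a constructed benign control, and the allowlist of expected root directories is an assumption an analyst would tune per environment.

```python
import re

# Indicator rows copied from the behavioral1 and behavioral2 signature tables of
# this report: (description, indicator, writing process). Registry data keeps the
# doubled backslashes exactly as the sandbox printed them.
REPORT_ROWS = [
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe",
     r"C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc3B\\xbodloc.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0H\\dobaec.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe"),
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe",
     r"C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2E\\optixloc.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeP5\\abodloc.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe"),
    # Constructed benign control row (not from the report): an installer in
    # Program Files registering its own updater. It must not be flagged.
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Program Files\\Vendor\\updater.exe"',
     r"C:\Program Files\Vendor\setup.exe"),
]

# Matches a Run/RunOnce value write in the sandbox's "<key path>\<name> = "<data>"" form.
RUN_KEY_RE = re.compile(
    r'\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\=]+?)\s*=\s*"(?P<data>.*)"\s*$',
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Assumed allowlist: top-level directories where autostart targets normally live.
# A target directly under any other root directory (C:\Intelproc3B\, ...) is unusual.
EXPECTED_ROOTS = {"program files", "program files (x86)", "windows", "programdata", "users"}


def unusual_root(path):
    """True if the first directory under the drive root is not a standard Windows root."""
    parts = path.split("\\")
    return len(parts) > 1 and parts[0].endswith(":") and parts[1].lower() not in EXPECTED_ROOTS


def classify_rows(rows):
    """Return one finding per row that matches an autostart heuristic."""
    findings = []
    for desc, indicator, process in rows:
        if desc == "File created" and STARTUP_DIR_RE.search(indicator):
            findings.append({"technique": "startup_folder_drop",
                             "target": indicator, "process": process})
            continue
        m = RUN_KEY_RE.search(indicator)
        if desc.startswith("Set value") and m:
            # Undo the sandbox's backslash doubling in the value data.
            data = m.group("data").replace("\\\\", "\\")
            reasons = []
            if TEMP_DIR_RE.search(process):
                reasons.append("writer runs from %TEMP%")
            if unusual_root(data):
                reasons.append("target in non-standard root directory")
            if reasons:
                findings.append({"technique": m.group("key").lower() + "_key",
                                 "value_name": m.group("name"), "target": data,
                                 "process": process, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in classify_rows(REPORT_ROWS):
        print(f["technique"], f.get("value_name", ""), f["target"], "; ".join(f.get("reasons", [])))
```

Both heuristics fire on every sample row (the writer lives in %TEMP% and every target sits in a random-looking root directory), while the control row is ignored because its target is under Program Files and its writer is not in %TEMP%. The same two checks are what to hunt for on endpoints: Run/RunOnce values written by a process in %TEMP%, and any executable landing in a user's Startup folder.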
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeP5\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe | "C:\Users\Admin\AppData\Local\Temp\0848eadd643a3feca5f28fb5a130b04cb97557fe96286f956ca358b6a44495ec.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe" |
| C:\AdobeP5\abodloc.exe | C:\AdobeP5\abodloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
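Every row in this Network table is a PTR (reverse-DNS) query sent to 8.8.8.8; the table carries no process attribution and records no forward lookup of a hostname. The following Python is an added example, not part of the sandbox report, that turns the in-addr.arpa names back into the IPv4 addresses they ask about and groups them by /8 so they can be checked against an analyst's own allowlists. The query names are copied from the table above; the /8 grouping is an arbitrary choice for a first look.

```python
import ipaddress

# PTR query names copied from the behavioral2 Network table of this report.
PTR_QUERIES = [
    "8.8.8.8.in-addr.arpa",
    "88.210.23.2.in-addr.arpa",
    "209.205.72.20.in-addr.arpa",
    "0.159.190.20.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "58.55.71.13.in-addr.arpa",
    "50.23.12.20.in-addr.arpa",
    "171.39.242.20.in-addr.arpa",
    "73.190.18.2.in-addr.arpa",
    "83.210.23.2.in-addr.arpa",
    "43.229.111.52.in-addr.arpa",
]

SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """Reverse the four octet labels of an IPv4 PTR name back into dotted-quad form."""
    if not name.lower().endswith(SUFFIX):
        raise ValueError("not an IPv4 reverse-DNS name: " + name)
    labels = name[: -len(SUFFIX)].split(".")
    if len(labels) != 4:
        raise ValueError("expected four octet labels: " + name)
    # ipaddress validates each octet and normalises the result.
    return str(ipaddress.IPv4Address(".".join(reversed(labels))))


def queried_addresses(names):
    """All addresses asked about, in table order."""
    return [ptr_name_to_ip(n) for n in names]


def count_by_prefix(ips, prefixlen=8):
    """Count addresses per network of the given prefix length."""
    counts = {}
    for ip in ips:
        net = str(ipaddress.ip_network(ip + "/" + str(prefixlen), strict=False))
        counts[net] = counts.get(net, 0) + 1
    return counts


if __name__ == "__main__":
    ips = queried_addresses(PTR_QUERIES)
    for name, ip in zip(PTR_QUERIES, ips):
        print(name, "->", ip, "(global)" if ipaddress.IPv4Address(ip).is_global else "(not global)")
    print(count_by_prefix(ips))
```

The output is a list of addresses that something on the VM asked the resolver about during the 95 s network window, which is weaker evidence than a connection: without the querying process, and with no forward lookup or connection attempt recorded for the sample's own processes, treat these as candidates to check against known infrastructure rather than as indicators of the sample's command and control.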
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 3ec685ba6622138debabfcc8900924ed |
| SHA1 | fe767b39ad096e9e2decac70d6709b8a1d3b3334 |
| SHA256 | ca39384d4ccfda92efe9a7075e9fba1b72891a429dc1148a09670d3f3f2c7f50 |
| SHA512 | 1053478de2090ca53ca72b5653c1251e40be24625a071d5e4bd151d89304a58c791615c9491636084167460b8611bbe4be986dff977811333a89e9ff8da66d28 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 743844481d85a48e71af935735d77f03 |
| SHA1 | 9c9caff60bb35d08ee70f357ad3593b65fab81ac |
| SHA256 | b26c97f5390eca8df690afb51048ceea0af3865aa5570b85a4158b9b1265d88f |
| SHA512 | 064ae4427da16603dd7f783cb5c9ddee6e8be547d6e8a90e0a8ba75d73d117f487fb89448266b6b4b562f122fd843cd1d3114b1a0fb9da66cbb5a3f878ddc3b9 |
C:\AdobeP5\abodloc.exe
| MD5 | f2e74635a390f8b102b84b8eb8dbde02 |
| SHA1 | 40a33344da13a421dc93fa351dccf18de6879ce7 |
| SHA256 | e854ca4a67fe503400ae2692266a09c51d9f86af21833aa3b687c3241a1a22a7 |
| SHA512 | 4d9a3fb94a03c7aa5bf270bc0fbbea53fef85f1f4b2042e4d900124d8a9fa865b99214bad1001fcd018445af4df29bd874f64c7352ec1a1ee7d7e09e3153188a |
C:\KaVB2E\optixloc.exe
| MD5 | 5fec303eff8486247a822a375ae48531 |
| SHA1 | ee24dc040222cee0523f09e89e350df2b321c331 |
| SHA256 | 2f86785f4aa21615ddfc323da9a1cee112a6bc2625029f45a8f52c78dedca5d8 |
| SHA512 | 81fdd5e46041cebcee685922d76f3c87d0479a8e8ba80dc4e847448974b5e12f1dbd1f844d04f72aefddd35524898a4b4519329925e8ec32e42e366f44a742c0 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 2dd47d6228a06d0390ce5cb07e98777d |
| SHA1 | e5703e710f9cf0d2a0ef595b98a58b73c5cc2e85 |
| SHA256 | a97357a86d4986aada6b910f3479e8ef81a8eb89b019c632e1358390d02cd6b1 |
| SHA512 | 37440a54ed9da3992ad8eb067c01f7e29898948320d6557215fb5074b0db6b702bdc67b3752c79b979614bfa165e39172321d072bec36656f70918eb1f79796e |
C:\KaVB2E\optixloc.exe
| MD5 | e29053b8725cc8f5d74a859e7248a030 |
| SHA1 | b63b1cc998dc4e46b44354a5ea160d7650e08484 |
| SHA256 | 7b53321e3f51722d38086ac63ccdce3fdbb8766a4d856e096d3db55aa671f798 |
| SHA512 | 7e8b9a5ea3f4fc16b311c11bab2626a4c967ddad02675e41aba3950e815d117b844b8561372d7c51dbd46c90f4ffd0086c18d9a285634047137ea08621992892 |