Analysis Overview
SHA256
a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcda
Threat Level: Shows suspicious behavior
Verdict for a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:08
Reported
2024-11-13 19:10
Platform
win7-20241023-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\UserDotP4\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidY5\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP4\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotP4\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe
"C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\UserDotP4\devdobloc.exe
C:\UserDotP4\devdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 1804ad38581910b8d1c1769c81aa285b |
| SHA1 | 7d67ee26b40cb0b70c0d1f38e99110f009657d04 |
| SHA256 | 3af372d2a1c994adfc0441e8b721a0284df4404ab88a94fe75442afeeee22e8a |
| SHA512 | cdf3df9d429e1daa33f0c36217ca1d0681ebda45945b8da7e6b8cba4860de0c79e0d3da7c4364b8fab802c24475713d4393bb169ea9b1826feb32591d6dfd158 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0132ccabb3ddc88b100b8ccf59cfc51a |
| SHA1 | 4669e3df7fbe9c54b5db908d1425d66814fdc82d |
| SHA256 | bb922bea84ee591c8f1b370d71e3c360d42069c40c9f2d486362a5f2a7d966b1 |
| SHA512 | 6fe59dcd210e8c0245e6811f844f9dff7ad90975c8f7d59c444c145a4fbc51bcc1b3c3407a29f8fe1d75bcf8e053a38a01a2e8be985d8ce5930ec659b1739535 |
C:\UserDotP4\devdobloc.exe
| MD5 | 0b69841aec5e430048f5f59ee507aa78 |
| SHA1 | fc4a7640dee74696775a1c0d0d84e31dbd2714d3 |
| SHA256 | fa6ea77345d7ac36e8ba7b1ae6f05755a5741fcbcca6390a11e27fb22c35f182 |
| SHA512 | d234cb1559c4a1b4aec0942560598b00abca310685e0fb696dcaee70b91254fa9d484a85c55d149f051f1576b16c76f5d756faa42e241f5da22907b11a03293b |
C:\VidY5\bodasys.exe
| MD5 | 92e05ba3017090c77842fb48869867bc |
| SHA1 | 6daf02c129156f59bc6defa6b1f3a93c9e3e8df6 |
| SHA256 | 194123ee36bc4cba1627c299fdefa4997784b9500b613312e45794c77ac92b87 |
| SHA512 | 26dfc6a1ba28fc660b5ebe9ad0ba738c63153219c91b3eec80a3228467813965cc374edceb619f3c6bf17e6d8df54fe902958e15591873b3893d71ccb9cb020c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ecfc0c5ea341fed029444bcbc5d021b0 |
| SHA1 | 4a8413f3ff8620a61d5d6095850f52ae15c3adff |
| SHA256 | b4883f6a73e4f6dcb8d4b37407a2400d6e907a3d90421c9fe07bf6d9de1b7dc5 |
| SHA512 | 02d58f96b39367eb56085c3967319f44312213feac7a5d0dfcb82c314ba374d123c00f1debed22344d338fbd97c2fe077fe669ea43a7502bf3f05ed668ae3915 |
C:\VidY5\bodasys.exe
| MD5 | 85e1d0eeb44be97a55251c7a9114f0c5 |
| SHA1 | 30d04544df966f2ac1b5b7c4fe27c457ca61a778 |
| SHA256 | 1f9cb971dafe628bde602b336b4108dfee0b00aa901ce8ed0c24788c75c89198 |
| SHA512 | 9b3f646eb1b79bd99887fd08e50f62e9219a18e2736d8afc189f6a8d1640ba0da1d5ad95f2fea5eb274d259d77df8b2677de93c2e9097726a7e689e9eaa3155b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:08
Reported
2024-11-13 19:10
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\SysDrv49\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv49\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1W\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv49\adobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
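The two detonations above show the same persistence pattern on Windows 7 and Windows 10: a copy dropped into the per-user Startup folder plus Run and RunOnce values named `Parametr` that point at executables in freshly created directories under `C:\` (ATT&CK T1547.001, Registry Run Keys / Startup Folder), and each stage opening `NLS\Language` (T1614.001, System Language Discovery). The script below is an added example, not part of this report or of the sandbox's own signature engine. It parses rows in the report's `| Description | Indicator | Process | Target |` layout and turns them into triage findings, rating a Run/RunOnce target as high severity when it lives outside `Program Files` or `Windows`. The sample rows are copied from behavioral1 (with the process column shortened to a hypothetical `sample.exe`) plus one constructed benign row; the trusted-root heuristic is this example's assumption, not something the report states.

```python
"""Persistence triage over sandbox signature rows (added example, not report tooling).

Flags, from rows in the report's table layout:
  * Run / RunOnce values (T1547.001)  -> "high" unless the target is under a trusted root
  * files created in the Startup folder (T1547.001) -> "high"
  * opens of the NLS\\Language key (T1614.001) -> "info", discovery only
"""
import re
from dataclasses import dataclass
from typing import Iterator

RUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\=]+?)\s*=\s*\"(?P<data>.*)\"$",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
LANGUAGE_KEY_RE = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)
# Assumption for this example: autostart targets under these roots are treated as benign.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

# Constructed sample. Rows 1-4 are copied from behavioral1 above with the dropper's
# name shortened to the hypothetical sample.exe; row 5 is invented to exercise the
# trusted-root branch.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidY5\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP4\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotP4\devdobloc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Program Files\\Vendor\\updater.exe" | C:\Program Files\Vendor\setup.exe | N/A |
"""


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID
    kind: str       # registry_run | registry_runonce | startup_folder | language_check
    target: str     # persisted path, or the key that was touched
    process: str    # process that performed the action
    severity: str   # "high" or "info"


def _normalize_path(p: str) -> str:
    # REG_SZ data is rendered with doubled backslashes in the report; collapse them.
    return p.replace("\\\\", "\\").strip().strip('"')


def _is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def parse_rows(table_text: str) -> Iterator[tuple[str, str, str, str]]:
    """Yield (description, indicator, process, target) for each data row; skip the header."""
    for line in table_text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        yield cells[0], cells[1], cells[2], cells[3]


def triage(table_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for desc, indicator, process, _target in parse_rows(table_text):
        m = RUN_KEY_RE.search(indicator)
        if m and desc.lower().startswith("set value"):
            path = _normalize_path(m.group("data"))
            severity = "info" if _is_trusted(path) else "high"
            findings.append(Finding("T1547.001", f"registry_{m.group('key').lower()}",
                                    path, process, severity))
            continue
        if desc.lower() == "file created" and STARTUP_DIR_RE.search(indicator):
            findings.append(Finding("T1547.001", "startup_folder",
                                    _normalize_path(indicator), process, "high"))
            continue
        if desc.lower() == "key opened" and LANGUAGE_KEY_RE.search(indicator):
            findings.append(Finding("T1614.001", "language_check", indicator, process, "info"))
    return findings


def autostart_paths(findings: list[Finding]) -> set[str]:
    """Every high-severity autostart target: the paths to add to the IOC list."""
    return {f.target for f in findings if f.severity == "high"}


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.severity:4} {f.technique} {f.kind:17} {f.target}  <- {f.process}")
```

The `RunOnce` value is worth separate attention when hunting: it is deleted by Windows after it fires, so on a live host the `Run` value and the Startup-folder copy may be the only persistence still visible, while the `RunOnce` target (here `bodasys.exe` / `optidevec.exe`) survives only on disk and in the file hashes listed below.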
Processes
C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe
"C:\Users\Admin\AppData\Local\Temp\a1759adc3146f8e21f62615ecf1ef41cdbf13e7dfe8a281ffb3ff1cc9bd8dcdaN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\SysDrv49\adobsys.exe
C:\SysDrv49\adobsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | a100421fbb1b5e6786a9226a4214f505 |
| SHA1 | f98db0a03b1ab9917c0205bc11367f642a1b133e |
| SHA256 | 78ed2d35044f189e3892618cd67c957a73a6efc571d9b0813ca1b2931587751a |
| SHA512 | b1108633f13b9ca07f614f305dc2573f70d190bb0a083f176f138942515f4d57d26432e607b1ff7adc45bf9603b20e05377d9ebb872c3b780353e24047cbd395 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e12344059662b5dee0ac1ceaef36cf25 |
| SHA1 | 178e75c9fb5604e558c7d97e6e96748a11b8707f |
| SHA256 | 514cd15b3edfacab4ed87173a2b528dcb8471eafcf9d452c69ea199322f593b9 |
| SHA512 | 1ffef857d77636da5e2b595a2f6dd31bb8716dd9da6f3025b89534bea67136dd9d53767055be933688aaf729f8129c7799cae5803965177a456d5e8bcb477440 |
C:\SysDrv49\adobsys.exe
| MD5 | 23ba9b62ede998822d4fb33b90ce9c64 |
| SHA1 | d7d0e65d01ff744df9497d2f371ca3ab885f431d |
| SHA256 | d2dbff68963dc4d176ab193e281e0fcef16b22a8206a1e6da403d42d52f03aa5 |
| SHA512 | 5d7cc854a6e7f4492f34bfa7fa0aa3827452ef9b13114bd63d94e5e3ffb0973bac0721bc2404fbdc207492b609d3afb026c0871bb509a251aee6dc8571e352af |
C:\Galax1W\optidevec.exe
| MD5 | 33c3c9bfe4bae44362f071733397c114 |
| SHA1 | 15a0f1ceb7fe9311ba787e814a0150c944bac78f |
| SHA256 | cb6bb5451bb6eabb552859233951a21eb7660fae476f8551ea1a3f0c70b7f3ca |
| SHA512 | 514fcc5b94a5a2834bafaba5b3eb90ccad3e822448be327d420ab2f58de436d058798f979fa4abbbef034fc02d62edcccf4ee09bdc6004a8e967e74be1cd39c4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8475fd00d56ead8c45d8a06000eb592f |
| SHA1 | a539f695dc1513e08f9b85719b9f0b3dcb5f26df |
| SHA256 | afdb0799e0ae047ec8c9d0d867a288db0f114345cea00c5dd75429e0e41d3dad |
| SHA512 | e107e66745b2eb4e93c49ced0955c7ba1ce249198378af08eb8b00e3295c58f192a0015ac72033a1ee27a0474a329ea1c65f3f9caa60f1496b0a5e89ded75a10 |
C:\Galax1W\optidevec.exe
| MD5 | 3ea785eda0d5771099239846a971a265 |
| SHA1 | 0de7f1538a0078c60d386bcbed87c126b2d077a6 |
| SHA256 | 4d490ba6088113b8413a0fa5438b61322a49bb981f3d9d57937bdb2e3f632d43 |
| SHA512 | 71a84ba0caa5d0b152afd50dc40c92022e117eb456636f8c524428535c14e81389d7fcbfe0873adaf48f8eff8e1616233a0d6739afbc04bc1ce84338dd913a1c |