Analysis Overview
SHA256
3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966
Threat Level: Shows suspicious behavior
The file 3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:06
Reported
2024-11-13 19:08
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\Files8W\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8W\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZUS\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files8W\xbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe
"C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\Files8W\xbodloc.exe
C:\Files8W\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| Hash | Value |
|---|---|
| MD5 | b8c7ded769711d1f344faa7e1f334b10 |
| SHA1 | 50c59f2a8e1009c7f8d4909215ed8c42e145066e |
| SHA256 | e667f5c17d878098bc8e6369a18e27a36012dcaf9c599ef72d84960d50cbe206 |
| SHA512 | b058133aa3009d534675f29a9ec7cfebdef18410affc781b7175f38ba5b5c763a6352f101c3af122b653e27ec5f40df59324c28c453303213bdcae32da0b116a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 50eb4698a056bdd02139b02dd10c8e47 |
| SHA1 | 3a4105f10988ac632edb1795686d60b66d1b1046 |
| SHA256 | 2961d3351291c472b8261367d89f9f0b0fa3c0c2d14342b3b9078cb99796f51f |
| SHA512 | e31a773dbff2de1465e6bd785847022c2ae62fc0e36c431bd41a041f3dff31033e6ff6b7e65e5b63bc9e7c285f97a298c4d775694f73e563d5a75c69d607d426 |
C:\Files8W\xbodloc.exe
| Hash | Value |
|---|---|
| MD5 | dfe84b48063965fa20fb7b0dbea910c3 |
| SHA1 | a201d52864d48de1ec87a642814e135cb4efd0ce |
| SHA256 | bd0b6511fcc8681276e973b6403e1bb09b8b12ff3347269a31072e1e7471eef8 |
| SHA512 | 5911c272fa0b1e458642b2e73855bf8c14ed37bfbd9007c7adb0f77e3fa7884107fc53adb0518d98aea7ffbdbaa26f397198063f57ff9203ab4a87fe24f48683 |
C:\LabZUS\dobxloc.exe
| Hash | Value |
|---|---|
| MD5 | ede40b36034d11420daf9b761d447622 |
| SHA1 | 83e69cb72e12fd8ccd507bfa21133e1fca0fd5d7 |
| SHA256 | 6e27085c9b049479ed4b5d515c82d49091d1d0d6a70cc1af4fe1e085816236d4 |
| SHA512 | 0fc2330cfab1d7a2fa7e55f9cc177aa246de7f672540212721ca9232920652a2306906719e60af2bd37ca2fc9074d2244a5514fdc7f344e7c4006b4c69a75120 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 54abbe5f2ea511f431c190fe739542d6 |
| SHA1 | 9b8b4f48c4a9de2e3d77ed98a39b0cfb47dd92ba |
| SHA256 | 5453a893067e1afcebdff9cfc4eddd6b04de23ef54dc446e73fd7aa1ae09f55e |
| SHA512 | e70a9d71c193fc66fdbd9ec6202399a039e7c63b3638c2769ab9e767adcf300ad9490e5dc6ca154b21aa26b9a964a406f812dfe0e709fa579260b4d20e5c8b03 |
C:\LabZUS\dobxloc.exe
| Hash | Value |
|---|---|
| MD5 | 991a71d6c681b543298886d695f6131d |
| SHA1 | 985f25e10110629800d541873e1c67881f3c4e0e |
| SHA256 | 9870b6bc333af2e0d15b25dd02234d48b2b9cc995ab5c7a1dd0d3327427ddd80 |
| SHA512 | b31429c9b8ce239ac262e864dbd981e60e4600900f834ffb69e442cba1aebb269218c45790d9d5eb6f9dc864701ed8c2786397c5dc03bb732c5b95d18fa07994 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:06
Reported
2024-11-13 19:08
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\AdobeQU\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQU\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7W\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeQU\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe
"C:\Users\Admin\AppData\Local\Temp\3111ca9b47f59b4508be64e369cb4ed455c6dcdf7e7a5937c0bf7101f24e7966.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\AdobeQU\devbodec.exe
C:\AdobeQU\devbodec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| Hash | Value |
|---|---|
| MD5 | 193112c21b86e3221bf64c2e76b9ce51 |
| SHA1 | deee195d02a1e4b154c3328b17c215ae3e7e4c4c |
| SHA256 | fd72c522051013f3fc613968f9ddde886eaf375ff636856f5ce8c485a4fb5538 |
| SHA512 | 25a01bb4e35bdea08c7c0e19647b19e72eac3d3019026c1de2d889ae30100849965e7afffe2f46ae3500a3e1fa7776d10c9a5b36950f1023f7823d908deff2a3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 4d78163b95fef43496e00aa990d244da |
| SHA1 | 6ef6a7bf39e7462be6628242abe4a888967fe74d |
| SHA256 | 15eba896031d00a73c16618ccdb54b0568b05a094802485b4cfdb39fa6321c30 |
| SHA512 | 8fe7eed37dd2be8f2d2c7f058870a55ad55c528e2fad62203f4415029b5d4833ea097809faffa9c937478f0db0771f5c9af99b6fac1aaa54042e1ad291e88756 |
C:\AdobeQU\devbodec.exe
| Hash | Value |
|---|---|
| MD5 | 9355f64a677968b653c6bdb884b87b60 |
| SHA1 | dc3250eeef78f19d0933294143f8933402e52b2b |
| SHA256 | d02a57db9a5f64e3ad834542e6f0d313ed08e1a36e13ac4fda5a933c8ba8ddfc |
| SHA512 | cc15da11849e120f43b8700e050376e72d0eef18b66423ebb4acddf984e5e3295bf827c73eb529248358c33c3be13f221affb19c2dade878dbda8dff5bb30da4 |
C:\Mint7W\optiasys.exe
| Hash | Value |
|---|---|
| MD5 | 079e1fc0375b5b1ae270a41f8900b751 |
| SHA1 | 2cb86b58ffe75c3562dacb61d0e76c8b798dd5d6 |
| SHA256 | 920220b57a7b95709b0f208532ef7cab508f031c86fbb462a7b74e8cd348e633 |
| SHA512 | 6afca1917490bca5a4671c910a5e77b2d4161a583113675798053b42bbf4334366c94c438a29b4bcddfed0f798f2782927305175beb53778812e8c05cabfe898 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | ee02d817c8f3636cc0492e92bc0b6e46 |
| SHA1 | 58ccbcba8b3b1664ef4e4bfa3830f3f0696cdb6b |
| SHA256 | 401bb8f8a8d5d1bf0e6daeb64ae6704b718da2af96d801b39d28314838345404 |
| SHA512 | c1146acaf1f07e5087b98fc900c1ebe02607c5775db7ee964030cff8811445f0179ef4cf2acccae43ad383fceacdaad32c75eb6bff078497fca47a3724717fa0 |
C:\Mint7W\optiasys.exe
| Hash | Value |
|---|---|
| MD5 | 6e48912c750d2a4af218228dfe476e8a |
| SHA1 | 8f0359cb3b03fc05f8d0ae4252aa2f0f938f5489 |
| SHA256 | 6b8e8492afa8a73802220d65a0081445b52649c7adb41c2a83e8b252554e2e40 |
| SHA512 | 94858d91585a291b7d07057ddfab384639fda1d9cd40f60502ac2f6de5e4385ada01e9a1a17288f7fa3c69de4f3c0817e5f1fa0a63251ef7975ea060e3ee05f5 |