Analysis Overview
SHA256
914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788a
Threat Level: Shows suspicious behavior
Verdict for 914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:18
Reported
2024-11-13 19:20
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvRB\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvRB\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJW\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvRB\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe
"C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\SysDrvRB\abodloc.exe
C:\SysDrvRB\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | 1f4305c06fd0a9024eebc4b042e08b1e |
| SHA1 | ef6393a8858d531c81df6d7ffc37cd3fe4c791d9 |
| SHA256 | c7589eb2ecce764ea326863c385db46fa40e6dc99fba2eef847da1e4468d83a1 |
| SHA512 | a94248568d83708244ab81e69b8290d562a98de10b6791d94a7a1945b16fb14e424815b5fed30094e249d37990a1faca8fe0d9a7ee04a3350b06abba8530ab3b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 2b3e250cf6d839ee2d50225f949b0912 |
| SHA1 | 8aa5ce41ee486124af595ef724a43cbb6cb5161b |
| SHA256 | 82e1ea3fe4a93dc341f5d476548bd1274ddc783b2d7f52e83fefe3943f36af0c |
| SHA512 | e74f97523c45279b8cf68544c7ed72229c0ff2c9f488e175acadb612af7540851f063040aa9825598647d54f0d0c9bf849792e285f9daf789a10b6d3f32a86b0 |
C:\SysDrvRB\abodloc.exe
| MD5 | 568773ce9bda73ea2058b8ad2245a657 |
| SHA1 | 1bde7ceb86a36234e4b3175772a4fcae785cf838 |
| SHA256 | 2bc865d50555d825c285b800d20dfdd5a6bed3e91954691b39627af207a4cb45 |
| SHA512 | 01e093598154e396a728e30574bd97bebe8d8e8c7d60cb9ca6371ac78944caa1c05e8fa6d243c75c4bd050f22022b1471b7ba7d0d95173cce1f47aa3e0bf9d7a |
C:\KaVBJW\bodaec.exe
| MD5 | e572f7532d30b4f095ea196f2445b5b2 |
| SHA1 | 223c9b5e73fc01c80a06db8b33f801566d2d7ce9 |
| SHA256 | f8a747fdcb78f5e286e5e617d19b60c387ed5c122b077e0157fb6169ae7a97c5 |
| SHA512 | 79d08694cf3b2b5e2befeece61324f3d0bbe2acbe5d6d215d10e948edc1ac8536f40419cd0ab90a288f5f52633ec0c84be7ddf579a6b81a9e606be2d7f7065e0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3d82a01fcaf763fce4820520ae17ad84 |
| SHA1 | 3a4fde9c6f52671c83c7b4e9b164d26f5157db61 |
| SHA256 | bb5efef8a97e1d7f70a5eab95aac8ccad6cfaf68af3070d93ed8924c038fa0ab |
| SHA512 | 35a88948dac83de24a94ef91990e74ef3b6864503425078196c180160e934b6aea7fc3292a342f96481d508c9eb1b2697dee40d2f8f884a2bb127c379c8bf4d6 |
C:\KaVBJW\bodaec.exe
| MD5 | 7d54edf29c8268e15b32fecc7dbc1456 |
| SHA1 | c022459f9ea4fd990b57fd58b031e52137e977ff |
| SHA256 | e74987fb22967efc1a76b5bce8e4f0f16bdbcd36228d40189ca2942134488dfa |
| SHA512 | fe181913ec606ca530dc6b2a073808c04f3b7085577714b3a22335a4d498d6fd43449194085a7f4c8b466903408183e359307b12155dcc56d9e4d15771fec580 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:18
Reported
2024-11-13 19:20
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\AdobeEZ\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeEZ\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9M\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeEZ\xbodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
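Detection note on the two detonations above: the dropped directories, file names and hashes differ between runs (C:\SysDrvRB\abodloc.exe and C:\KaVBJW\bodaec.exe on win7, C:\AdobeEZ\xbodec.exe and C:\Vid9M\optixec.exe on win10), so hash or path IOCs from one run will not match the next. What recurs is the behaviour: the sample in %TEMP% writes an executable into the per-user Startup folder and sets a value named "Parametr" under both Run and RunOnce, each pointing at an .exe directly beneath a newly created top-level directory. The Python below is an added example (not part of the sandbox report or its tooling) that keys on that pattern over Sysmon-style events; the event field names, the sample events and the function names are assumptions, and the events are constructed from the behavioral1 indicators plus two benign look-alikes.

```python
"""Flag the Run/RunOnce + Startup-folder persistence pattern seen in both detonations.

Added example, not from the sandbox report. Events mimic Sysmon EventID 13
(RegistryEvent: Value Set) and EventID 11 (FileCreate); field names are assumed.
"""
import re

# Tail of a Run or RunOnce value path under any hive prefix (HKU\S-1-5-..., \REGISTRY\USER\...).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# An .exe sitting directly under a top-level directory, e.g. C:\SysDrvRB\abodloc.exe.
EXE_UNDER_ROOT_RE = re.compile(r'^"?[A-Za-z]:\\(?P<dir>[^\\]+)\\[^\\]+\.exe"?$', re.IGNORECASE)
# Top-level directories where an .exe directly underneath is not by itself suspicious.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}
STARTUP_FOLDER_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE
)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKCU = r"HKU\S-1-5-21-3692679935-4019334568-335155002-1000"
CURVER = r"\Software\Microsoft\Windows\CurrentVersion"

# Constructed events: the three persistence actions from behavioral1 plus two benign look-alikes
# (an installer registering a Run value under Program Files, a user creating a Startup shortcut).
SAMPLE_EVENTS = [
    {"event_id": 13, "image": SAMPLE, "target_object": HKCU + CURVER + r"\Run\Parametr",
     "details": r"C:\SysDrvRB\abodloc.exe"},
    {"event_id": 13, "image": SAMPLE, "target_object": HKCU + CURVER + r"\RunOnce\Parametr",
     "details": r"C:\KaVBJW\bodaec.exe"},
    {"event_id": 11, "image": SAMPLE, "target_filename": STARTUP + r"\sysdevbod.exe"},
    {"event_id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target_object": HKCU + CURVER + r"\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"event_id": 11, "image": r"C:\Windows\explorer.exe", "target_filename": STARTUP + r"\MyTool.lnk"},
]


def exe_under_unusual_root(path: str) -> bool:
    """True for <drive>:\\<dir>\\<name>.exe where <dir> is not a standard top-level directory."""
    m = EXE_UNDER_ROOT_RE.match(path.strip())
    return bool(m) and m.group("dir").lower() not in KNOWN_ROOT_DIRS


def find_persistence(events):
    """Return one finding per event matching either half of the pattern."""
    findings = []
    for ev in events:
        if ev["event_id"] == 13:  # registry value set
            m = RUN_KEY_RE.search(ev["target_object"])
            if m and exe_under_unusual_root(ev["details"]):
                key = "RunOnce" if m.group("key").lower() == "runonce" else "Run"
                findings.append({"kind": f"{key} value", "name": m.group("name"),
                                 "process": ev["image"], "path": ev["details"]})
        elif ev["event_id"] == 11:  # file create
            if STARTUP_FOLDER_RE.search(ev["target_filename"]) and USER_TEMP_RE.search(ev["image"]):
                findings.append({"kind": "Startup folder drop", "name": None,
                                 "process": ev["image"], "path": ev["target_filename"]})
    return findings


def paired_run_values(findings):
    """Value names a single process set under BOTH Run and RunOnce, as in both detonations."""
    seen = {}
    for f in findings:
        if f["kind"] in ("Run value", "RunOnce value"):
            seen.setdefault((f["process"], f["name"]), set()).add(f["kind"])
    return sorted(name for (_, name), kinds in seen.items() if kinds == {"Run value", "RunOnce value"})


if __name__ == "__main__":
    hits = find_persistence(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['kind']:<20} {h['process']} -> {h['path']}")
    print("Run+RunOnce pairs:", paired_run_values(hits))
```

The two benign events are there to show what the checks reject: a Run value pointing into Program Files does not match EXE_UNDER_ROOT_RE, and a Startup-folder write from explorer.exe fails the %TEMP% parent check. Against real Sysmon data, swap the constructed dicts for the parsed EventData fields (Image, TargetObject, Details, TargetFilename); the regexes only look at the tail of the key path, so the hive prefix format does not matter.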
Processes
C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe
"C:\Users\Admin\AppData\Local\Temp\914e3b65176a88b7ea89f63cdb1a4c97463cd52cdd359f966061a97d3018788aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\AdobeEZ\xbodec.exe
C:\AdobeEZ\xbodec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | fd9b35734bb5b96ef51fc82337ead33e |
| SHA1 | 3d31b6bc6ceae74db17809b0b336985eaafe8595 |
| SHA256 | d897b37e908b199b19c7929070a365a44e2101c0a934bbeed6d2c3681bad2f83 |
| SHA512 | 8d6454048cbe83a5ce570587c2650059b1d4a5137052db1de643e0cd1ebd021ce40d66e6bfb0c2840f544f8a53eb7495cfdc40519f48f81dddd4989036ebb83c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 943d1d37418146867819955c45c7b2c1 |
| SHA1 | 6044c43fd149fbe54a7de4a66bb64e837c4e9895 |
| SHA256 | 17be711cc6b427327c0addb3163a328f4f03d95a320691e16d25abadb87ee323 |
| SHA512 | fb1e88db228ea22a8fdd4f046ba48bb71000aa0f044cc3966aa550595a0505b2bc12d033f2c34cf6e32977bb286e4af5e6c00248b55edcb705d4b1e6afe4ae18 |
C:\AdobeEZ\xbodec.exe
| MD5 | 42c57a4d8137e77a770ab5b4029ce775 |
| SHA1 | c71a3dcb3fe3d88d0419c2cc9df14ebdba4ab0a7 |
| SHA256 | 6600e0b94a513f69982433e758c18645bb93fa1341887c025a2e35dc0a29e564 |
| SHA512 | 50799e25d1acd3e3b8c873b5cde09fdd00e23b7908d54de2fcd94fea7bc6095843969cbe8ad442b5e5aa8c4f33ea451839a371b5b5c26603551b34ab8280c7f1 |
C:\Vid9M\optixec.exe
| MD5 | 094459e96cca95998fe0e6f123a2cd02 |
| SHA1 | b1c293e3a0569162ccb5f16a4fa709ff44be4433 |
| SHA256 | 6fe13faf9ba84abc12971e65897aa86b03637fe9f8f7610bf79bbd71a98e2758 |
| SHA512 | 2ca82f9cafd570f2c54546c6486a4ba08c53ab77da8f9b018b38b5b850d2199808e8bde0e41090b15f8a55211c3d719b07aa08bdee2caa88f2a12db4a21dffe5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e7029452abad2b1cdb970cf55add3757 |
| SHA1 | ee29d8de9e0343a7c56fc73ac6368ff18c91ac30 |
| SHA256 | 67d7daa1a64b42389adcacd07705c2b75834a0e1373ff8fd0ead84cc1544c22f |
| SHA512 | 0e8323a0030c23cadc149eae98406e06ef694d398eb0646067bf034de52632acb0bc98b99dd3aac46f9f516e074b747361ec8c16884c9830c6d461beda3ffe64 |
C:\Vid9M\optixec.exe
| MD5 | 6d2c1a9c24a0ee162802a6c1a45cfd32 |
| SHA1 | 2bf81e0f7e84360c61bb3068463f0754fc4cc81d |
| SHA256 | f72131c163366f1516ee713ef4cada1126d85281a1ae6ad2ed5c87203191a18b |
| SHA512 | 609fddb4695fac96f9ad7ff9f703fd91571334da3a854682e7ba73b7a86b79fc72f9b7634276afc94d9ff1ffaa5645c90b42efe1c5e195ee19fc8f7755648698 |