Analysis Overview
SHA256
107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222
Threat Level: Shows suspicious behavior
The file 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:45
Reported
2024-11-13 19:47
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
137s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvZ9\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZ9\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXL\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvZ9\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
"C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\SysDrvZ9\devdobloc.exe
C:\SysDrvZ9\devdobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | 98aefb490082e8457012126b9c0035ae |
| SHA1 | 8cc8f9fcb9726de516c3afc8a4d32f320b059e26 |
| SHA256 | 2b81eb5ec73557f5ea7ebebeb92ca9083da50c6dc2dd2d6edc0cb04ae3d9da98 |
| SHA512 | 81307fddbe216d08744bf42649de0b07420e8fbe57f0f6f72d62d1f590a0d838ea562c50f3d3ed005c94fb87cb2f506880cb1c6d8ac2bd3d9a8c7c7eb141f846 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 854c232a225269e045136916e2759f2a |
| SHA1 | 564348ad6adce6180bda0ec75a03a87556a3cd6f |
| SHA256 | f6d944c370540b226e5881c645fb3bb8426f423859a6fa3599a4c374890a3e4d |
| SHA512 | fc280dfb61ef4cdb6c7250bc52d3554656ff4c2b8bb8a26218eed7591ba91dfd372a0c63dd6321b22a7cf466002478c7ffc18acc426595ad6c45eddb10d28076 |
C:\SysDrvZ9\devdobloc.exe
| MD5 | 2a2d4c56dc545dbd1235b3de74df0308 |
| SHA1 | 128049efa25c4d5ec038092f742c4c7928f79a9e |
| SHA256 | d4f9becd8d59ab06b887e2f66fe383b9418b6d804602e3d0cd51c5ab5d44f738 |
| SHA512 | 223ce0eb356eda1022671cc81fe7c1a6ce71746eac696f1924bf08d01d3c89be3f6a60bdfe4ad6202d02fb192acaa4622cc088749a3ab7f9c6b81b8b094d2c46 |
C:\MintXL\dobdevloc.exe
| MD5 | e3d42ce709ba30e8ec12030e77dd2759 |
| SHA1 | b49dd3f2b896e1e742c3215f6ca5bd081913102d |
| SHA256 | 72a9f3126038b3cafbb53fe7167ce7555856030c39f0193567d04be7d235c42a |
| SHA512 | 9d20edda519a734ea35d4244d5d40e9c0517686aa12551cc1978d15d40eeed8c754253c09b8c1ebb0b57b2510c5d37fc84796090215546410df07fce1f73cf69 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c8d522c77f5ddef15b8f2db4a0d8423b |
| SHA1 | e4a85cb23a6fbb77d4f758a2603e61ebf9cbbd6f |
| SHA256 | ec0ce132a83cdaf3c19836af63c1b5553374d19d4f5b066552cf16962b39523d |
| SHA512 | efc37cf4685b40a7c3c60b88fd448ad2a915997afb8fcc35167e90aa3aa447f0acf6e43fe135f1eed6203d2d865812d979bfd2867bf6a3cbec8b198a8d9fda17 |
C:\MintXL\dobdevloc.exe
| MD5 | ccede89232f164881cdeb3c62ae98f4f |
| SHA1 | 67cb5ebee01c039808a0862b8eae4433f60fa76e |
| SHA256 | 1da05bdbbd22d72749402d4414cfb3a31e1cb025b3168ff580643b7df8480c4a |
| SHA512 | 824afaa624648e73e5eee695b0ce0156608a7920c519e55b198b3b35a679501767c74069926fdbd36cfeb750aa7e2ee34258964f0ec75d367714e5bf3bffc295 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:45
Reported
2024-11-13 19:47
Platform
win7-20240903-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\FilesQM\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQM\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDF\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesQM\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
"C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\FilesQM\adobsys.exe
C:\FilesQM\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | 2f003592b102cbb9d6366e83a53461ac |
| SHA1 | 7212c674319c2b605c10c2c68ec705e7b01fab0c |
| SHA256 | f1e00dede2ab76590a2f16a9566793d4c5f8eadb3464fc6a331398da65cdbaed |
| SHA512 | 3a0701b69e3679dc09561cba4ceaa35726c3809b6df7b2c7a90869b63ecd4916771bc8035f5992f0eccedbc10bd7ff22d1af47c2e57770c6bfb081c48c4b91ad |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b6c02d1a4d457bb2fbf2c065e1949c4c |
| SHA1 | 225654c987afb8cf7f314b4fae5bcf99f1cac46f |
| SHA256 | 743789c463aeb3bf22ff7fda914a7abdbb7796bd8e7a71323f891020b07e99c3 |
| SHA512 | f96364c35bea997efaaadc0a41f2cb0b252f23bda11b6d332065e285aab7c4627a8fc1d145556ae680a77e5230f38a08a445aae7ebf6e8857f673bc30bf562f4 |
C:\FilesQM\adobsys.exe
| MD5 | 18c64931d62669fd19f74b4a069c4cfd |
| SHA1 | 9ac3c6b99c5224e66fb8630858cc64509c985af6 |
| SHA256 | e788ea16494eec598d382df1002c57d5de963a2356195157df284738a60a744e |
| SHA512 | 4300ab3891d106b74296c961ebcfd98970a18dd7101814f1f2a99155d0c114eca284e3e4d6199f5568d5e903006d6b4d8fcc29ebcb720d6be5473372695e8323 |
C:\LabZDF\optidevec.exe
| MD5 | 76476119549b06888b3a983537f38a31 |
| SHA1 | 0a92623bdce7a9daed099b8625042bd4e3cfabeb |
| SHA256 | 2827619ea285784f62f965ae0fb30c9f5e38a0637a11c595e16ddacbdadadf71 |
| SHA512 | fc255ac116ad54275b2452493e1114e86115432edc7b0b0be100f1999f17ef656ff7b78eb728b337d339ba180db7dc0d1aab6838268773c764f36477081e5848 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bf2eeb6371d7b483bd3287e64e95df96 |
| SHA1 | 9767b3dcc401453d243743c83a9bc450dbbf0f52 |
| SHA256 | 190b7bd24f0a14a9d76e49994c64653c02d5e55e3a38eebbfecc37dbd13211e5 |
| SHA512 | 205d4de35c7dd93457fba45e27ca239961d5dfc70973e80b9bd323d61af2089734f9e4b5ab315679e0edaea28d81e17f228fd1c0aa67ba915aa5ef0a22369ffa |
C:\LabZDF\optidevec.exe
| MD5 | 3421d48078becd2757242c799c1f76fa |
| SHA1 | f712b81d8b836313c299781997e39a5f2a55b101 |
| SHA256 | 903d682dfc442dcf9784154e15b1b6d129e7a7c43ac53e742d6a50faea2c2d21 |
| SHA512 | 511e1f4bb429fad3d667d12a8c03ec79d63524461ae510626eb716d362347be711fdba7cec3a84eb383418fb8cdbbfbbe56c4144955c563df913650fd87fa5b2 |