Analysis Overview
SHA256
148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8
Threat Level: Shows suspicious behavior
Verdict for 148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8: shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:55
Reported
2024-11-13 19:58
Platform
win7-20240903-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\UserDotO3\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotO3\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1D\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotO3\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
"C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\UserDotO3\xdobec.exe
C:\UserDotO3\xdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| Hash | Value |
|---|---|
| MD5 | 773500367c23b829cb40f300d2032665 |
| SHA1 | f053673df87ec20a98813cc126cce771e01feaa0 |
| SHA256 | 5107b5f121b37545cacd3c78fce0aa3d4f052ee8f39c04f1826b2e345c42127c |
| SHA512 | 2c33bc80b7d3ba5240bc715fe5522fbaa7c144d7e21e161e9aa54562cb009c180d946f326beb31ec41451602d7959fac318d7d3172f450789861b63e82e1e98a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 3377d25c1e4aa583d09e54c1135c10af |
| SHA1 | 6b282327e493dd46dd70ce4bfef98cec7160f12d |
| SHA256 | 11b9c6f0db493867c647604d73dfe0ddd46f65095953083411658de61d879e97 |
| SHA512 | 291fd0e199e97adf1ca78abc62641d6e44c2589bd5fb624f96764c3eac96a34a1e7464341e445d5ec7ac58a194165cad0aa5bd7117d4c6cc9ccf09f71fe676d6 |
C:\Vid1D\boddevec.exe
| Hash | Value |
|---|---|
| MD5 | c5a26dd1a0af79834cf3e2df527322b6 |
| SHA1 | baf93c715acad086ecf1600c0f2d16e75845ccf7 |
| SHA256 | c7c1528098007a7d7608107796d9e76944c6ef170369b354f99addd5151272b9 |
| SHA512 | 904e286398dbac2bcb8047209ef47e26f245b8a5860bf59ce8845c0477d34e296da39885b7aa4d7f44aa58bc729fccc693cf4264ed0745ca23c2abcd499687e9 |
C:\UserDotO3\xdobec.exe
| Hash | Value |
|---|---|
| MD5 | 957a39666e25bf80d1ed5809fa76036c |
| SHA1 | 5b5c5266f1b79753476432ea132ecf544f96b664 |
| SHA256 | 282bf58490cefc230795ee0038c35025b602249cc8faa2883ee6882a19a21a8f |
| SHA512 | 54e7267bb2a1503d4272cc7d3b1821e9f180a01c4993ce714613f05eb09bcfb7f3ea0ab5dd49901e5f4973e8b3ecd83ef347b1e1cfa1fba2838175d3a12b31f1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | ed9328d873f1735d182652806f7e26e0 |
| SHA1 | e15aff4c693ed36f0d73a51cd44884c829e7ff8f |
| SHA256 | d3a650d5cb6684b81faa7daea7b58fde5c2dc6dcd3c4cfe79f718e4fc600b7e9 |
| SHA512 | f246c01894211e358625a1f010a7b668df75ba6821fd97a434a4266e7a9a489fbbe603b9e1b8f0ad9a5d4b3585c71886a66f63d98d9e15c480c2a2d579a8bd90 |
C:\Vid1D\boddevec.exe
| Hash | Value |
|---|---|
| MD5 | f2db5967cc0aa113384f5ba4fa7035ef |
| SHA1 | a44f5b2ebf144552e1d264557eb7c81f10ee8a98 |
| SHA256 | b307360de7ff458d1ee47aad9ef95378ea84a596b6d897c73aef2c825a9b1d7c |
| SHA512 | 70f01c35a557cace6370dbcd95d2428f52549c64ac6918e08a06d236a5162ade299c35e974545aa9b0c0a16699f502bb66f57f540bec417ba8ed8e565246721c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:55
Reported
2024-11-13 19:58
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
137s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\Files1M\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1M\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid5A\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files1M\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe
"C:\Users\Admin\AppData\Local\Temp\148e2014ee5a52a192ef127dedc0ef9fdd012b80ab540e1a1959070c61fb48d8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\Files1M\xbodsys.exe
C:\Files1M\xbodsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| Hash | Value |
|---|---|
| MD5 | 711c9cebb25cc4de314b5541bffc7762 |
| SHA1 | 7b4bb6853ed540168288954956ad9e64aef55165 |
| SHA256 | 13160e61bf22de75827cb46394c28969eee91246774f6c80038c8455735d2d5a |
| SHA512 | e6606def8c718aee66d39993d37b94eb0862763d11efb8ae6f22e4dccdedcfd964d4490b9432dc25aa3f1dd127a6781bef2308b00ce1b2024cb899e550882806 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 713a7a676c9d40ca56ec429db57221ae |
| SHA1 | bc9dcbd563a74377ac382e154f817bb37237f812 |
| SHA256 | 3cf22097f28ab52ac38ce69f6d5209431124e16742b16623b7af23ff1204c8c3 |
| SHA512 | ad6a2e6bc3f1dd9d3835ef5d7d999639dad371b299b9f265613d2fb3c1dc43f4eb31c41402fd4cd23e5182e889f80c3a9c1d6f1a21a0eac082acc2cab37d87cd |
C:\Files1M\xbodsys.exe
| Hash | Value |
|---|---|
| MD5 | 01fbe305580138137138c2bcde879cda |
| SHA1 | 3cf8a39fc8a693ece5747e61d3616c16ce507971 |
| SHA256 | 17b0f433370a4125b5411f711013c041d0ff060d0678703f765a30be6068f068 |
| SHA512 | a15d3271ebe677362fe5a6d517f78b57f06bd38fedd6c2fcc74ce9dc8f685df37aa1b2c79d81884b608b9b295a22ae5e0f036d75e3a7be7ac86b1e09e6d899d2 |
C:\Vid5A\dobxsys.exe
| Hash | Value |
|---|---|
| MD5 | aa8e13b481284d1e3b2124447c5f529d |
| SHA1 | 1afd90a119f584fdb203de26186b14b8572de9e0 |
| SHA256 | 26507de4f7e72ce8c2d43e7804e6757cd3f8a08f341beb66126e853c3719bca2 |
| SHA512 | 291b9a831fc3330e55bd035b6212f57a1a187eeadbabb02feafb64790efef28760bc6252349ed75f23ad75a6ae7ff36c36f81a22043d44d00350061c7b5b9600 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 27d24ed159c0173bc95bd6a285984ce3 |
| SHA1 | 566356085d6885d5faf01d5d2235f7bb44b21bce |
| SHA256 | 564584ae4f02e48940e1ba1efd3a612be41a1e941b20822daa2865e0d731af3e |
| SHA512 | c41f4fb2cfa4da8c1e4f85da5ca47696b33593c1fb6401b82f7fac045a45131ddbd9aad2c3e55adf19f79edd11f9111d73e285a228228ebf72d64716ac9434f2 |
C:\Vid5A\dobxsys.exe
| Hash | Value |
|---|---|
| MD5 | 438550544a6a512fe820406a770d89d2 |
| SHA1 | 6f14494bb2794922f1c8d50786f344bb38e1f8b2 |
| SHA256 | 6df202435d23f48f330248b8c3501f1c708289a75d001c3169e470d62e527a07 |
| SHA512 | 33d91b66eee14375c65406c2d38419cb6de01b3d22a45b37099f3b4f413f37faf54fd3a19f4a9d6a12d5b2c1e6a438fe63e75b453825b07b13470e687cead69a |