Analysis Overview
SHA256
bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14
Threat Level: Shows suspicious behavior
The file bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 07:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 07:51
Reported
2024-06-09 07:56
Platform
win7-20240215-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvNQ\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNQ\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJA\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
"C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\SysDrvNQ\xbodsys.exe
C:\SysDrvNQ\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | bc852c432427b7acfd75b5629944d6c9 |
| SHA1 | 2cf6ba6de334055bbb3fdf7b3af4ababa8050bdd |
| SHA256 | 43f512e6a4daadc3eea9fca3f71747905de8e672798dde0120acbe10d6904b73 |
| SHA512 | bdb67d84b16fa2f74b03a3e4a7774f51724ba3b86a7224bc57a3873ac0b141e6dfbcb0d9f68f212897f14ea9fb8014ba3abd985ae7ca4104ec8d86014e057a78 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 41282c20d3df78ecb481da4c2718483f |
| SHA1 | 4296bb39acd9197d5617f78714a8cdeb67cb1584 |
| SHA256 | 23fec033385630b471dc04f5a10e9cfe1a8d83ee607a66c6144c9a44d2a871a4 |
| SHA512 | 23585ddef017220545aae8473d80c963890a2dafa69af71c515a8d2df74b228d01d73a4b7ac384d20d5e6d9519ea352ea9204160f80ddda3be2a690de544d5ab |
C:\SysDrvNQ\xbodsys.exe
| MD5 | 11ca2abb1f93a74ff54b9a1fe3cf73ed |
| SHA1 | 19a572bf821da3ca1169c608e63b875f89b520a0 |
| SHA256 | 5a71b8e5658f7ef5f14eb3043b3a6e1130344ba2ed0e1752636b7f805ac5e24e |
| SHA512 | abee3685bb789e00d61639a0e74ec142d045008ba24b8fad861f4d79835b326f928e312aeb330e76c8e2a3d891b5bbf77d4d238844df421884a289a6d390aec2 |
C:\VidJA\bodxec.exe
| MD5 | 1df72a5f419cd989749cfa257427ac64 |
| SHA1 | 199d60c902e06a09678d38af241deb9094b9326b |
| SHA256 | ffb6ae638d3c49a3583b6efc778ba3bff2e36d4dc4d671fc8bce79311394de32 |
| SHA512 | 80455f7d288ee46d06b47c82600c78cb11a0fe750f7067d4bbdd6f9e65e91241c473e6dea7556c639c0222c15c2fbbf5d1e7b537a10eb2bcf2083719dd5aa33a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bca3f281bab7d60bf8679c9e300fd3ba |
| SHA1 | b219c8b8d5c1c146e27ab9af2a1c9399e20c1876 |
| SHA256 | f47b731b871d96b98e1e46161ba4413b3b03bd557a3321339a96416c757af65e |
| SHA512 | 4cab0f3d798d42cf21729e22c4166a95ef39b0205b7a214ba49518e13e5a1874c447a4b690871da3253bb5cfc388305a408b4f1b59256b2d3e3de72cdac1e75a |
C:\VidJA\bodxec.exe
| MD5 | 34d1a616b06664d0cb471894df8aa2d2 |
| SHA1 | 009337a68583b5a82611dafc98f158a1491aff62 |
| SHA256 | 5dac4e202b7310781a55babf92d95a9a055a4d1723c113883b66ff1b2a99eeae |
| SHA512 | f21ee2cb7acd68d1ab0501ef14275da6b8839990a12d522fb645e0e93144e1cf859b830772be055155ccca7ecfaa0afc3172969d2f267cf85470dd1d4e282d31 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 07:51
Reported
2024-06-09 07:56
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\IntelprocJK\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJK\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6I\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe
"C:\Users\Admin\AppData\Local\Temp\bbff65de23f25ad99c86579f494ed186f07a76c205a915c37b10e86fa1bd6a14.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\IntelprocJK\devdobloc.exe
C:\IntelprocJK\devdobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | 8d57a0f59baaaca4b32d965f4f96dba9 |
| SHA1 | d01b1f749885d63de6b120ef7db1279ef42de8f5 |
| SHA256 | 7530515c5434c0d02cd9df94974284d15b711755d5b6acea40df02768e0a12f8 |
| SHA512 | dd236bc9eedc0791287c8a2ac27b609da53d36ce6911eeb8fce7637c22c03a5591c5f4d9e7cf7493f08037e0be7860cdb7ec3189ee5e42b51b34a21192f4527f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9c7d7da8418071759e40051732d137e3 |
| SHA1 | aecdfdd1efc664c7fcb4055dc07a2dd17eea7845 |
| SHA256 | 7d1478636a151ca4a1f47231adef277140310df5a73865753b5f37e3d545eb64 |
| SHA512 | 0e33925485fea3ada9309ed0680f563255fa7cac8bc7b11d979720fd932f869e7793a4a183198f3f8f4c3e3bc9ef613795cdad29f2692c88a096d5d0653104a8 |
C:\IntelprocJK\devdobloc.exe
| MD5 | f8ec92089906bdccb160d754e79a428c |
| SHA1 | 1401345ba076585a9c855ec22311da9847909510 |
| SHA256 | eeb41fe303a1300dc1070160cda7ac32678f432af83a567f64ad25a6462413a9 |
| SHA512 | ca8dc18e979501417bebd05e61b207fe1fe554101845e6aef2e73c48bb02979a7867428927e6e7ea533b5ef6adaf489515ea1cd3b2054e67d0196e774dfd35a6 |
C:\IntelprocJK\devdobloc.exe
| MD5 | 0cffe652f8d05144d1bde724e7998236 |
| SHA1 | 00d186809e674a27985097832fc56ab610c9be48 |
| SHA256 | c5c4ba51d97023e768f8d2ff33581a9c3d16d05c5f4571c8015e7b16677463e6 |
| SHA512 | 8ef0eaac5320a2f1b20252d52e1376d4a87e75f6f8e769c5cef8051c76f9e5231ee855a4dcdf656f7b706bb4220f4c6f5571f6a18fc611c1e922c0845beb810a |
C:\Vid6I\dobdevloc.exe
| MD5 | 4fc24ec84981a4859f43b365bc7a6e01 |
| SHA1 | ac430117e4d5c1ea397e258f30ae3977d121727d |
| SHA256 | 4e0f91b98ee9c10c5c433f05a4fab324526ea6964036154553a58504c1526eb8 |
| SHA512 | 7ae0f4c703ab13ef1f84b75037d4bb6fc4fb467f89d41f732cd5a27483f762e9fa5e6032c950865b5268dde35e7f3deec80084459c110ad93c15d0d0882b7279 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ed44a95d9737197d878f30758d1ce783 |
| SHA1 | a6b4bb94cd107acbeda291dd2dd9dc0b0bdd80e8 |
| SHA256 | d68238c13eae79da1e6669fd5d3b8b97544b1fa565061092028a6a71f760a379 |
| SHA512 | 8ad46b0c1e68db9f19804b26c0a201020e30ec33219cde219d11712441d8bb4c2167d2bd645b4d615a6391c40c1775ad6dbe97e2fc1bae7fe7816e36d49df41c |
C:\Vid6I\dobdevloc.exe
| MD5 | c9221e0eb3a16dce428ff8c482aa2dff |
| SHA1 | 793cc75bc04db78d6d21cce028ebc5202ab1f199 |
| SHA256 | 89c1ad531a116c26ad2fba26da6aa3bfb742ddc6af38f6f62b23e30e4064dc82 |
| SHA512 | 47ee868b2819e8889fa54c5e846d987eb2e67d90d25d969bde5b4f55cf75e4b12765acc7077bab313d9e96935a1d554300bfac8ef2ebe9d36f2bedcf78e5ec12 |