Analysis Overview
SHA256
57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4
Threat Level: Shows suspicious behavior
The file 57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N was classified as: shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 22:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 22:40
Reported
2024-10-25 22:42
Platform
win7-20241010-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\IntelprocY3\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocY3\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYQ\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocY3\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | "C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe" |
| C:\IntelprocY3\xbodec.exe | C:\IntelprocY3\xbodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | eb467b400dd1b3beebb52dae163fb3e5 |
| SHA1 | 84683eeece93b6a2b6e00b790d690d96316a6d1d |
| SHA256 | b610ca861b76c0ffe91cb512eb4b3578eb4336fd8675d2caa83db5353ab32dea |
| SHA512 | 79cf1d779d880e7530e2519733fb268a2b1f5dc4fa8f8499f2c9a566e7b5227379b763cc5001eb9b1d2b6528eba626c6a3ccd7f267b8513de9fa8bb30f39d0a0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 947484ccb8fbb4b6f683e0eb7408cce0 |
| SHA1 | 719a8534c761c5bff44d7565980ccbb36ca46728 |
| SHA256 | bf8cb7a0b9b372f568d1bcc0b94c57a8ded082ecf26d2edbc82f915b940ad63f |
| SHA512 | 7713392e116af11c65c158e6d05879fc5528cc1a99b31dde6d46682cc0a5890644aa43bd0b07ee14e961fdd35d27d10f5a7a7c46116d1b994d5b0d428c829dd2 |
C:\IntelprocY3\xbodec.exe
| MD5 | e774f7cc8e37fa166ef18ab0a9d60e16 |
| SHA1 | 4f77bd3e512d5c12146e7f35e7b5be0d4b3a7e02 |
| SHA256 | e08f08f119187de09e0eb330f47bdacab8845a072489dac413bc443bf7bef16d |
| SHA512 | 2dd43695435871a25ff809c6279e5acbd0310ef0104f68ae01a2cacae71f5075c76cc04881d84790189cb7418f3494019a67bf7e283cd1d9a3fb0faaa406918e |
C:\KaVBYQ\bodasys.exe
| MD5 | 5f56cd14a7959bb3ef7c4ba2068597b0 |
| SHA1 | 940f6e5f63b389a331d1c601710fbc8630743852 |
| SHA256 | afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580 |
| SHA512 | 1c82509c99fb08cccf54fbd17787a7e3ff49b848af0d052cabeb64ea6ba3d22aaad3cac701200773fb6e2965622926b70a6ddb6e07f7bf34c2d04b6b905d1fdb |
\IntelprocY3\xbodec.exe
| MD5 | dc05650a0364ee460a5cc5824d8fce00 |
| SHA1 | a607af36fa3dac999a283da8475239aa479803f2 |
| SHA256 | 4588e44d95eb63b634054cf1dcfcdb3f7bb52d237d4851bd7dd47424ada61413 |
| SHA512 | 0b37ad10c83193fa7fac1bbafefccbfa9784e4fc47ef76e10f15398ed25cfb3dfe2c2e31568c4b5a3d6542545c8a65a195af78677c66814b1dbb57460f7026d8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bde4d6236fe8f64e9111d535e49ce16b |
| SHA1 | cd40516a64ea42c6c98b649c44011b69a912b709 |
| SHA256 | 33b6d4cb6a1a21bf24455e5c0f1f1fb604b39e64fb38feca10745b5508d158ea |
| SHA512 | a01a6d75ba9b455a52cfb2ca9809de7c2a195f1691fba821ad2f09b65ceaafb0e2fe45c610a7f11d410236a1c16c5e2fedc6550bcbaf3fa60d152801df81b1cf |
C:\KaVBYQ\bodasys.exe
| MD5 | 40b5c64a96cc6fe9d697c21bfe36e078 |
| SHA1 | a5fd275e9246666243d93e5253a86bb63c5e80aa |
| SHA256 | 2cbf0739d0a2db5dad1b30b4bc7189b07ad88f7c8be29ade8fa8c88115ebd961 |
| SHA512 | 233025bebbd2a4a3a81e02a6843d55307e50e524b7ededebceabe2a332fde10a79f306619835e0788fc93be13b491bec59d77a1bf5ea91129ecf0576c4543a6a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 22:40
Reported
2024-10-25 22:42
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
104s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\UserDotT8\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotT8\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0Y\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotT8\devdobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | "C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe" |
| C:\UserDotT8\devdobloc.exe | C:\UserDotT8\devdobloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | 9cc514e41e4868e94a6d7c5b0f3d9a3f |
| SHA1 | bfd2d5eca52a124c6f6e1c6091e6ac1855432f45 |
| SHA256 | e781fbb8e405911492e64205d617e8f2d265bf8ac20fb5cc981d01d3ccc93ba6 |
| SHA512 | 0054448478bf713157c27408b92c22f388f24a84476dcd178c0ec788412f9614ee56ad29a1a5d84caa08ebbe9c4f4c8621a6e1e425211d55924d92943c6093b9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5b98141d82c03ec275083a57ea7985b7 |
| SHA1 | 695b6b31c1844d5b10136a1fbf849ed36d41574b |
| SHA256 | 52da3e2c21922e702075261a53246cf85355340b6a5af7a94e896e0074075a83 |
| SHA512 | acdc9373c9e107004f0c64d9fa5dc734015be610c52e30ceec9fbb85755b7452f56cce9de0489b53a7a61406897b14849b04eb40c76af7802382d436156a5788 |
C:\UserDotT8\devdobloc.exe
| MD5 | cb5c8e51fb6204994e87d51dcc53a4e5 |
| SHA1 | e29623042251263cfc5fe117f80f5cdf5b02d47b |
| SHA256 | 8e6bdf2edc9f9925425e65068ebbda09c817529a458c86cc13579d86a761518a |
| SHA512 | 9a0fcfacefca245510f1ecc8fe6510f825de3a7fb00b9aa7c851dfdc6aeff2629238445a6ac41bfddf9bf47a0b69d4af3ad1cbdeabe144cb0596d10ce6e5c422 |
C:\Vid0Y\bodxloc.exe
| MD5 | 128a984ee46e670d20900ba294a67ab8 |
| SHA1 | 4dca93012a0d0794be7396c8624e670f1880ea72 |
| SHA256 | 498b9b1c398f0fe180d1cdc2ac1108f2fbe62edb8798e5955fd754cc5ef2eb0d |
| SHA512 | 162362b44ead4306d5b54a2576e8ce5ed7fb7384f98dfa60b6579aa0932ec01d435ccf42de5ce647cf54151703fe720bbd8bb9b19f93d1577e745093fecc7dc1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 970c07ab1e5d2477f8464253b68e6208 |
| SHA1 | bc347abdb0fdababc5ddcf14c4259d039d757d45 |
| SHA256 | 70b308e99f1cad8f8144126ac88b6ae5ed766d00c8687fd3afb86d32bc4f59da |
| SHA512 | 57f70d0ffc7c8591765b8329a6bb9a5956f0394b45fbe1e00b264b97d2546cfde9007daf4d6eb7a73d943e6b9b7598d14d180664ca2e8c25bb44e1a23d360147 |
C:\Vid0Y\bodxloc.exe
| MD5 | 8f34c214f7d8cdd046e2b178c7b6e99a |
| SHA1 | 1c6972e69ecc5570f6074bcbeabcd85b7304dca9 |
| SHA256 | fbbffe66f91bed070f2987f196dc20916118572b2054e11b17305ab62e82bfb9 |
| SHA512 | a488979eb17b8cc9250b625e8e8017d8c63d364f5efab1cb37f884828aa3f968861f9009f5d632a44d0e3bc26887898925179e207ff9bc1e9aa1f8270766fb18 |
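Triage note on the two detonations above. The "Adds Run key to start application" and "Drops startup file" tables of behavioral1 and behavioral2 show the same persistence pattern, but every file name and directory changes between runs (ecxbod.exe and C:\IntelprocY3\ on win7, ecaopti.exe and C:\UserDotT8\ on win10), and the Files sections list the same dropped path twice with different hashes (both C:\KaVBYQ\bodasys.exe entries, both C:\Vid0Y\bodxloc.exe entries), so the per-run file names and hashes are weak indicators. What stays constant is the Run and RunOnce value name "Parametr", a drop into the user's Startup folder, and an autostart target in a freshly created top-level directory under C:\. The script below is an added example, not part of the report or of any sandbox tooling: it parses rows copied from the signature and Files tables above, extracts those persistence entries, flags autostart targets outside the usual program directories, and keeps both hash versions of a rewritten file. The helper names, the TRUSTED_ROOTS list and the finding layout are this example's own choices.

```python
"""Pull persistence indicators and file hashes out of Triage-style report tables.
Added example (not the report's own tooling); sample rows are copied from the
signature and Files tables of the report above."""
import re

# Constructed input: signature rows copied verbatim from behavioral1 and behavioral2.
SIGNATURE_ROWS = r"""
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocY3\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYQ\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocY3\xbodec.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotT8\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0Y\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\57f0331dd1d50896391afa9b29dedf1678879f1341d71421b711c85ad6c874e4N.exe | N/A |
"""

# Constructed input: two entries from the behavioral1 Files section. The same path
# is listed twice with different hashes because the sandbox saw the file rewritten.
FILE_ROWS = r"""
C:\KaVBYQ\bodasys.exe
| MD5 | 5f56cd14a7959bb3ef7c4ba2068597b0 |
| SHA256 | afa755b16d2c49b41651d22a1aac301992bcb690b0c6fde777fb7ff7d5e5b580 |
C:\KaVBYQ\bodasys.exe
| MD5 | 40b5c64a96cc6fe9d697c21bfe36e078 |
| SHA256 | 2cbf0739d0a2db5dad1b30b4bc7189b07ad88f7c8be29ade8fa8c88115ebd961 |
"""

RUN_VALUE_RE = re.compile(
    r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\(?P<key>RunOnce|Run)\\(?P<name>[^=]+?)\s*=\s*\"(?P<data>.*)\"$",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Assumption of this example: autostart targets under these roots are ordinary,
# anything elsewhere (a fresh top-level directory, a user profile) is flagged.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")


def _cells(line):
    return [c.strip() for c in line.strip().strip("|").split("|")]


def exe_from_command(data):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    path = data.replace("\\\\", "\\")            # the report escapes backslashes
    m = re.match(r'^"?([A-Za-z]:\\[^"]+?\.exe)', path, re.IGNORECASE)
    return m.group(1) if m else path


def is_untrusted_location(path):
    return not path.lower().startswith(TRUSTED_ROOTS)


def extract_persistence(rows):
    """Parse signature rows into persistence findings (Run/RunOnce values, startup files)."""
    findings = []
    for line in rows.strip().splitlines():
        cells = _cells(line)
        if len(cells) != 4:
            continue
        desc, indicator, process, _target = cells
        if desc.startswith("Set value"):
            m = RUN_VALUE_RE.match(indicator)
            if m:
                target = exe_from_command(m.group("data"))
                findings.append({
                    "kind": "run_key", "key": m.group("key"), "value": m.group("name"),
                    "target": target, "sid": m.group("sid"), "process": process,
                    "untrusted": is_untrusted_location(target),
                })
        elif desc == "File created" and STARTUP_DIR_RE.search(indicator):
            findings.append({
                "kind": "startup_file", "target": indicator, "process": process,
                "untrusted": True,   # user-writable autostart folder
            })
    return findings


def parse_file_hashes(block):
    """Parse a Files section into [(path, {algo: digest})], keeping repeated paths."""
    entries = []
    for line in block.strip().splitlines():
        if line.startswith("|"):
            algo, digest = _cells(line)
            entries[-1][1][algo] = digest.lower()
        else:
            entries.append((line.strip(), {}))
    return entries


def stable_indicators(findings):
    """Separate the value names that recur across runs from the per-run random paths."""
    return {
        "run_value_names": sorted({f["value"] for f in findings if f["kind"] == "run_key"}),
        "target_paths": sorted({f["target"] for f in findings}),
    }


if __name__ == "__main__":
    found = extract_persistence(SIGNATURE_ROWS)
    for f in found:
        print(f["kind"], f.get("key", "Startup"), f["target"], "UNTRUSTED" if f["untrusted"] else "")
    print(stable_indicators(found))
    for path, hashes in parse_file_hashes(FILE_ROWS):
        print(path, hashes["SHA256"])
```

When hunting with these results, pivot on the constant pieces (a Run or RunOnce value named Parametr under HKCU, an executable dropped into the per-user Startup folder, and an autostart target in a new directory directly under C:\) rather than on the listed names and digests, which the two runs show to be per-execution. Note also that the .ini written to the profile root encodes the host: 253086396416_6.1_Admin.ini on the win7 run and 253086396416_10.0_Admin.ini on the win10 run, i.e. the Windows version and user name are part of the file name, so that path is also not a fixed indicator.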