Analysis Overview
SHA256
67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180
Threat Level: Shows suspicious behavior
The file 67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 23:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 23:23
Reported
2024-10-25 23:25
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\IntelprocKX\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBLI\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKX\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocKX\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe
"C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\IntelprocKX\xbodsys.exe
C:\IntelprocKX\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | d29385c614d5cd8c91f967161d33ad3a |
| SHA1 | b9d2dfd6ef54b765d297c57c648a560b66417e9e |
| SHA256 | 7ad649a9747b96902b15c5d6be6ef5876873b71a3d234f35488274c45c01cd1e |
| SHA512 | 2fedf43374896d5f975665d991e64a9ef143d73b67fb6ccb86df5b43257f992bc67ba932716849eea03acfb3d44acf76d6683ab98b36fef978c0eec43cd1492f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | c040d06ce02d447f641203cf9bec06c0 |
| SHA1 | 9ae983b32d8484a7110155480ab5118fc17dec95 |
| SHA256 | e5a7ae2dd68b4482c371fc4a795edefcbd8be11b781a4316d66017c470e3b5ce |
| SHA512 | d73dbdd22255fe97d7e2a2b2a0205c38aaa49c2cd78d237cf0f0392657c888cb81d5cb5115d998f89e67db538e1666af2f58e28800714ae11cb5f3c466b2c089 |
C:\IntelprocKX\xbodsys.exe
| MD5 | e9dc157333eff9a675cc526ad735d125 |
| SHA1 | b48d8abc0cd690b521b63d644bb40bef40c7b8ad |
| SHA256 | ffac05e08ea28426821ed9128f5d96cec520a3f141a8f487daeee800e4eed061 |
| SHA512 | c4d5afd2803ba7071a20aec9ebd5865f79a967b57c608b1d36bff628b628f47408f8ee99e5b459f7c3c48958bcba9cf3b5f282e1b6aab3b441af07c6d64d10c5 |
C:\KaVBLI\bodxloc.exe
| MD5 | cd365c53785bbcff1eee7b947c8231db |
| SHA1 | 58c85b3c1f2e102c978d5fa576839c21b272e9c4 |
| SHA256 | f2432bdee41ad5e6de1c2918f36da3cc1a89181306feed014e4a8a9e86fdaebd |
| SHA512 | 08f33c3152794534abd9d05a4db1229c0407135fdd9ab145839c6e9998325d7258f9227e8eb68be5c3fc42a808cc1d90a28a5fbdb71634c65eb0c042cca89548 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6df562ed9ec7ba693c77fcacf822004e |
| SHA1 | 9f062c14e68f5e54341518022ea96994dc324abf |
| SHA256 | c768fe63b6a123d97fc932a1e8459050e632c97386ebdd8ad8a331c6c943af6c |
| SHA512 | 4926e54314a2d244e14448bb7186e50669a96e146d367cd1c4e0464bd932eb444099a0a607a7fc0452a7e0c48a71b768ca805089159e7faafcfe83b78b56bb67 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 23:23
Reported
2024-10-25 23:25
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
108s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\AdobeKP\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVM\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKP\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeKP\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
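A hunt for the persistence pattern these two detonations share, written here as an added example for this page (it is not part of the sandbox's output). The dropped file names, directories and hashes differ between the Windows 7 and Windows 10 runs, and the profile-root .ini is written twice with different hashes within each run, so the hashes in the Files tables are weak pivots; what stays constant is the Run/RunOnce value name "Parametr", the <drive>:\<new top-level directory>\<name>.exe layout, the Startup-folder copy, and the <digits>_<version>_<user>.ini marker name (6.1 on the Windows 7 run, 10.0 on the Windows 10 run). The event records below are constructed Sysmon-style dictionaries (EventID 13 value-set, EventID 11 file-create) modelled on the Signatures tables; the field names, the severity weights, the escalation threshold and the benign vendor-updater entries are assumptions for illustration.

```python
"""Persistence hunt keyed on what both detonations have in common.

Rules key on the stable indicators (value name "Parametr", exe in a fresh
top-level directory, Startup-folder drop, profile-root marker ini) rather
than on the per-run file names or hashes, which change between runs.
"""
from __future__ import annotations

import re
from typing import Dict, Iterable, List, Tuple

# Value written under the per-user Run or RunOnce key. Sysmon EventID 13 reports the
# key as HKU\<SID>\...; the sandbox above shows it as \REGISTRY\USER\<SID>\...
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# An .exe sitting directly under a top-level directory, e.g. C:\IntelprocKX\xbodsys.exe
# (Sysmon logs the data unescaped; the sandbox export shows doubled backslashes).
TOPLEVEL_EXE_RE = re.compile(r'^"?(?P<drive>[A-Za-z]):\\(?P<dir>[^\\]+)\\[^\\]+\.exe"?$', re.IGNORECASE)
LEGIT_TOPLEVEL = {"windows", "program files", "program files (x86)", "programdata", "users"}
# Executable created in the per-user Startup folder.
STARTUP_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE
)
# Marker file in the profile root: <digits>_<major.minor>_<user>.ini (253086396416_6.1_Admin.ini).
MARKER_INI_RE = re.compile(r"^[A-Za-z]:\\Users\\(?P<user>[^\\]+)\\\d+_\d+\.\d+_(?P=user)\.ini$", re.IGNORECASE)


def evaluate(event: dict) -> List[Tuple[str, str]]:
    """Score one Sysmon-style event. Returns (severity, reason) pairs, possibly empty."""
    findings: List[Tuple[str, str]] = []
    if event["EventID"] == 13:  # RegistryEvent (Value Set)
        m = RUN_KEY_RE.search(event["TargetObject"])
        if not m:
            return findings
        key, name, data = m.group("key"), m.group("name"), event.get("Details", "")
        if name.lower() == "parametr":
            # Same value name in both detonations regardless of the dropped file names.
            findings.append(("high", f"{key} value 'Parametr' -> {data}"))
        t = TOPLEVEL_EXE_RE.match(data)
        if t and t.group("dir").lower() not in LEGIT_TOPLEVEL:
            findings.append(("medium", f"{key} value points into non-standard top-level dir {t.group('drive')}:\\{t.group('dir')}"))
    elif event["EventID"] == 11:  # FileCreate
        path = event["TargetFilename"]
        if STARTUP_EXE_RE.search(path):
            findings.append(("medium", f"executable dropped in Startup folder: {path}"))
        if MARKER_INI_RE.match(path):
            findings.append(("low", f"profile-root marker ini: {path}"))
    return findings


def hunt(events: Iterable[dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Group findings by the process that produced them; silent processes are omitted."""
    by_image: Dict[str, List[Tuple[str, str]]] = {}
    for ev in events:
        for f in evaluate(ev):
            by_image.setdefault(ev["Image"], []).append(f)
    return by_image


def flagged(findings: List[Tuple[str, str]]) -> bool:
    """Assumed threshold: one high-confidence hit, or two independent medium hits, escalates."""
    sev = [s for s, _ in findings]
    return "high" in sev or sev.count("medium") >= 2


# Constructed events modelled on the two detonations above (EventID 13 = value set,
# EventID 11 = file create), plus two constructed benign events to show the rules stay quiet.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\KaVBLI\bodxloc.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\IntelprocKX\xbodsys.exe"},
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Users\Admin\253086396416_6.1_Admin.ini"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\AdobeKP\xbodloc.exe"},
    # Benign (constructed): a vendor updater registering itself from Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\ExampleVendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\ExampleVendor\updater.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_EVENTS).items():
        print(("FLAG " if flagged(findings) else "info ") + image)
        for sev, reason in findings:
            print(f"  [{sev}] {reason}")
```

Run against the constructed events, only the dropper is returned, with three high, four medium and one low finding, and the vendor updater produces nothing. The sandbox caught the RunOnce write at the moment it happened; on a live host a RunOnce value is deleted once it has executed, so a hunt that only reads the current registry can miss it, which is why this keys on value-set telemetry rather than a registry snapshot. The Run value and the Startup-folder copy, by contrast, survive reboots and can still be checked on disk.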
Processes
C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe
"C:\Users\Admin\AppData\Local\Temp\67e2049965629c91c2719c6d2a25b40a1be1d91edd30c85be1466918d8c6b180N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\AdobeKP\xbodloc.exe
C:\AdobeKP\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | cb5b53e727d5053b5b9373928272cfbf |
| SHA1 | 07da318d06c86f8a5e8937511777f1b99c82b3c9 |
| SHA256 | 988b2bfbd3be761d38ab61ceb90b65625c52260e839358ab1ec860b539598578 |
| SHA512 | 139c87761a4868e003c6622cc878e1765b42b1072c6664afefb0bae9546cad528b1b5378414034d3f3c3b7f8151cb3c05c9b8a43bc3ca59e0838840f2b88718c |
C:\AdobeKP\xbodloc.exe
| MD5 | 4765ecf8a699e5fd9d0328af65cebacd |
| SHA1 | c77985d31e061364cabc8e95cd30ab7cc7d0c642 |
| SHA256 | fa42f37a50e7362b69128fabffe4bfcb1c7de8ce273841736862fbd2e12c8074 |
| SHA512 | 37295596bfc7a4591950a66e83ad65d96d9eefeda17ac0b1b847ec5c31544f450645e57f74eca042885352a90658ab821599539dce534a379ee4de2199faddec |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 75914ec5f28e1ffe8b0b6d6c7a12d09e |
| SHA1 | b99e14d4e4d9975a6b30311cdbea958ead71c336 |
| SHA256 | 0fc280959805515cde93c541dc36ed4bb7c7d01d690d9177ece69992feab5d5d |
| SHA512 | adeb776b949f699fc032d72e6c86e22141b98d527ad52c7723eb3e4a3209e6702665c01265e77996403f250beb6bfd2305917a82139c627a20cfc98d67cd087a |
C:\VidVM\dobasys.exe
| MD5 | 204c53913f12c79950e195019bd395d6 |
| SHA1 | 7e824f5cd4ffaff39a3229f0ac628b00e91b8c6e |
| SHA256 | 7bcdbc1e0f77976891d45210185091d9dd57c65d8f87dc9d0d15a3cbcccd5168 |
| SHA512 | 1b256535062e4ff686292b8f2732999ac9186d09d2a14c5a27feaa9619f556b86833f0a916d67d777e2fb390f5b0fb21723313df7066fefd6f152018a113efab |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0b668ada093c59ab54cb04e2d2156ab6 |
| SHA1 | 7fd6240427ccf02c3c567ca56ccee3f6e2497c19 |
| SHA256 | dabf9ea1e32488aa3e8e1d02b621d0a6ff2cad91401cb56d9da08b84237af27a |
| SHA512 | 45391a00884125a1fd3cd9b748dfa09f0c42f8103fd1765ed3675231d92b180f51cc90343f6ff764b3c08e3ce60135f8c7d2cfc808e1fcb85f663639a275924c |
C:\VidVM\dobasys.exe
| MD5 | 613e03eec83ccd1054521cdd6e340083 |
| SHA1 | efeda34b01038d84bd6c5493ecdc67436a0e7ffb |
| SHA256 | 326c30ca68509e5eb1b11643a1d3559dcf645836d56abdeee0e0eaf60836c787 |
| SHA512 | 184441145f0911c1b3e4a63514a91ad5e44dd120a66464b9f678a86a42583d18b5ca7c43b0a359e46768b4d6615f8456a6a69faff0a1fbaf2361c39f1d423fab |