Analysis Overview
SHA256
15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448
Threat Level: Shows suspicious behavior
The file 15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 04:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 04:30
Reported
2024-10-26 04:32
Platform
win7-20240708-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\UserDotCS\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCS\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidTW\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotCS\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
"C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\UserDotCS\xbodsys.exe
C:\UserDotCS\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | f928f5cb35f3f802095503da21f17900 |
| SHA1 | b48edbe9c7d1aba9eb967e5ceb50b02daef6a4e3 |
| SHA256 | 09817acd5fa05786ca92decac46bb92cd94333807b764b2a3c12be7a714d332d |
| SHA512 | 1a02cd9b9be5d5b8099c5a6f5a027ef311764d0935149c6eecfa92338f0b5de0c0d08d23d5a3789ab646f516e01a97ffdd28f2c8258f55ae70d7dc6c085bc54e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8a2b6d3f9f8ceb017044c2cdd227d610 |
| SHA1 | 325214b44483a83f82377883a0223daa9e971be0 |
| SHA256 | 7f2fb295326260d74eeb0a43f9f193c2b6e2361f4367c82aa9458f424135a4cc |
| SHA512 | 02b100b3d8d5c8bc501435224e8e358e600adc3f850e026af3d99124df883305fed1c7b6b042a1ecf42c512131e7f127ca664d3b8c6e815582626b1f535e729f |
C:\UserDotCS\xbodsys.exe
| MD5 | 3a4a4d8840b66fa9ae78da2f121577f4 |
| SHA1 | b350312aa0d40658985220a5f8bd8f25da7af085 |
| SHA256 | bd7c1cba70327a236357fa8948003da5889fe33962d87f3d4aebcee09dc05498 |
| SHA512 | 4c77235ded11af1f34e0cc2f1c2ee7e25eb8f863a30c6a23e6afa19cfb9ab045d66605173aa06cd1af898ec6a00d6b06afe3c383d91a5c693bb9180e51456a7d |
C:\VidTW\dobasys.exe
| MD5 | 0cac7cacce02f5f5596f5d08d7630358 |
| SHA1 | 5da2db0c35b63b470545c75f0aa8d46992ac8e84 |
| SHA256 | 65efafdcd82e51abcea27875cf1cbd9f15023b8b8b2dc60fbe6908ed260951cc |
| SHA512 | bf69d89ca3046dec0c6ca002c7a4917bd961831e8f24d135286c84bae7da4f2b28b4b8a24e280b0f243957d1669a1750ed3d92f28fb08c7833fe73adb8741d1d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | c7123403c7d607b2b7fc4f18187853d9 |
| SHA1 | 2cf2c5789f07c2d95fea9878b36947aa1f3ddb17 |
| SHA256 | 1f4f89f8182546b29c8f2f391f041efe16d7963426415e97621258f8b7774019 |
| SHA512 | 3106c8b3d17f7b5758129373b397acc056e12542f734b71f3021692048df8727a6a4619a55f5d11fec6aae754343bbd1181b8b59c87676fae9fb24b45e1acc4a |
C:\VidTW\dobasys.exe
| MD5 | 467eef31be94831d5bd6003423547169 |
| SHA1 | d18b8350c7273b5115ea0bfa5d60acffd9d43649 |
| SHA256 | 68a58789cc93159291b04b19a4d2e676cfe93038e25b8385aab49b5b4d4463ed |
| SHA512 | 3f9b41f8048e7ad66417c822b9d27eb35e20d3912019ae418ee7c1eec55441dcd4d200897063173ecf70437e7a7f2d20f33c5be924018b383e9145d093686c42 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 04:30
Reported
2024-10-26 04:32
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\FilesP0\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP0\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTR\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesP0\devbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe
"C:\Users\Admin\AppData\Local\Temp\15b8fadbf14ef9a3f729fb410f8db362e27f7a18aac41fb496feca06cf1e8448N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\FilesP0\devbodsys.exe
C:\FilesP0\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 075103a38e58ccda2b4213017c671dfb |
| SHA1 | 9c2177b52c0e15a5cf7c7a7db79e250542ce09b1 |
| SHA256 | 8d78c8edf9c5423256ba484849772a920422236052237b4d1b230f35c8fe8607 |
| SHA512 | 3aa12d7a5031604ab5a094d0ce066e94ba30d1d60ee68834799a0c9c1eb741b379fb5ac3fb7b8221e1faf0ae6ddb3e4ead1d43b39d50d0e858fe5a88ef7b5df7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6a64c9ba46a6f32dc6b2aeca90b309cb |
| SHA1 | 432e0de09b22ac58f64943e0160910909380f96e |
| SHA256 | c546265db78c4cc30e0e2dc8352823d715cc121b70b501ad100729030e61d7b7 |
| SHA512 | 1246202a58cc63ef5bcfaa9ad7e67556e5e23a68e3eaac0ff95077d5ceef62fc2f1e562ad340e9574027db6507820e88e096160cb11860d3ddac4903f0b4deda |
C:\FilesP0\devbodsys.exe
| MD5 | b30af74c34a007928f25b3c482d6aeba |
| SHA1 | 111abb46b79b44819e95067b1b91c24e37f73cb4 |
| SHA256 | 1071a2c72c386796b985c82ce94e08aca150bdd2b9c75c6e6b13e0d9494003ea |
| SHA512 | 4665dd8cede04b8f67c2e8dcb48ec38fe8c556c5692ffb92ebcbc656f7b1880947d4bd439a0c5906b3c93f0d0c18b3b39c79470d1f510dd5c5fa41152e445041 |
C:\FilesP0\devbodsys.exe
| MD5 | 45729fefe85d6941a3f8639fa40ed6ce |
| SHA1 | ef3bde99214f2da29dd6ebdbf98517bd6ba35b32 |
| SHA256 | 1f3a75fbfbc2dce916cd50a5ab379f3f41b56b3ab68b03b22cf324f93e79b6c5 |
| SHA512 | e496d8bded7959a1ef9657862910dc78b000e9d181bb95e7725797cc6b01a0e0d4a913073ba3a465f6d70fca08fceedba84374d19fc10857e7844efa6456f185 |
C:\GalaxTR\bodxloc.exe
| MD5 | 759aec5f038416e01893d90cfe048577 |
| SHA1 | ca4fb61ce8b05248741f436c357e8f398a765384 |
| SHA256 | 80dce40506c7a13c6a3e02c2a65f17f09350181f3893361a9acd8c0e860958b4 |
| SHA512 | 3bd433964bc697503ad75d279a10efc318bf6ff53d0c6959885b936b4c24a8e1d47045ce3bfde5e3627b8fb1bf79ab50d8ec9bd00fb50508356168a55a0f93a1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 590bbc03bea59ca5eec167e87d81ec63 |
| SHA1 | 286454970195b190514d3c52badfafb4be07a082 |
| SHA256 | 5eb17119a80045c2d9d07fec509c4e31d30d5a7513aced8b51032551d6ed3822 |
| SHA512 | 5153bea746079bd40547ae9c72e3de9f0f772321f2851259edbace6a3b178ed09e7c598b4cd31ea25450843656eb044423e96e30980927693ee13d5db20a419c |
C:\GalaxTR\bodxloc.exe
| MD5 | 49af68b42b3107ac792422c10fe0b74f |
| SHA1 | 5fc398ad18774ec4495f063f018f4db58862dbe8 |
| SHA256 | 83a7f31b8578e7a00a994f3dbe8e71747a382cf0e351c7d7fa0610dded8976c4 |
| SHA512 | 89a91aafb5af39699748f6b84a6bc5db955d5f5d4474447893b829c9fed9377a791c01483bbd890bff4c7e24d20a7a372137094dd20fe9de5c9057a61f4a37dc |