Analysis Overview
SHA256
3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5
Threat Level: Shows suspicious behavior
Verdict for the file 3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:12
Reported
2024-10-27 22:32
Platform
win7-20240903-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\IntelprocTH\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBBF\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTH\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocTH\devdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
"C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\IntelprocTH\devdobsys.exe
C:\IntelprocTH\devdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocTH\devdobsys.exe
C:\KaVBBF\optidevsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVBBF\optidevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:12
Reported
2024-10-27 22:15
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\FilesCW\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCW\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3F\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesCW\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe
"C:\Users\Admin\AppData\Local\Temp\3fd8820cef3f225be64863db12c141f9b3f4f94556b61f716f820ad81c45ecd5.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\FilesCW\xbodloc.exe
C:\FilesCW\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesCW\xbodloc.exe
C:\Vid3F\boddevsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Vid3F\boddevsys.exe