Analysis Overview
SHA256
31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359
Threat Level: Shows suspicious behavior
The file 31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:36
Reported
2024-10-27 21:39
Platform
win7-20240903-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\UserDot43\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot43\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxH9\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot43\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe
"C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\UserDot43\xbodsys.exe
C:\UserDot43\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | 46a69cbe9fb39874af91983f53abdeea |
| SHA1 | 8e20bbec5883a8530ee13edb3d8406b20989a337 |
| SHA256 | 359cef6027a9c1ccb5d9b730764c0da453141f93227f03450108a17355c2f5c6 |
| SHA512 | e8595354af1e48ef876661dfaae4261802bed50cf4da7759d55795c546e9214a00083fdea5d140132883e0b3287af0dc581c0ec85a2cb0a95ccc5e3e5e7fc697 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ef46635097bdf6395e4b9c2c867e6b33 |
| SHA1 | 44097f431664253110c635ce3056343e0fe0094e |
| SHA256 | c16a3265d0ce27a64198d065d55516222a4a3f84b418787380fd0b18a836f9ce |
| SHA512 | abccb6cdd52990ffff6c3e82f5179453b0000adab640bfc5df14a309e8aa4a177e1bf1d4d42ca03a33e0cf23d16fa2a50908b7e44f49c219c7a2e17402574976 |
C:\UserDot43\xbodsys.exe
| MD5 | f15de1972cbcb77aaa59960534684a9a |
| SHA1 | 7c3caba854a84f447308e0363a027e5302cfc305 |
| SHA256 | 699fbe5f898634e3d00b7b3f30d39e0ac80202b2798ad4ca1b36c94d6d27ff55 |
| SHA512 | bae76d8b68f048f7632f9502d38a54ddb04d4cdb38983c8bf04c7bd9ffe26ab0712e8821b097ea454a1da63d8171e7307c26d9c65dca383679aa34037c462409 |
C:\GalaxH9\optixec.exe
| MD5 | 34923a11e08a45f773ae24149cbf60a7 |
| SHA1 | 9810e4dd2ba1cd48ef5020a3ee89ae88581b4127 |
| SHA256 | ba102775f31ee0008fa4d8ef4810f677060bb79f56b745fc69f76c78b919def7 |
| SHA512 | f1a6bb98f880bd5f8c8a4d0fe440fe8031b68e6b085baea5e8914dd251145b22826c921f3533bb405aa51a73c1791b3e49b9f7329628f8d269c660fc05eeb677 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3699af2d370015871375a71ceffca869 |
| SHA1 | 2bcd6fbf1df20f0989d9cd73bfe03635c0fa0941 |
| SHA256 | e3a4d9f32d1cf185477e10e09cee3042c8b745022864f1652eb2a44d731636c2 |
| SHA512 | 9a2183691b562b81d7a6db5aa488c975cdf8f2ac9f141dad6d0d973527d2ccd6594a19702bce60aebc641c5b9430d8b84a57c16359d36d362e65ab52522e76e5 |
C:\GalaxH9\optixec.exe
| MD5 | e5a30f9e02391f4d724fe1b3575859a9 |
| SHA1 | 01f89d50ed890a0692a57b4465775722a5f6e460 |
| SHA256 | cadd45317b7597e2ef5e3e5af9be53d32c80ff57f91da7b42e1e9858d1c75d0f |
| SHA512 | 5d91b5d61dc6c0096ff39645da62cc4917ed56ef6b795a07576a45b65370e708f6c9a262f7145a7cf5dde55156b010a8c862853561c370862c5714de33ac71bb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:36
Reported
2024-10-27 21:39
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\UserDot01\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot01\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7Y\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot01\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe
"C:\Users\Admin\AppData\Local\Temp\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\UserDot01\devbodloc.exe
C:\UserDot01\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | 45f51adf28d74a5c3a20150f516d36c4 |
| SHA1 | c3c4dcb07db3e8f111e1ff76ef97b6824fa52c46 |
| SHA256 | daaac29dfc08040276bdb698989df1ee818378a955bb82d55cb04d5591f5ab88 |
| SHA512 | da8e37fc0930afc4c534f77614ffcc16a07f1d19706274bd8575c2706ddcc5688a2232c8247a4b9937edfe30a27161b80beed263ad83d2a5d2900a0280fd326d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8eba4d10ca24df5a52593393fcc65e51 |
| SHA1 | 08ed4b893f38e469f66b1f072db1206b2ffb29bb |
| SHA256 | d8f6b7e11176c5558fae481ff61bd9c2b73753945b7379c7ca995f3504a48474 |
| SHA512 | 67d6092fba249009973c7dee2b8c813d44366d3a01bcd8a3cc3852fbefa45dd793424d8f6b0201806c488150d88890caf28701f14a56d360a603ed6a9e804950 |
C:\UserDot01\devbodloc.exe
| MD5 | 55aa27b46eed83f6764802931016d915 |
| SHA1 | 0497ee00227f584e1b7aa341f175037dbe4b3886 |
| SHA256 | 8af5d545a9adbe4d54cef4b39e1d198acabfaf7b8632728f367743dfd92b63bc |
| SHA512 | b4a5af795e879c1158b1919d452448cd77fd30161dd8223ed4be05b4e36a0fa279cd385af0a9f0051701760a6e96ae094ec04ea41e484edd6856d6ca4f0fddd3 |
C:\KaVB7Y\bodxec.exe
| MD5 | 263818a8f15173c4f33f4b40062f5cc0 |
| SHA1 | 92e753ed1650f3446ba42b7c4b04e80191feef13 |
| SHA256 | 75b698dfc599ece58d93c4c08192efc54d37b7f902adc9f82002e7ad5825cce7 |
| SHA512 | 6645811b23ef64f8922973c1c23b258e919025848f7e177d71f990d0376d4987f4a2f362ff5e9bca0837a1d84a485692ce836c79916e0d02139752de1224fb0e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e4a33d16356a3301cee5778e4d4c5a42 |
| SHA1 | 93d88a4ec03ce3c30b38e6e1620b77e908d59870 |
| SHA256 | ccdbf3f24f732f807908dff14fec2bce60f282e9349c73ee0369b17c459e50df |
| SHA512 | 69ded3c78aa0734687372aa41d9b2138c21659ae98aff4cc56b4029256664d95c98db9c54e8614a8e4943b639c2066da39c399c09165920a7a04f814b38d67fe |
C:\KaVB7Y\bodxec.exe
| MD5 | 749b02271ce95f296a01cca9b5b3cbe6 |
| SHA1 | 67f4745313dc38b6014647014a663aae3c5b69ff |
| SHA256 | b49fefd3291fd517562490d91509974413c562c2ae440575fdc24ec17beaaa20 |
| SHA512 | 2222662a39907169b34d24246b007ea362465c09f6bdeeed98f70efc6f5d31cdd375152d9683b8bdade9963321796a402f88f11de20bb95cd60b05deafcff01c |
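Detection logic for the two persistence behaviors recorded above, added here as an example (it is not part of the sandbox report). Both detonations set an HKCU Run and RunOnce value with the same value name, "Parametr", while the dropped directory names (UserDot43, GalaxH9, UserDot01, KaVB7Y) and file names change between runs, so the value name and the key location are the stable pivots rather than the paths. The event records below are constructed from the report's own registry and file tables; the Explorer\Advanced registry write and the Accessories shortcut are invented benign controls, and the "image outside Program Files/Windows/AppData" heuristic is this example's assumption, not a rule from the report. The technique ID T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) is the ATT&CK entry covering both behaviors.

```python
"""Flag Run/RunOnce persistence and Startup-folder drops in sandbox-style events.

Added example, not code from the report. Sample events are constructed from
the report's indicator tables plus two invented benign controls.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Per-user or machine Run/RunOnce keys; the report shows both 'Software' and
# 'SOFTWARE' spellings, so match case-insensitively.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE
)
# A file placed directly in the per-user Startup folder.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE,
)
# Heuristic (assumption of this example): persisted images normally live under
# Program Files, Windows or a user's AppData; anything else deserves a look.
TRUSTED_ROOT_RE = re.compile(
    r"^[A-Z]:\\(Program Files( \(x86\))?|Windows|Users\\[^\\]+\\AppData)\\", re.IGNORECASE
)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\31ddf9b7ad74da7950c8c2e6fd9ab5be704b6cb85d159f97050494cb5f275359.exe")
HKU_WIN7 = r"\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000"
HKU_WIN10 = r"\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000"


@dataclass(frozen=True)
class RegSet:
    key: str
    name: str
    data: str      # as the sandbox prints it: quoted, backslashes doubled
    process: str


@dataclass(frozen=True)
class FileCreate:
    path: str
    process: str


@dataclass(frozen=True)
class Finding:
    technique: str
    description: str
    process: str
    image: str
    value_name: str = ""


def normalize_reg_data(data: str) -> str:
    """Turn the report's '"C:\\\\Dir\\\\x.exe"' rendering into a plain path."""
    return data.strip('"').replace("\\\\", "\\")


def detect_run_key(ev: RegSet) -> Optional[Finding]:
    if not RUN_KEY_RE.search(ev.key):
        return None
    image = normalize_reg_data(ev.data)
    note = "Run/RunOnce value set"
    if not TRUSTED_ROOT_RE.match(image):
        note += "; image outside Program Files/Windows/AppData"
    return Finding("T1547.001", note, ev.process, image, ev.name)


def detect_startup_drop(ev: FileCreate) -> Optional[Finding]:
    if not STARTUP_DIR_RE.search(ev.path):
        return None
    return Finding("T1547.001", "file dropped in per-user Startup folder", ev.process, ev.path)


def detect_persistence(reg_events: List[RegSet], file_events: List[FileCreate]) -> List[Finding]:
    findings = [f for f in map(detect_run_key, reg_events) if f]
    findings += [f for f in map(detect_startup_drop, file_events) if f]
    return findings


def run_value_names(findings: List[Finding]) -> Set[str]:
    """Value names used by Run/RunOnce findings; stable across runs here ('Parametr')."""
    return {f.value_name for f in findings if f.value_name}


def persisted_images(findings: List[Finding]) -> Set[str]:
    return {f.image for f in findings}


# Constructed from the report tables (last registry event and last file are benign controls).
REGISTRY_EVENTS = [
    RegSet(HKU_WIN7 + r"\Software\Microsoft\Windows\CurrentVersion\Run", "Parametr",
           r'"C:\\UserDot43\\xbodsys.exe"', SAMPLE),
    RegSet(HKU_WIN7 + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Parametr",
           r'"C:\\GalaxH9\\optixec.exe"', SAMPLE),
    RegSet(HKU_WIN10 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Parametr",
           r'"C:\\UserDot01\\devbodloc.exe"', SAMPLE),
    RegSet(HKU_WIN10 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "Parametr",
           r'"C:\\KaVB7Y\\bodxec.exe"', SAMPLE),
    RegSet(HKU_WIN10 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
           "Hidden", '"1"', r"C:\Windows\explorer.exe"),  # invented benign control
]
FILE_EVENTS = [
    FileCreate(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe", SAMPLE),
    FileCreate(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe", SAMPLE),
    FileCreate(r"C:\Users\Admin\253086396416_6.1_Admin.ini", SAMPLE),          # from report, not persistence
    FileCreate(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk",
               r"C:\Windows\explorer.exe"),                                       # invented benign control
]

if __name__ == "__main__":
    for f in detect_persistence(REGISTRY_EVENTS, FILE_EVENTS):
        print(f"{f.technique} {f.description}: {f.image} (by {f.process})")
```

Run stand-alone it prints six findings, four of which carry the "outside Program Files/Windows/AppData" note; the Explorer\Advanced write, the .ini file and the Accessories shortcut are not flagged. In a real pipeline the same two regexes apply to Sysmon Event ID 13 (registry value set) and Event ID 11 (file create) records, with the Run value name and key location as the hunt pivots.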