Analysis Overview
SHA256
31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e
Threat Level: Shows suspicious behavior
Verdict for 31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e: shows suspicious behavior (no further classification is given in this report).
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:35
Reported
2024-10-27 21:38
Platform
win7-20240903-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\Files7Q\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7Q\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAY\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files7Q\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe | "C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe" |
| C:\Files7Q\xdobec.exe | C:\Files7Q\xdobec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | 95dde4851dff3e148cbd1efb097b86b4 |
| SHA1 | 2591177f4cb2f61a165e4514a51d810065d529c5 |
| SHA256 | 96cdde4a2127f254ad71d802ae92e725777003c57183174b6608d17f4eda17e5 |
| SHA512 | 6f5a1e20163dca3f5fcd28931052ab495e8d19bf5b2650d95a2ded3b48a5d258497d77bfea959364c627c4a87ebfe3e9ff16011bfaa5d5452bb28af887bdf5ff |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 047c8ed88c62789dc5ccb49040f4fe5f |
| SHA1 | 00341f59cd3280ddf9c4602eb561f0f44f595641 |
| SHA256 | 6f01b2a45132c8b576b7194f6bbe6b651764f7b902d7d5b69f80af97ee849fad |
| SHA512 | e89f3003fc1e70e22e9f79590906114cd1bc09f13608fb8687ac5d5035478d947ea25272c6f7fb2574db6738eab3291b6306c5b3f1497b31b37116a9570c62dc |
C:\Files7Q\xdobec.exe
| MD5 | 04f0e9c6e30c3231857de44198164d34 |
| SHA1 | 70046c6a4aba0ba10fdf83c96f564979472ae123 |
| SHA256 | 9d0f5b91ea6bc9144ae3dcbd925e9b939517c1b793da582050b9cd6a2d3f9dce |
| SHA512 | 22290b0d577b6205de07ce74d0120064268b8eaf47f839e77b5f79ea0b9945b98c27cddd3466efab1443f26778401b681992336bad8754399a2ec4ef77d18d6e |
C:\MintAY\boddevloc.exe
| MD5 | a6ecb6895294f7cd04093d8561536ad5 |
| SHA1 | 67d0bca35dd52af79e016677553c27fb88ea1e6d |
| SHA256 | 6987862557d8c1ac23b20365c2e2564000e6846caead1e81208bf398188a4450 |
| SHA512 | 12e1d481e8cecbb5331a804fd466038a0a312433baaeec5b5d29165296774c01aadf35c9a59e26c616c0ce32cba4c1e8c1de3093172aadf23b871471ba3d4dba |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 921f7c3f4d0eaaaa62328211b280f198 |
| SHA1 | 46af0ee09cf4f9175d434311e023b3bc039f0123 |
| SHA256 | d0d802c3fe0f5eb43f369528ff682a872bf70f5ced1b0106b32995808d46290e |
| SHA512 | 870ac9c7fc10b4e3d49236d37a3c0f42867508d5f38722064e095c55819ad3dc32d76c427c2cb7a8bce9587f1882ed69a8ced533e145756d6e08973b36c2d471 |
C:\MintAY\boddevloc.exe
| MD5 | 8486e4db3a0efacde8a1831fa05d4121 |
| SHA1 | 881c4ef5b154c63898ca53c4604cffa67b92e8aa |
| SHA256 | 2b9b5a39aa9ae17582a1b69c6fd66cdb40e8e08f3ead873e33d55c091209876d |
| SHA512 | 3d7b19442ca07ae8cb3c1f2a5c7ded0637665a74f49286d914c9b73645ac9fcd89298f3b2461fdcbea0eee561909933b200e908e4cf9e0610f3f222771a524f4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:35
Reported
2024-10-27 21:38
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\AdobeRN\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRN\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZKQ\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeRN\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
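Added example (not part of this report or of the sandbox's own tooling): detection logic for the persistence chain recorded in both detonations, run over Sysmon-style events constructed from the behavioral1 and behavioral2 tables above. The dropped-file names and hashes differ between the two runs, and within one run the same path (the profile .ini, the RunOnce target) is written twice with different contents, so hashes of the dropped files make poor indicators. The rules below key on what stayed constant across both runs: the Run and RunOnce value name "Parametr", an executable written to the per-user Startup folder by a process running from %TEMP%, Run targets in a freshly created folder directly under the drive root (Files7Q, MintAY, AdobeRN, LabZKQ), and a `<digits>_<osversion>_<user>.ini` file in the profile root. The Event class, the event IDs (11 = FileCreate, 13 = RegistryValueSet, modelled on Sysmon), the KNOWN_ROOTS list and the benign control events are assumptions made for the example.

```python
"""Host-detection logic for the persistence chain in this report (added example).
Events are CONSTRUCTED in Sysmon style (ID 11 = FileCreate, ID 13 = RegistryValueSet)
from the behavioral1 (win7) and behavioral2 (win10) tables; they are not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# The sample as executed by the sandbox (path taken from the report).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe"
STARTUP_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
CURRENT_VERSION = r"\Software\Microsoft\Windows\CurrentVersion"

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# Both runs wrote <digits>_<osversion>_<user>.ini directly under the profile root;
# only the shape is matched, the digit prefix is not assumed to be stable.
INI_RE = re.compile(r"^[A-Z]:\\Users\\(?P<user>[^\\]+)\\\d+_\d+\.\d+_(?P=user)\.ini$", re.I)
# First token of a Run/RunOnce value, with or without quotes and trailing arguments.
EXE_PATH_RE = re.compile(r'^\s*"?([A-Z]:\\[^"]*?\.exe)"?(?:\s|$)', re.I)
# Top-level folders a Run target is expected to live under (assumption; tune per estate).
KNOWN_ROOTS = {"program files", "program files (x86)", "windows", "users", "programdata"}


@dataclass
class Event:
    event_id: int
    image: str          # process performing the action
    target: str         # file path (ID 11) or registry value path (ID 13)
    details: str = ""   # registry data for ID 13


Finding = Tuple[str, str, str]  # (rule, image, indicator)


def non_standard_root_target(details: str) -> bool:
    """True when a Run/RunOnce value launches an .exe from a folder created directly
    under the drive root (Files7Q, MintAY, AdobeRN, LabZKQ in this report)."""
    m = EXE_PATH_RE.match(details)
    if not m:
        return False
    parts = m.group(1).split("\\")
    return len(parts) >= 3 and parts[1].lower() not in KNOWN_ROOTS


def detect(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for e in events:
        if e.event_id == 11:
            # Executable written to the per-user Startup folder by a process running from %TEMP%.
            if STARTUP_RE.search(e.target) and TEMP_RE.search(e.image):
                findings.append(("startup_drop_from_temp", e.image, e.target))
            if INI_RE.match(e.target):
                findings.append(("profile_ini_marker", e.image, e.target))
        elif e.event_id == 13:
            m = RUN_KEY_RE.search(e.target)
            if not m:
                continue
            if m.group("name").lower() == "parametr":   # literal value name used in both runs
                findings.append(("run_value_parametr", e.image, e.target))
            if non_standard_root_target(e.details):
                findings.append(("run_target_in_root_folder", e.image, e.details))
    return findings


def run_events(sid: str, startup_exe: str, ini_name: str, run_target: str, runonce_target: str) -> List[Event]:
    """Build the four events one detonation produced, from the report's tables."""
    return [
        Event(11, SAMPLE, STARTUP_DIR + "\\" + startup_exe),
        Event(11, SAMPLE, r"C:\Users\Admin" + "\\" + ini_name),
        Event(13, SAMPLE, sid + CURRENT_VERSION + r"\Run\Parametr", run_target),
        Event(13, SAMPLE, sid + CURRENT_VERSION + r"\RunOnce\Parametr", runonce_target),
    ]


WIN7_EVENTS = run_events(r"HKU\S-1-5-21-4177215427-74451935-3209572229-1000", "sysabod.exe",
                         "253086396416_6.1_Admin.ini", r"C:\Files7Q\xdobec.exe", r"C:\MintAY\boddevloc.exe")
WIN10_EVENTS = run_events(r"HKU\S-1-5-21-3756129449-3121373848-4276368241-1000", "sysxbod.exe",
                          "253086396416_10.0_Admin.ini", r"C:\AdobeRN\devbodloc.exe", r"C:\LabZKQ\bodxloc.exe")
BENIGN_EVENTS = [  # constructed controls that must not fire
    Event(11, r"C:\Windows\explorer.exe", r"C:\Users\Admin\Documents\notes.txt"),
    Event(13, r"C:\Program Files\Vendor\setup.exe",
          r"HKU\S-1-5-21-4177215427-74451935-3209572229-1000" + CURRENT_VERSION + r"\Run\VendorUpdater",
          r'"C:\Program Files\Vendor\updater.exe" /quiet'),
]

if __name__ == "__main__":
    for rule, image, indicator in detect(WIN7_EVENTS + WIN10_EVENTS + BENIGN_EVENTS):
        name = image.rsplit("\\", 1)[-1]
        print(f"{rule:28} {name[:16]:<16} {indicator}")
```

Each detonation yields the same six findings even though every dropped file name, folder and hash differs between the two runs, which is the point of keying on behaviour rather than on the dropped-file hashes listed under Files. Windows Defender-style exclusions for "Program Files" are the one deliberate blind spot: the KNOWN_ROOTS check only says where a Run target lives, so pair it with the other three rules rather than running it alone.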
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe | "C:\Users\Admin\AppData\Local\Temp\31c977db990491c1724f3961c969379ed4ee5ff22ffe9355b3037b281de6ab4e.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe" |
| C:\AdobeRN\devbodloc.exe | C:\AdobeRN\devbodloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | f9c913d3b72c99929a416564d345caf3 |
| SHA1 | cb471cc6a7f3cde50f2eb112ba238ef9a80d2e62 |
| SHA256 | dff8c5fa20c1249e075ded373c950219cdbc80a906f208836cf635dc6ca55436 |
| SHA512 | 66dc84d4fa802bf7992be4d608f89c60197123d6873293d0ceca1a5ce70f58ea3e9dd20904bffd082c3f3086aaaf27d2c839e2d8188689b22a0f1b8d5a95d154 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8e4f8e25ae027d8f4518ce4fd8245047 |
| SHA1 | 38e1f243c5accf475a4df277553bca14728eaa08 |
| SHA256 | 38d6d16317f4aa51c31e6b46270458fe5e38b324a9b06a679e685571a32417e2 |
| SHA512 | 37d761820db651719a79f3e37d1924b091666623b1b7093291eb437a3edc0f94de5b9f02811409d219663aedc44518c5969b3a78a25736a84386bd3095d9cbd4 |
C:\AdobeRN\devbodloc.exe
| MD5 | 3231d9317c0e11917f9cf5a2e817ed5c |
| SHA1 | 9c6d7f4d5dca19db43631d6d63eed26ab4e2b9a9 |
| SHA256 | 99c25c756652a7f467bc468bd707dd2d8e4e8ccb0d3b713c31828e8bf6437846 |
| SHA512 | 2424c3740569cfeb5a9e3457233158ace628de277bdc9e2e98b6d432e6a6ab2c0ae97c2a464b6030076d190634ae039dba5ad7fd3ee1d63956ccc0a4b09d0af7 |
C:\LabZKQ\bodxloc.exe
| MD5 | 8429f62f96ca80dbe5229651b247ff63 |
| SHA1 | e5c07bceb19785d896677ffacb69c10cee4572ae |
| SHA256 | e5dd45ad1b1ae2fbb4d87a1037a7a0b87da5ea2e90d4d541b36938fac57eeb6e |
| SHA512 | 99c3d33047ec15b6975a14536c285c056190e47d32e3ee1a8b5106f44c6d5787f714e7aa91d66dac8e0d8afef7d4383bae342ffc7c9ff05ab82eb50182d1d8ef |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ccbfd7d5a8f2183918dec4003ef83d32 |
| SHA1 | 3603d613055a9ff80d90469510cafba4b8ae7216 |
| SHA256 | 6c622a68093fc32641c34aa37391b62a9f334117f5af9bab83821c98ac9341af |
| SHA512 | 6f2e4efba30c482a1433466f547d61ef6ab8ef49406f6bb22c8a35c3a1a01aae30e7da27c8a41a5741ea76225dc598c12045c0ac80be0d2c504dfa519e98e06a |
C:\LabZKQ\bodxloc.exe
| MD5 | 306db0a0c82157510e63b751323e1032 |
| SHA1 | 6a09350c79647c37fe4bcfe60fa7637162b7f758 |
| SHA256 | 747290cde1fe5c8139d8c40f59f4478331771c9d1390f56fb1f68c585e4a128e |
| SHA512 | d3b2f95adcd0f06f6c4519817e3cb87bcf60b71cd5b31c0e0bf6dae2f5a408b9bbc5b13691afd9de97ea2a290e625882a27e980ea212f91acb2409324c5e210f |