Analysis Overview
SHA256
b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71
Threat Level: Shows suspicious behavior
The file b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 14:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 14:12
Reported
2024-10-27 14:14
Platform
win7-20240708-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\UserDotCS\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCS\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidTW\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotCS\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe
"C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\UserDotCS\xbodsys.exe
C:\UserDotCS\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 29d7992a8666996e55e8dbbe63d142f4 |
| SHA1 | 241181b6e1a26a822edf8544854e6d8ad6767554 |
| SHA256 | 2f4c1ed97b55e9ab3543f9f999c10745413d0f4db3b2cd920721de996ad773dd |
| SHA512 | e44b778ea8b14e3dffa09f1955bf3a5e23bb471a1026931af8e9eb13d71831623adb2420034ddbebe500862de9cc7602f1dd7cf43ac28e7206d8ecc848d1c416 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 8a2b6d3f9f8ceb017044c2cdd227d610 |
| SHA1 | 325214b44483a83f82377883a0223daa9e971be0 |
| SHA256 | 7f2fb295326260d74eeb0a43f9f193c2b6e2361f4367c82aa9458f424135a4cc |
| SHA512 | 02b100b3d8d5c8bc501435224e8e358e600adc3f850e026af3d99124df883305fed1c7b6b042a1ecf42c512131e7f127ca664d3b8c6e815582626b1f535e729f |
C:\UserDotCS\xbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 7d613d19051f27c108bfae366a720d23 |
| SHA1 | acd86395aeff24b441a8fab9843fd3fdb85af164 |
| SHA256 | 7866846aaa6bbf08fd40beba87c557a0d6b3d79bdaab5d43018cdee95d57df41 |
| SHA512 | 4fe2acfc2cfb0fbdc4f92f8f6dafecceb435f17da2754d7908513a72e668dcd482a5cb7c427105d655742c20634d10cb2279743f931d14681202e3e39bdcccf6 |
C:\VidTW\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 0aff8ae0a7cbba359fff2f835a18f778 |
| SHA1 | b48d2a78e9168c2b179bef3053b495fc6c39a7cc |
| SHA256 | c58755e21b610ef7ba148bd64dce968c131f0028d09833f396937d1ae238a425 |
| SHA512 | e7c4505735de4604aed5aa1d7e20fe6c3ff580e40ade79b7fe5af20207e840e877c7940f696b9c2425ccd74d4730340cb9737575d4a465af54d969545b89cbc2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | c7123403c7d607b2b7fc4f18187853d9 |
| SHA1 | 2cf2c5789f07c2d95fea9878b36947aa1f3ddb17 |
| SHA256 | 1f4f89f8182546b29c8f2f391f041efe16d7963426415e97621258f8b7774019 |
| SHA512 | 3106c8b3d17f7b5758129373b397acc056e12542f734b71f3021692048df8727a6a4619a55f5d11fec6aae754343bbd1181b8b59c87676fae9fb24b45e1acc4a |
C:\VidTW\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | d5c30fa1cebd0fe0e7855f34a719df22 |
| SHA1 | 385864672c460d68c0e0a0d5cab61545f962dea1 |
| SHA256 | 0348204b16710eadfb353839567eee04743c0be1997479397e6bcf46eb91bc5b |
| SHA512 | 933b893248da3b72d684d7f820d706a1172d07c6f6b29409c3c4674e10ae02373192dd2904602ad5f886997b24256c8063fec7dabadb91c882d293a61fe03861 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 14:12
Reported
2024-10-27 14:14
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\UserDotCT\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCT\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQP\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotCT\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe
"C:\Users\Admin\AppData\Local\Temp\b5e7c4bb75f77d5208ae5bf15dcaca371dcd12ce9f8ece26a84c822f7e1aaf71N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\UserDotCT\devdobsys.exe
C:\UserDotCT\devdobsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | bcdb605ea9d8ed8d8a7e2213f8c74ae8 |
| SHA1 | 35e3bef4ebb8bb3d4cca8f2b97be1fc492786e2a |
| SHA256 | d3abf84fe2844d497131200bc04fbc5a076537cb6ee846e860b624c71e2b6faa |
| SHA512 | 16fc9726a7ab93bba68af928dee6a39f37b626a212773da08eb445a9cf2a345237d83a30b2ec41ed7d479417ee290bb220eff3e50b19fddd808420def2f9be3e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 781ec494fe2d19fcd27864ba61849a44 |
| SHA1 | 302fde48e1994218e4454a4f808aaed3ecc7f8a3 |
| SHA256 | 337d18e6ed37925ef833154bc7cb9f23542a51574de71dc83193456282098665 |
| SHA512 | ee646364bb29a4a94bee37404077e5fce3f02e1c1fa6a4c0fbf9fdabcf52e7db6fe5d3ef7de1843c132f01138faeac4f139b5aa7956a6ea48f5699ca77c16ffb |
C:\UserDotCT\devdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 969b111c0a4903fa6551d96ea8ba3af8 |
| SHA1 | b4e64f7653020a17fd4fa559ada6a6925cd0dcf9 |
| SHA256 | d512017b44694a9c40019fd85f5dcab152e1e06ab97eebe7e4b40d7c5d0d4a9c |
| SHA512 | cd2aa78bd2e53eebabf2d9007fab3c2ced88fe4db5fda63273c163e5a5c8afa2b30c1837fd3610a1c969849232d6c2291a69d04fec422467f618fbc3c788c65d |
C:\MintQP\bodasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 5ff6f53aaa235b4c15de216db425090b |
| SHA1 | b63c86f547c108a578d0f81d9f452dd46d79a9a6 |
| SHA256 | 77446ca69a151a0799c5c48760ee62ab61fb2aae1054a841c5f3c4c60c549711 |
| SHA512 | 3306919300a164441efa2db7f95c73a99a45502e46c3fe5cc14dd48d48951e7603cd17f08524c51ec742dbba25dc5b772d7ae5d8a273c8838172d072a2a22d51 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 63a50e37e2b6830c485071087e375466 |
| SHA1 | a9e7e971856c251bbbb78467c091edcf5ee463de |
| SHA256 | d821f8f718816dea21bf0f0d2dbf57d63b6633b364f61e1437d0dbeb53ff482d |
| SHA512 | 6460346bdeea4ccb45443c1693a56b506996fafa58d21a232615cfbc9764a790d9bbf4bb5ba5915781b39cdf9321e40f0240ec4cfe51249773218a63620da201 |
C:\MintQP\bodasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 5ce46de9d1c8ab23eeb8a98bb0b2232e |
| SHA1 | eb2b026ffaf5a7802065fa5971c5c4495fa6763a |
| SHA256 | 0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0 |
| SHA512 | 173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712 |