Analysis Overview
SHA256
be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7
Threat Level: Shows suspicious behavior
The file be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 22:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 22:30
Reported
2024-11-08 22:32
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\AdobeGM\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGM\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8Q\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeGM\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
"C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\AdobeGM\devbodloc.exe
C:\AdobeGM\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| Hash | Value |
|---|---|
| MD5 | 0c04ddc916e56126549e98c28d75db86 |
| SHA1 | edd8072f7580ffe88dfdf8d39ea732f5e1abf31a |
| SHA256 | f82a403dce3e47e028685958032fa47c82c550c3555c82a2d346c05afc690727 |
| SHA512 | 9d1031662c570779538489427420521305d31b42b555637e24af0b333e5d297aef7d254682e4e85c6262a48c74bf2970d1a57aa80d46eb4b45f369c1a58cd88f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | aa9a44e7b934977f1be0edd92371b2f6 |
| SHA1 | ba2e8c774a0ef9072f954a3c6b84e757bac73563 |
| SHA256 | 515b38afdb76005f15622548f2d093a0ccfbdaf086ed5b6e5cf6a15682f9820b |
| SHA512 | 94b434a59c2973c446fc359d162973ae3667dc0903cd3b73ad0fe6a1b6884bf3cd014c7397d7345255094ce69610d7e4f606f11e2a904d1e839d8eecc69d7eda |
C:\AdobeGM\devbodloc.exe
| Hash | Value |
|---|---|
| MD5 | d5b3a7c4dd81660c7ba05234812498e5 |
| SHA1 | 4122a8dfa3c5dd571ce3a167bb324dfad086be43 |
| SHA256 | 31f0744041b0a484a746cbc631e9ec9dc06593a936c6e7d125739c87a478b3b1 |
| SHA512 | 149f1d0ccb641d0b29d642a701e63b39468860717f36ab124d87f6f6b63bf1e178071d0e04e4a782ad600aeec02d9bd811f94b188cbab1e92d8390239874f13b |
C:\KaVB8Q\boddevec.exe
| Hash | Value |
|---|---|
| MD5 | 85f1412a33b81decd52d503a61939ceb |
| SHA1 | f0063ebc9de0ca0b995bb7c3e560476ce75c92d8 |
| SHA256 | 1eb54b8b123284561b91f692dfda188447a7ec1a9b224a6202cb899725c10df2 |
| SHA512 | a997c3afd6a06172755778473d3090f830099dbe8205f9fbb5aa55459356544a4f1e04e2047113c173151ca7fe2e86f8efaf12ca8e2810d80c3090c724ddc3e3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 0738ee3f61ca8e684201eb10c691af43 |
| SHA1 | ecdefeaebcceca2948e24f1f75aeabe6d3b438a3 |
| SHA256 | 587e9e7f053da2ff2cea8caac32d76e514b78c6471d4424a85e7d123b839bce0 |
| SHA512 | b9f23ca87537887a9640029ba3e373fe0f6c3d6cfa45494e2e605b56bedd596de311cde9f7c6b00d8385b14d91857a95937202d6b3e2f87502c257c809e9c1bf |
C:\KaVB8Q\boddevec.exe
| Hash | Value |
|---|---|
| MD5 | 5a8a731bdaed01719111732a65c1eb31 |
| SHA1 | 0c0ce22506530dfdf7cb3efc00ed2036e3269b33 |
| SHA256 | bfdcc8032c4bb14a70ab977e0ae8ea968a5f9cbffa6fee00fb8a5fb561446132 |
| SHA512 | 53c59f105651f83da0e2092f74527b019603b362a1efcc7296703fa0dcff7b0257fdcc358533a60cb6a29a5066d33539c19ecbbc415743be34be89d3225af4dd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 22:30
Reported
2024-11-08 22:32
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\FilesPU\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPU\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOV\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesPU\devbodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe
"C:\Users\Admin\AppData\Local\Temp\be0f1dd8fba92e6a057abfb51c62ff392954b04f68109689d897a9463804e1e7N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\FilesPU\devbodec.exe
C:\FilesPU\devbodec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| Hash | Value |
|---|---|
| MD5 | 7636941a2f54f527d72eb62bcaf2eed5 |
| SHA1 | 5f5d306b20c299160b7a2e49c6932eb45b9c9761 |
| SHA256 | 48a1fc8542aa889623cf96125cc6508228f07dc3752e45af230d1a951a9e19f3 |
| SHA512 | da87a63f21ccb8d1d3a75927380b07dfe8527ddb89641296d8766b002cb881e203abae8ea143fa0c42f00e2189cffc799687a915c920935febef9126a6b88da5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | ce7f0d7b7ac0e820b7ec1d180f47001d |
| SHA1 | ffc894dfb5824781646ca5254605389888b71e38 |
| SHA256 | 18f687c47bc527c87d91d48b18151c5fa739577e0258a58c542a9c30612979e9 |
| SHA512 | e985f193b1cbfcc58ec0fb7f2c364e6f621b0dc8a8585f256a8f775a9364a2df95da1d6055ca4fa04751b1209f62b064f69eae76f4097ef3ac523348e545f3d8 |
C:\FilesPU\devbodec.exe
| Hash | Value |
|---|---|
| MD5 | 3d94f62268a4fb4599c209fd92db0edf |
| SHA1 | 27daf0fee8c2894c0fe18183daadee1d0d67a69c |
| SHA256 | a28823d61fe1dd956c6951cbc7f48efc8fa4e451faeaed63fd5e84406ba64037 |
| SHA512 | 4f4da5402dae433df2cf52c97dc70c50a22e46ab1fb61e5dd68e83e84e6c3c68b5a3ad344a0ee01a2b8429d1a0ee2fc962a2ca5a34a1119c9ae84c68b8d60220 |
C:\KaVBOV\boddevloc.exe
| Hash | Value |
|---|---|
| MD5 | 9bd2406ab96ed5ca3def3ebd19752e5c |
| SHA1 | 0ccb6881bbb2fac66001daea80145e386f5d947e |
| SHA256 | 80fa5d7ae449772f335e8f7446e4508069c8fda62e1aff8c81843d7583d865a6 |
| SHA512 | 3ef9f370cc9cfe46a8680d9424060e335da09f65b49735155d5747f10eb16c59893fa997dc1efbf48ea32e39158c9a8c49dd928f38313588e9aebe82c40130d3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 64958e8abb7d6beff88a72c8a4df677c |
| SHA1 | 8c3a19104ef691c6f60eeda8db4d2b0f0b48ea66 |
| SHA256 | 360bad04d294ea74959a38a1fed45000aa5f90241a07141b8eaf997caf9481cc |
| SHA512 | b79fd405312ddd608d72c7fe5f5bc56be89b98ed435998997b6cf27ae787e211eed8eb0a6e41bb3f85953c6b65fa6cee51281e761ba6e34aa284e4d098fd3b29 |
C:\KaVBOV\boddevloc.exe
| Hash | Value |
|---|---|
| MD5 | 2d014a35145ad0c0bf383d6c48535247 |
| SHA1 | f1e2615b5740c1d1922996a0887fd8944f2fa787 |
| SHA256 | 0eeec169c7ae962f8506af90031c334e2fdfe3b328297c2c212248fdde489fde |
| SHA512 | 6c8682b88f59db94b9e903411240b757dee77d5fb1ed3bf86572e3f843d9843bfff391fab9b0157ce4173cc8819b1e24298e031baa575c341869454a0822c2b4 |