Analysis Overview
SHA256
8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fec
Threat Level: Shows suspicious behavior
The file 8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 22:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 22:40
Reported
2024-11-08 22:42
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\UserDot7B\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7B\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB4N\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot7B\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
"C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\UserDot7B\abodloc.exe
C:\UserDot7B\abodloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDot7B\abodloc.exe
C:\KaVB4N\boddevsys.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 22:40
Reported
2024-11-08 22:42
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\FilesVQ\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVQ\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0Q\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesVQ\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe
"C:\Users\Admin\AppData\Local\Temp\8bec903bd942c7f455d51c6f307757f9dc8dfaefb39c145eee5dc4a929b25fecN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\FilesVQ\xoptisys.exe
C:\FilesVQ\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
C:\FilesVQ\xoptisys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVB0Q\dobdevloc.exe