Analysis Overview
SHA256
82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5
Threat Level: Shows suspicious behavior
The file 82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 12:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 12:22
Reported
2024-11-08 12:24
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvY5\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY5\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGG\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvY5\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
"C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\SysDrvY5\xbodsys.exe
C:\SysDrvY5\xbodsys.exe
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 12:22
Reported
2024-11-08 12:24
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\Files57\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files57\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPN\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files57\devdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe
"C:\Users\Admin\AppData\Local\Temp\82e715942a3f08535b8c37c56da0b7f9f78d3d582f6d00d1bea93174609ef1a5N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\Files57\devdobec.exe
C:\Files57\devdobec.exe
Network
Files