Analysis Overview
SHA256
693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1
Threat Level: Shows suspicious behavior
The file 693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:03
Reported
2024-11-09 23:06
Platform
win7-20240729-en
Max time kernel
149s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\FilesAG\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesAG\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSO\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesAG\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe | "C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe" |
| C:\FilesAG\devbodsys.exe | C:\FilesAG\devbodsys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesAG\devbodsys.exe
C:\LabZSO\bodaec.exe
\FilesAG\devbodsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:03
Reported
2024-11-09 23:06
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
136s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\SysDrvMP\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvMP\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJB\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvMP\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe | "C:\Users\Admin\AppData\Local\Temp\693f398bc8ee687fa38287c356e37741d73ec3aa274c1dea46ed6c26df5b4da1.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe" |
| C:\SysDrvMP\devbodloc.exe | C:\SysDrvMP\devbodloc.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvMP\devbodloc.exe
C:\KaVBJB\dobdevloc.exe