Analysis Overview
SHA256
904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcf
Threat Level: Shows suspicious behavior
The file 904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:16
Reported
2024-11-10 01:18
Platform
win7-20241010-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\FilesP3\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP3\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIX\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesP3\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe
"C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\FilesP3\devdobloc.exe
C:\FilesP3\devdobloc.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:16
Reported
2024-11-10 01:18
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\Intelproc4X\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4X\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBC9\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc4X\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe
"C:\Users\Admin\AppData\Local\Temp\904ca72c62216ff69f692495c551ce8a909daa1164ec3b0816683e4d0bc9abcfN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\Intelproc4X\adobloc.exe
C:\Intelproc4X\adobloc.exe
Network
Files