Analysis Overview
SHA256
a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514
Threat Level: Shows suspicious behavior
The file a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:25
Reported
2024-11-10 01:27
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\UserDotEJ\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEJ\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0R\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotEJ\devoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe
"C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\UserDotEJ\devoptisys.exe
C:\UserDotEJ\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| Hash | Value |
|---|---|
| MD5 | d27e3b96bc8ee4c864613adfda9ecbcd |
| SHA1 | 041d516ab108a1d6a947b648df86a19f2af714af |
| SHA256 | 54ef5720b58a92aee3d8ac5ab0393e84fd3b68f0e662c9700951b2ca736c2954 |
| SHA512 | c08bacfb9554643d3ed3fe10b730c250818192a45c1d8c3a92cd48adae740cd7366859a144f29237070e741b09a301683d5fccdcaf0fb7135de8fbff4ef2f127 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 24ff5cb3a86783db44bf907b5f364681 |
| SHA1 | 9205c45d9525d884457ffe759a21a46ae3101956 |
| SHA256 | d4cc489d76d44ddf319bad3de3b4f86192d5c368d2e42bd061ec751dc5b5a18b |
| SHA512 | e38b04755f4901af9a9c7b901c91d04c196094a8fd1e352d143a07418083c16c3a7a7f08ea089bc82f2ac7877088bdaeacab241765f7a184939f963f97aa67d7 |
C:\UserDotEJ\devoptisys.exe
| Hash | Value |
|---|---|
| MD5 | 5ba9e70c087a5ab9b86c2e57bace2f8b |
| SHA1 | c34813b34bf3983b6fef6cb7102a7392079e4719 |
| SHA256 | 5d91d2a88b7dd56fe30f5c60446620915eb52152828f97f9d6343ad09e1b21a4 |
| SHA512 | e9119841efe6952d31e75b5835956dafa08f0826aca0efad66c0c1c2ae4abc5fc9338aa186bf9c0e4e65822bdd527f62cea7527a639ae89cf03533ef70a913ce |
C:\KaVB0R\bodaec.exe
| Hash | Value |
|---|---|
| MD5 | e579cbadbd6be82b3876583e7c57bb9d |
| SHA1 | 7e75f19adf306037e57f68b6ff6eef62c681a1f5 |
| SHA256 | fb4cf05a768bdd3808c90c4ebab16b841bf8db95994ee6b98d449be484f87748 |
| SHA512 | 15002a6cf7248373eff87e0efd2e47a82ba06db2e3804bb89ff0b737ec9c11f632e3b79735747250d266f10cfe16a48b4a689df5f2848eb06468a3fab65fa935 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 4825223699ab6aff15209fde4e51b677 |
| SHA1 | 1b7ea341f668f7eede532261a4bf923575bf8378 |
| SHA256 | 5aa19ca8564d24fa7939fbf90fafad4686f48eaea8c419bc5d2a5818cf47a60b |
| SHA512 | 314a96f92ddce27584878f9d1914b5287d2fff378dbbeed3049930b5ae0d25ea7122084dcefac8cedadf130f458ee0a10d76c0e803c298b541ea47fb047e6825 |
C:\KaVB0R\bodaec.exe
| Hash | Value |
|---|---|
| MD5 | 31e408b7259b4390b67f0ac0c3a6cfe9 |
| SHA1 | ee24de34a106ac3e79bf9e8e98408c2692ec439e |
| SHA256 | 3e804dc66cb0689db1be32f03a0aa6cd46a2063d01a978887428ddee2fc64073 |
| SHA512 | 430c990edc4cd88feb1c7ba2d3f2f98f20a91e68f842901f6712f409a0d00f65cb4291f35282d85654b8819725ec0d65114d2fac9bdd568c8c6f9691cee84105 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:25
Reported
2024-11-10 01:27
Platform
win7-20240708-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\IntelprocIU\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocIU\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUJ\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocIU\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe
"C:\Users\Admin\AppData\Local\Temp\a7047bd9f84a58b8d309e3246cd1fc34f2e71e7e370bd51be024599d8edec514.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\IntelprocIU\xbodloc.exe
C:\IntelprocIU\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| Hash | Value |
|---|---|
| MD5 | aa545731939bb739a809a15b8ac53850 |
| SHA1 | f08a4d3afecde275105e1beb5fca47c41b73a59b |
| SHA256 | 98f043ec3f3454ec07994300238bc2d3dd222f517348e0e977ab93089ce57084 |
| SHA512 | aa8ce82690f0c266d10a3715ea3c70fa5ac2036fb5537787681796373abaf3570cd39f42e427418773791838db4b1fccc041a13f209e249d1de88d858a01b0a4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 1dd4de3f85bcbd3255b1e582bb5376a2 |
| SHA1 | b8d8677ad7ab735f0625da58e7fa9d9140a9ddb4 |
| SHA256 | a1362c15a0ce48f2c1d0e726a40d68c2172cf7768c08b0d7edcb1604750dc9d2 |
| SHA512 | e379971887ae753b6ed4df02c6772b2dd2f778f5590ba20968367bffb6692e4300ae648974bb6b3f11b002cfcc25b7aba621def119e1c88e794570ed232936b9 |
C:\IntelprocIU\xbodloc.exe
| Hash | Value |
|---|---|
| MD5 | 153840a57f6cc14d90cc7c8f1c405af8 |
| SHA1 | d90906d0c814fae988b5558659782739ac3a3ed2 |
| SHA256 | 0c721b04d13ead92db6b4e8b07a503417f75134605e5dd2ba11b928e03f7a0e5 |
| SHA512 | 601482632cd0882275f87335a9744b9be96e27217684f3863c466002a2d1c2136c95366609958433dccb077d1340d5cdb7d906af37a24d371b9a8faf987a0df8 |
C:\VidUJ\boddevloc.exe
| Hash | Value |
|---|---|
| MD5 | 6ff3e58ed4d22b21dddf28be0baff86f |
| SHA1 | 3f4338290ffffbbb10c3786661d5ad29e22ccb2c |
| SHA256 | 1e9fac3fe21d1c901a9eb2742327e93953e647ece9d768a8985d9bb7250e404d |
| SHA512 | fe12a3ced48b01213cf1de5ffb2a018ae8d8fe849866baff72bdc04921469b8549b90189cd1aefcad56ca4bba1ce641a431331128f1c194a0ee7351b67e42343 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | ffef729fa99e55d764b4114354c03069 |
| SHA1 | 1c9f034cf68249852fde2e186dac17078451a835 |
| SHA256 | 592cf57e4a46a45ceeb7d637637c42aa2c7253d1c0f164b979be495e3105623d |
| SHA512 | 44b2cf031b5333e5937e25577586a2b0a7da798b4062833f7a0f27fb3f340f350a5ee0cd353eb72ebe97640f18b167b69647f85276adb1b065512fa506b8f396 |
C:\VidUJ\boddevloc.exe
| Hash | Value |
|---|---|
| MD5 | dd99f6521b1a7a4de7c9d3b8b910bda2 |
| SHA1 | ad6c005ffa76a0637073ab6d5eba18e396a8b23e |
| SHA256 | 5fcef78e70c2b1abb79ff84c20dcd0c1bbf0d046ffc3d40a013d68fd07304d45 |
| SHA512 | 1729c2065455654b45b927dbebcd2690433e32819e1efc34c450e312c8ef7c7a0505c421562f779a7c059a893783edb50f7aa9da89c299701ba4bdc4b720779a |