Analysis Overview
SHA256
e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348
Threat Level: Shows suspicious behavior
Verdict for the submitted file e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N: shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 22:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 22:53
Reported
2024-11-11 22:55
Platform
win7-20241010-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\SysDrvUF\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvUF\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidPE\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvUF\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe | "C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe" |
| C:\SysDrvUF\devbodec.exe | C:\SysDrvUF\devbodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | a4cff8d98b430dc1c21c0869be3562b1 |
| SHA1 | bb9e68c7678253fa511b03d151ab0835dc266fc7 |
| SHA256 | 36a35f23cd5efde5c7247c40113358b7622c46eb8c11b102df5d9091f9b66bf5 |
| SHA512 | a252e91bdefc017e990f9e4ab542814fc2e3d23e00881720aa7b6154600b21d56c3a7ffaedd9ece817f0bf62dbd6bae60a9b17a69252e3364ebf1de4a47611dd |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 141524b70056eca78247a4cfa55b90ba |
| SHA1 | 460552fcf0e7c80c46e7bbd87f401a64ca7eda42 |
| SHA256 | 676e4f3c0ee346b061f44ebec8c5d18aa417a8ae7d06ce94690243d4afc59a0a |
| SHA512 | 5581503b102013765a2b1efd733c47860a32f6b6a0eb8114d4f11577e5e245f8a8a0150b3e2e77251ee5737964d18b9c0d9f2d72af38971017a019af644c8258 |
C:\SysDrvUF\devbodec.exe
| MD5 | 85e3d76c6e1037140521fc61b569fa5f |
| SHA1 | a04251210ac9f13b99b3aedfe3ded1f76f2cbe10 |
| SHA256 | fb724dc0acbb4736e1696c344af5932d885bd0e2bf3b6ac99ac37e0abc1334bf |
| SHA512 | 05158b0bc53f42946a0ac34c1225ca66dcc1da890c70410f567fd4e57105e96015a8693d43cc3430a70e09d696a100bed8590ff098d7166437725c5192c4e445 |
C:\VidPE\bodaec.exe
| MD5 | 91c69295f6b45020d2804a51bc5e50af |
| SHA1 | fc976342eedb3e9f7ede9577c4fb98dddd8ec052 |
| SHA256 | 9905b582841c010db0f17903dcf91a83c3066d729391b5a863135e9490daa776 |
| SHA512 | 2ac6280ba837e82177e11c1111c61b121d297af073b860414853aff31df8266440b07cc50fbf9e39bc5a1b12c78363722533171b1f95889a489f515c9a52ec68 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5e83204ef3fa4bce2de1e3ea10ab24b7 |
| SHA1 | a8c16d535f64bd84255a03da79c5cf9255b38f88 |
| SHA256 | c73da94fe1fb34969e5d53cab61806201369eef2d7f2a0f03879aefbbfbcbaf0 |
| SHA512 | c18d4e12535ffd11d277563c695366b0f07e18e70eb60563d96800b9748a365e8f8f1baa01269e991e6d76c6dc4dd065981f8711b218f7c46156df92adb35319 |
C:\VidPE\bodaec.exe
| MD5 | f7d010d14c1c051d957992a6dfcab3ce |
| SHA1 | bf851da7f6e53330991ec9227f0c74dfce7015f3 |
| SHA256 | 0cc5edaeab931ab7ec7289303155a4477f29e43eacc364c5d1f101139c73140f |
| SHA512 | 19cb5fc3b076782535b9ce16a53ec238ebba328c1ef278a635e8caad7265d5e1a06d72887c844edb486d7567231133ef88da18d137113b62a9610322e5f2c3e4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 22:53
Reported
2024-11-11 22:55
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocZ0\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ0\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBDG\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe | N/A |
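Across the two detonations the dropped directories (C:\SysDrvUF, C:\VidPE, C:\IntelprocZ0, C:\KaVBDG), the file names and the hashes all change, while the Run/RunOnce value name "Parametr" and the Startup-folder drop recur. The following script is an added example, not part of this report or of any sandbox tooling: it parses the "Set value (str)" and "File created" indicators exactly as they appear in both behavioral sections, flags autostart values whose target lives outside trusted roots or in a custom directory directly under the drive root, and identifies value names that recur across different user hives as the pivot worth detecting on. The VendorUpdater entry and its SID are constructed as a benign control and do not appear in the report.

```python
"""Triage-report registry/startup indicator parser (added example, not report output)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Registry indicators copied verbatim from behavioral1 and behavioral2 above,
# plus one CONSTRUCTED benign control (VendorUpdater, fake SID) as a negative case.
REGISTRY_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvUF\\devbodec.exe"',
    r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidPE\\bodaec.exe"',
    r'\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ0\\xbodloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBDG\\optiaec.exe"',
    r'\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater = "C:\\Program Files\\Vendor\\updater.exe"',  # constructed control
]

# Startup-folder drops copied from the two "Drops startup file" tables above.
STARTUP_DROPS = [
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe',
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe',
]

AUTOSTART_KEYS = ('\\currentversion\\run', '\\currentversion\\runonce')
TRUSTED_ROOTS = ('c:\\program files\\', 'c:\\program files (x86)\\', 'c:\\windows\\')

# "\REGISTRY\<hive>\<key path>\<value name> = "<data>"" as printed in the report
_LINE = re.compile(r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?P<path>.+?) = "(?P<data>.*)"$')


@dataclass
class RegSet:
    hive: str
    sid: Optional[str]   # user SID for HKU entries, None for HKLM
    key: str             # key path relative to the hive/SID
    name: str            # value name
    data: str            # unescaped string data


def parse_reg_indicator(line: str) -> RegSet:
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised indicator: {line}")
    key, _, name = m.group('path').rpartition('\\')
    sid = None
    if m.group('hive') == 'USER':          # first component under USER is the SID
        sid, _, key = key.partition('\\')
    data = m.group('data').replace('\\\\', '\\')   # undo the report's backslash escaping
    return RegSet(m.group('hive'), sid, key, name, data)


def is_autostart_key(key: str) -> bool:
    return key.lower().endswith(AUTOSTART_KEYS)


def is_startup_folder_drop(path: str) -> bool:
    return '\\start menu\\programs\\startup\\' in path.lower()


def path_findings(path: str) -> list[str]:
    """Heuristics on the executable an autostart value points to."""
    p = path.lower().strip('"')
    findings = []
    if not p.startswith(TRUSTED_ROOTS):
        findings.append('outside trusted roots')
    parts = p.split('\\')
    # ['c:', '<dir>', '<file>']: a custom directory created directly under the drive root
    if len(parts) == 3 and parts[0].endswith(':'):
        findings.append('custom root-level directory')
    return findings


def assess(lines: list[str]) -> tuple[list[tuple[str, str, list[str]]], set[str]]:
    """Return (suspicious autostart values, value names recurring across user hives)."""
    hits = []
    sids_by_name: dict[str, set[Optional[str]]] = defaultdict(set)
    for line in lines:
        r = parse_reg_indicator(line)
        if not is_autostart_key(r.key):
            continue
        sids_by_name[r.name].add(r.sid)
        f = path_findings(r.data)
        if f:
            hits.append((r.name, r.data, f))
    # Each detonation ran as a different user SID; a value name seen under more than
    # one SID is an invariant of the sample rather than of one run.
    stable = {n for n, sids in sids_by_name.items() if len(sids) > 1}
    return hits, stable


if __name__ == '__main__':
    hits, stable = assess(REGISTRY_INDICATORS)
    for name, target, why in hits:
        print(f"{name:14} -> {target:40} {', '.join(why)}")
    print('stable value names:', sorted(stable))
    print('startup drops:', [p for p in STARTUP_DROPS if is_startup_folder_drop(p)])
```

Run it as-is to see the four Run/RunOnce entries flagged and "Parametr" reported as the only value name present in both detonations; the constructed VendorUpdater control passes both path checks. The same parse-and-classify logic applies to Sysmon registry-set events once the key path is normalised to the same "\REGISTRY\..." form.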
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocZ0\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe | "C:\Users\Admin\AppData\Local\Temp\e40a6f7ee30a05c0da81312c1b56f4b38f5f5abaf9d9e4436a1dba967775d348N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe" |
| C:\IntelprocZ0\xbodloc.exe | C:\IntelprocZ0\xbodloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 59ec889db8355036ab617b98af05fe3c |
| SHA1 | 460835db1f8a3a90f94e793eb00679b47ade5e28 |
| SHA256 | 1430ba44d10868327474c48f46ec9cc23a474d07e2848ec35437882189623524 |
| SHA512 | c81f942fe1a3b18f946977907026f264b7d38a517e4fad72b826bfc9d9a578217e722c00266fef0c96221230d7dbb4cb78b6da4bf8bd6d7357ec8c9a059b40a5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b0c0aecdcb00dd07a5b517f5bd39b161 |
| SHA1 | e76129ffa52ba5dbef676a98111a38246989b03b |
| SHA256 | 49c711e4607e028d063517e502c7984b19374997682de083d68b9c56f699f1f8 |
| SHA512 | 39d1743754dece3454cdfe7e3b35f0b0e65c1dbacdb7bd2cb56a4952c3a7f5d3a79ae56c572d1f2dd8c07a363fc66f6daa780917e2aa3f0435112c4233de0a9e |
C:\IntelprocZ0\xbodloc.exe
| MD5 | 21c54beb83097ab82ef74c730e50fabd |
| SHA1 | 39f4b770534b562d4a9848a582e10badc9b1e01d |
| SHA256 | fd5b82c1cc131c4c7d9c806e640bd95d5baa0df7adcd1462670d7c07114d6a51 |
| SHA512 | 3c4e75c4fe85b198e5a4a89098b628f61981843eb543d7c5ed70a98a91b2d4cefa93a0701bf185e9ef55413bb0fed14b9af2595c86fc56d4a14f42327997cd94 |
C:\IntelprocZ0\xbodloc.exe
| MD5 | b550e59e6acb8517fbc445c31b6346bb |
| SHA1 | 11bb85065e4c5ce5ed8d8bb2717ce3a1d80795e0 |
| SHA256 | 992cad33ce6718ac397ef73d2484685cbbca6a07ef73600b4fa77bf1ca9c69a2 |
| SHA512 | 15f0edf215477abb8c40d0a2c656d640581cab41f67bfac95ab18ccee1eba13ea46ab0241c5152a715ccf5a30ce4480cd70379edd096755965e94a57c684f540 |
C:\KaVBDG\optiaec.exe
| MD5 | c13b94b59867a8bb3d2a528c78cb658e |
| SHA1 | 449b04c57357c29af83c46d408f20aabc367c734 |
| SHA256 | 8f7f340b39217ca3a78d8d50c07cdc5b7dc29a0ad713dbbf1429720ff8ac78a2 |
| SHA512 | d8a2ff9e68e1f293090ad734c896e25c81c5dfaf511d116dd96d21b298461784887faa9c4547afa22fb97edcefcd0b23d23e16e8ad884b33eb4c874e415c97f9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ee3409effb682cef31f1272bcb7c2e8a |
| SHA1 | 4967a618d17d3c21898bf79aee6c609da2906a7f |
| SHA256 | 77ab83d6369f4e0c8489e5e78c2feb8de215580b666d46a1fb5f910e78e9bfc4 |
| SHA512 | e5c7598235acf0038eb5cae6f40799cc7dfb00668674befd03ddea0ecfbbf01f3aabb96b61edc86699ccdf8b1614b04c12f4f541df7e8e81862718526b59b19b |
C:\KaVBDG\optiaec.exe
| MD5 | ba4e9e4d805d152e5205cf62a80efeaf |
| SHA1 | aaa02a8ad588eba63e211885738663e34fae0ed2 |
| SHA256 | bef956ef1c2542d09c969e02f3901d1b59ef00e82c4d90da901b0570dac3380e |
| SHA512 | 85179a799eb187d617cbd99ac9f0f77a35fce3df6b1a4d956e7f17147cdf8507db121a5ba31fa19b3b58b914c48e6d8dbc7f6696b8a65c79a86c1fc933e036a4 |