Analysis Overview
SHA256
9a31ec079f9330ff7ddf0422629886da291a0eb802c11a33099e00a5766221b1
Threat Level: Shows suspicious behavior
The file 7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:31
Reported
2024-11-11 23:33
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\UserDotX9\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotX9\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidND\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotX9\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
"C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\UserDotX9\devbodec.exe
C:\UserDotX9\devbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 31b2239cd3e253bf9a0222c258d7a15d |
| SHA1 | a5d718b31fe4dd5e1258e7e4257f61a3149d7f3b |
| SHA256 | 640ab584e19287e8722e6fc446c99fc9df61bbcb41f56d26b8b73c50b8f146a2 |
| SHA512 | 20505087879a8a4c6837365ad4cf00f5a6dfad6db3ca4b42ccd0f0adfeb385749fe9547dd20ad1c62a5ce730923816569fa9515b4d39164bbeee51bd4a8650d2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 510a365a67291b85e3824c8e62fa574d |
| SHA1 | f20ecda34a2d51b223546c34359c018e6e613c20 |
| SHA256 | bdd57dda22fe7bf16673edb5f820aecf97656b748295cc587d43d2d5307b8304 |
| SHA512 | ae5ef1fc4a5725e2e265a81bc9d57e0b41ab0654907a386ec2a32f799dabbf32d97ef6baad2f66388cebcb503b2f6acc3c6408c97a66336fcfa63c92048a697e |
C:\UserDotX9\devbodec.exe
| MD5 | 61b773990ee27e9e908970e63b267f79 |
| SHA1 | 522f4b8bd8207fe759634142fdb72607b71380f4 |
| SHA256 | 8680f82d44553da0b976a373a4c22a7847b75edeed53a8fcb3bab73b13c72c0d |
| SHA512 | 6a34405c32b1ed6c0070d4c054d00db08edd60f126246e30755b99cdc98b0de4394c89b066d72ca1b9f4c4ef554bf4713874e94aae71615254c3d79bc546c29e |
C:\VidND\bodasys.exe
| MD5 | 66d955acf067bad35225231bcdcbe0a5 |
| SHA1 | 64807b0b5af24aff572878ae94902c1c37a1e3bb |
| SHA256 | 7263360a18c6bbe64ee48ed0413d9cecb1f859ab68a414e37284fb3bbe44c575 |
| SHA512 | 7e89b2371d637a68e27b182b8dc501c580a6f9de8ea6e92ce157d7dbcf53f5aeb57f8531ab34f336ee9ce59fe0e1ec4552c683b0861d4026855d98dea65cdd92 |
\UserDotX9\devbodec.exe
| MD5 | 69fae0f5168b279dc99e205aa07bd1b9 |
| SHA1 | 4499b872ad386ab003b60e24b0cc54c359a9f8bd |
| SHA256 | 937aafa864a142dba445da0ba21a8f3bc451c002c4a73a8b0f55a3f860869475 |
| SHA512 | 487474095b87b7d29095dd94ff2916191f71ecde5d6040fa800f30df2959c182792e405ad5f9ab964b80886a2356e8d0c74c6a9e602aaa9e86a43508eca47f33 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 88a6a9490ab7d86262f37870f627f1e0 |
| SHA1 | 02cb4617a8dbee4162c1bfb07830a383e4e80c8c |
| SHA256 | a642addacd2b647a2917efc2b9fdae4c2ba93a619b5ab4c0d67fb9b82978c8aa |
| SHA512 | 44e6d336e6fc98edc50e1d73a073473a29a57944f331b3b7242f655cb6adc0dd77529097972e1b2706242a6fcd7ebf0991e0192ea692dad595b1536f775facca |
C:\VidND\bodasys.exe
| MD5 | cbafd637d7eae1157846863c8a8c4067 |
| SHA1 | 4e2a030cd1e33f32c8a06abcaf0567562e778268 |
| SHA256 | ef70d114bbf565fac16330699adb55e1c36fc7f8f6c178e02cc968545d0051a1 |
| SHA512 | 3a772bea948e46c94704ec708f878f73b4d1664ebd44e7e6b065d5158ce6a7fe53d86992a4da2ad3e65e2ae88a950f02ee8afccbc8d748846f58dd27e7d8fab1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:31
Reported
2024-11-11 23:33
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\UserDotC8\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotC8\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHD\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotC8\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe
"C:\Users\Admin\AppData\Local\Temp\7666464fb7f5a26a8248c9b57852c8145de692aaf690b6b347571770cab5bb6dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\UserDotC8\devoptisys.exe
C:\UserDotC8\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 2d8b436587c21b5e8f3831df4a337627 |
| SHA1 | 0aa02187ce93536ee60e88452a1e61fa437d7ad0 |
| SHA256 | 5e00fa980d16dc0fc41dfb708eaecfc2e648367a97caa6a4904b4ec957c9dbdc |
| SHA512 | 6824fa52a90cffacf54943f9f728fd848859be5ffdb2cad0777c60c579f87d9100c796c1790e23689dd72890c980709bf7efd8ffe698a97bf120a2282c259146 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 65cc5579b175760661356e7ab82c32c8 |
| SHA1 | 8c69575b2d89d647d8e2cf16f294d79fb26f6b77 |
| SHA256 | 964e6adc1d7442f6ddb6a5f8250cd9b76506649d9f904ea558d122529a0151a9 |
| SHA512 | f167eadf32ca42318619abb66ef075415970074f1055278abc45905b3617e69097cc368b2800d5123e30cd270b7bcf8f23c5462272c54435e69f3c913e66b77c |
C:\UserDotC8\devoptisys.exe
| MD5 | dde42f4395c427ea045ec626621f5239 |
| SHA1 | fb661c9b227dd3dd4a5d50658e664c91e81a27a2 |
| SHA256 | 5acfc66994452a6906101a05806fb81f208a4cfcc06dba4e897068c063b3515b |
| SHA512 | 9062f343efd4de8b45edfa712f14b7029269e4ff86f3cc222ae6d19071503f417586e256283154f314eb6efc279bb6b48976cc808529238549c3cc8e0526e661 |
C:\GalaxHD\dobdevec.exe
| MD5 | fd04578131df58619238f8d9c22eae9c |
| SHA1 | a0a05380bf81a6d836f1e2c93573406e4a015591 |
| SHA256 | d7d32f28bbd01a33892dbe344de4f8d347b9443423999717cf04876ead366e71 |
| SHA512 | fc4151bf77250d7d03f9633374482607277c63ee90fbafff73dcfe85b29a2550f8159033493912a9f419431b82642d01b826316dd18c36cd4264bb02e06d2d73 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 53ae2d5866a99f94ba2c2499b58c1c97 |
| SHA1 | f3a50937c3f7bb00dff746615837d9811797f5a6 |
| SHA256 | 9221c7435a928caca93ba02a836aa3616db937580c17e0ed25e1e893478080d1 |
| SHA512 | 54baa5bdf7cada6d7938a6e760e555f31d9f39b2d63c6847c3fe8f84a495baf83ae3f4c79e52b8bba92c970e21c6325c91bcd1e8eed9b23fda868650376df122 |
C:\GalaxHD\dobdevec.exe
| MD5 | bc0ef9b484040b7bf13e130882371e55 |
| SHA1 | 74a9aea8532f13f0a69cc27e157ffdbe927f8619 |
| SHA256 | 1d82534dafd5be101db76c87f5da57f9001178a43fc8898df555e3dc7e6e7d75 |
| SHA512 | 54d5caed5c3c2234d6550f658e8f774e33e49717773ed864a3b120290f5c94b1a315e8d6001ae1c869c9e74baacba51f3415ab42e85bf0ee8b89c8d2503ae5d5 |