Analysis Overview
SHA256
092d2e1ad6c85ba0bbfc8a65245cfdb155b91139c6812c5c8f4068ede8401099
Threat Level: Shows suspicious behavior
The file 7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:33
Reported
2024-11-11 23:35
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\UserDotMU\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMU\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOT\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotMU\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
"C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\UserDotMU\abodec.exe
C:\UserDotMU\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDotMU\abodec.exe
C:\VidOT\bodaloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\VidOT\bodaloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:33
Reported
2024-11-11 23:35
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
99s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\IntelprocHE\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHE\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGP\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocHE\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe
"C:\Users\Admin\AppData\Local\Temp\7fd5b1b8160b79f1b761e2d5c0bec71320de525a20feb5e6bf89bbcf9a2e1dcfN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\IntelprocHE\xbodec.exe
C:\IntelprocHE\xbodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocHE\xbodec.exe
C:\LabZGP\dobxec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZGP\dobxec.exe