Analysis Overview
SHA256
e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e
Threat Level: Shows suspicious behavior
The file e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:33
Reported
2024-11-12 16:35
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvWF\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWF\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1C\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvWF\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
"C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\SysDrvWF\xbodloc.exe
C:\SysDrvWF\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvWF\xbodloc.exe
C:\KaVB1C\boddevsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVB1C\boddevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:33
Reported
2024-11-12 16:35
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\Intelproc5I\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5I\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHL\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc5I\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe
"C:\Users\Admin\AppData\Local\Temp\e4cadb53e8e60e5cd09c4ba6c994e46fd57ce773d4eb4baaf86674904d2aad0e.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\Intelproc5I\devbodloc.exe
C:\Intelproc5I\devbodloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Intelproc5I\devbodloc.exe
C:\LabZHL\boddevloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZHL\boddevloc.exe