Analysis Overview
SHA256
4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7
Threat Level: Shows suspicious behavior
The file 4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:57
Reported
2024-11-12 16:59
Platform
win7-20240903-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\SysDrvHA\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHA\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUG\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvHA\devbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
"C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\SysDrvHA\devbodsys.exe
C:\SysDrvHA\devbodsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvHA\devbodsys.exe
C:\MintUG\optidevec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:57
Reported
2024-11-12 16:59
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\UserDotB5\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotB5\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4W\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotB5\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe
"C:\Users\Admin\AppData\Local\Temp\4432c2b6a9e197160383c298943a3b75aef7fdb6add9b6aebab203b0dcd0b6b7N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\UserDotB5\xdobec.exe
C:\UserDotB5\xdobec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotB5\xdobec.exe
C:\LabZ4W\bodaloc.exe