Analysis Overview
SHA256
fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30
Threat Level: Shows suspicious behavior
The file fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:02
Reported
2024-11-12 17:04
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\IntelprocAC\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocAC\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAM\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocAC\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
"C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\IntelprocAC\devbodsys.exe
C:\IntelprocAC\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | a63b66e74e8e27ab591d281e4bb7db59 |
| SHA1 | 28db36803db6dbb558efefaded94a97305857e88 |
| SHA256 | f491697680f4cca7ee5f369aab3f3a045f04884f34dcd1e8bbd62d20c0465e33 |
| SHA512 | 9ffd68aa70cd52b4edd1edd48a1db423985a131f2a54d75fa0bd89d05b087a2374046b21464757749927df0947744d74b82f3cc845a8ff350a770ec76187a11a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 93e70b7e92487ac930f2b9f73db812e4 |
| SHA1 | b5a67cd09f64650c268a7ff24a7386d5e10c4653 |
| SHA256 | 7762d8f936f20e4791e7243c2530cd913ee4c81e3aa87a174e70cf46ccb3d796 |
| SHA512 | b8972e3d1a15ec49c4c7dd40f70099558b4c6c6169f7622d3c486cfe555a5d5e9c657ccf73f8c0f9be0297fb3c80007f650632000d654250d1bb46a35389052c |
C:\IntelprocAC\devbodsys.exe
| MD5 | 59a48ce5a74f8c922ed04e5f9065512a |
| SHA1 | 4edca80fba593207101ea059e3f114254b57a0bb |
| SHA256 | a6325b8bbfcd9316f91ce21f6813e168d329c64b9bdb53cb12f7579d1114ce73 |
| SHA512 | 795d81469ead76b3440276e99f749f6c01516877fd851bf1cbaff36aef76278f98cc2eeb831fcbbaa4a6c0d7af359f378de068acece5024a8f57541cc48f0b5c |
C:\IntelprocAC\devbodsys.exe
| MD5 | 0455232c5f9f9f72ab1b7c358cf2b952 |
| SHA1 | 9f8eebf483495941b81df84038de58827f979704 |
| SHA256 | 2f301e3de255f4cbae139d3b49c73b148d78d8c89b901112f1e13ad8c47796ee |
| SHA512 | bd7630f845f46165e33b17b9c04ac06cc82db70e79c0ab4f0e1612f174e2bf89cad666b6c9f6b0c6f572c7e6892fa70d9e23017d8956f4ac7f3a906298af9c00 |
C:\VidAM\bodxloc.exe
| MD5 | 6c29ec948cb7cc49beeacd44edc7ba5f |
| SHA1 | 3f8fca2e9b5b524f47534978205bf11999d820c9 |
| SHA256 | cd7177727a4301dc97e033166992404a9a43f7d190e00bfdd55a218f6ad3e5b9 |
| SHA512 | 262f29baf7cbd523aebff3f4b306df7ec1a227a93fe1d8d79b44d56c20c6a4b54b46346c65ed0f9d448af2f70dc3f830bce322289f015bb4b11b2ea0350a9330 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 875e764c94eaed6310810a1d24036e94 |
| SHA1 | 2557544ec6861445d815640da6212dc140d6dff3 |
| SHA256 | 0fd81a2a395fa7756a52e6d5ccc666c94f6ce1248a6c537993cc43c22a20c793 |
| SHA512 | cad4697cd2485d2f322a30dbdcc98a67d126031283903b329064e9d5769c558c7220fe1a3ffc144060a21722b1fcd5526c477d008f4f370793406062f6847b93 |
C:\VidAM\bodxloc.exe
| MD5 | d405a6e6ec1ee7e8bde0fa127d94f818 |
| SHA1 | 3a4fc1b8659a42c0c87e2cb68df493ef10520626 |
| SHA256 | f7769493a434bb396a726643dfcddb3d418728f3d2de4d39bc5a2304e2078ec1 |
| SHA512 | 0db30b1f330437d858e2a4f9ab32ec3ac5e2b5fdf0605b6a0bd6f7bd3b17f31a4967bac0fd7b59c07caf47c5cd0bc0b3e81597652c08a98bf5f1913674124529 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:02
Reported
2024-11-12 17:04
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\SysDrvL6\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvL6\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUE\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvL6\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe
"C:\Users\Admin\AppData\Local\Temp\fe6301b1a15a6e74d79cd8f499bed89c2b12f87a4235d2665a4309e417787b30.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\SysDrvL6\xbodloc.exe
C:\SysDrvL6\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | b3cb1b4185d70856f37547ebd63f6e24 |
| SHA1 | 3f03a47f40997caa4ce4ff749375d271915350e6 |
| SHA256 | d48a016cf5780ff92b11496b518932b02600a4f9d6106877d399585f33b8e213 |
| SHA512 | 79092c07bcd67fb3228502c46c16d5795c7397984136d27914b7380a19810c5f77e146c4373bfdb8ca917811b0ccb6e7bc5066fd8aced404fc5472a293b68a16 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 83cc3848b71ecc575fff5e2c636801ab |
| SHA1 | 60fe80f1a018733f5d3c479ae010594b8b954b3c |
| SHA256 | f1253ff44f4a03b2e5205cd0be12da50020a3f5b27647391d8508d7c626708c3 |
| SHA512 | 7c19ddd9f042931979c7d0ff3adc61ac1563a1ddd43c918550d08c3acf0b5bd230d9ac605e656b9df6c68255ffc5e81e1f4a26fcdc5400a3518eeb3d75d68545 |
C:\SysDrvL6\xbodloc.exe
| MD5 | 0860ba7ab87e6dbf893e728aa4621778 |
| SHA1 | 6296ec6dd59bc3b8a68b647437f788d3632c62db |
| SHA256 | dae0dd40453db7d1814b71e7428dae76ec100c87d90429cfe275f635828912b2 |
| SHA512 | 6b72d47a2829acfcf1490f689278dd8559279bed5d5c4557d0d0a5168428051f1906438558ebacac45c8aee6d3c2408cb4723e18b3d3bcc087625db5239ebaef |
C:\VidUE\dobdevsys.exe
| MD5 | aec5969d646c0bae3722930622715bd8 |
| SHA1 | f10127d7715ced86c08b46905ea0bdac8221a158 |
| SHA256 | 2fee50b0289bdf20a500c87533c01f680ee7742bf20468782678d9debbdb634b |
| SHA512 | 3dacf03231fb3452b9e6a8258f3ea3e53566d356fac4e9df909c7263f02a30e6ec08ed53f9821b9862bc3508bedc2a6e53a9aba401ecbbdf29030f1866118f98 |
C:\SysDrvL6\xbodloc.exe
| MD5 | 041dc284b91064ab8f65bbb0c896da88 |
| SHA1 | 0d22fa16a6f47cdbd8f725b0f9e9bd434e2e1aa6 |
| SHA256 | fbe867e6060f0d6b7f662ac08fc3f9ecc8c982058cd99177f78075fd51fb3df4 |
| SHA512 | 9d122fe764d412fdfb0f86c2fe734a0ffac6f6bd7160305cb67c6be27a6384bf3398bc7199c61e7f8ddc140ae5cfbd21e14c0ab3ae97195b9e265893d04c9689 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7d4802bc054bce832268988623554ab9 |
| SHA1 | f3dacdb1b1e57cd2a2ca30b8bff9077117f807b7 |
| SHA256 | 102b4a8055ff7964fea1436e423ccfd38528e738e0af7303cecda233c977535e |
| SHA512 | dbdfeb8be600dabb4032b542252858ce15375207f38c6fba67d25a0166348a22b2baf04f3c0d27c4e8e5c31c73ccd9671650862901c8ac0b2a5e75d4896cae67 |
C:\VidUE\dobdevsys.exe
| MD5 | 5ce46de9d1c8ab23eeb8a98bb0b2232e |
| SHA1 | eb2b026ffaf5a7802065fa5971c5c4495fa6763a |
| SHA256 | 0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0 |
| SHA512 | 173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712 |