Analysis Overview
SHA256: e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677
Threat Level: Shows suspicious behavior
The file e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-12 17:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-12 17:12
Reported: 2024-11-12 17:14
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\IntelprocQA\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQA\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB5Z\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocQA\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | "C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe" |
| C:\IntelprocQA\xoptiec.exe | C:\IntelprocQA\xoptiec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | 4b56041271f539a394b272d548a2911c |
| SHA1 | 1a500414baecd6914a68fe6ef42ea71975b01abf |
| SHA256 | 3e60e11df5f2fbdedaaa661c5250334d46a4622ae7d3d6600d2096819506ec08 |
| SHA512 | 2c22eb89bd4d82c29eef7a39e8272d2b243da1e5ed01e8d372075440cfef472c37422d34908d9e85888ff4bea944960878393e6b770fdc4ddcdd29c9f0e08056 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1e923a70687e5bd59979586eeeb93b3b |
| SHA1 | 4a487fc050297479a79a06b4ae6b91e1d455c935 |
| SHA256 | 7a4a2f90cfaa60a981191ab2cd7b2c678348fddd21a1e012d480b4226afd2f5c |
| SHA512 | c288827f0eb3d1d22b209e352d78b952511ec067b7b0f6e4e892517979adecc640dcc4fbd75c4e75ab24e841e6dece75cd5f45fdcbda3254ba6d9abbf85736db |
C:\IntelprocQA\xoptiec.exe
| MD5 | d639aa89ec0f56679e34a7f6d07fc51c |
| SHA1 | 12af856da10e5f5d4a0c09e54c25a5aa98e8b6cd |
| SHA256 | 456012e7d59fecc378b29418053b110c5c487dfcce5793ae71d4e913d20e7ef3 |
| SHA512 | 48043da85f3147e9f99a7b55db6e648f99ea453023502fe95aea24133a1299e0de293d5b7aec0f718b36387ecb48e664070438c0fc8b3aedbfb2fed4b4f10870 |
C:\KaVB5Z\optidevec.exe
| MD5 | 407ede9a7c997f7feaad996d809fe0fc |
| SHA1 | 8b48ce9dca80c90d0490becba5a8de794b1b913f |
| SHA256 | c81d164ac4ec268e12fa2b56cadef3ff6a5dced1eccb978fe1f87e73385f8066 |
| SHA512 | e3015b30468f5027bfe214381c3167f82b325171fb348da2310d8eac89e8b5e7272095367412e03286e13052f291678a55317788f0e204e26b014a7bac68aab2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 84415b08cd4928576eecea4b73a0df42 |
| SHA1 | 0c0b41dae27d70698593dc6931162e79eb464bfc |
| SHA256 | 8a3c4463ac33514b9b3cf4d07767f73f30651a02f254c1a6e6a4752001f8821d |
| SHA512 | d0372248c204666f9e3d29abf63e982393d81a537f6e719b44d7183971c2f08549fc33e928ecb7f8ba1c01b870353524769075f8dcd3062f8776705a63070292 |
C:\KaVB5Z\optidevec.exe
| MD5 | 9d2123c08c52ba41c0ff50c147ebdb16 |
| SHA1 | 1e3a052fc9fbed6f4d2d7d12c734528b6e0d1840 |
| SHA256 | 08fb248e7a48022f47f0ccc33215c71d8bf6598d88597e55ed67f353410ec9cd |
| SHA512 | 7e689cac16844aa61e29c4244026443b639cc488b5ceef78059b5c3c214614f36e7bb888f4da8862456983a3587ca77b5132d399d380e5d529cb3c3594dba840 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-12 17:12
Reported: 2024-11-12 17:14
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocOK\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocOK\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGM\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocOK\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe | "C:\Users\Admin\AppData\Local\Temp\e7296c53ae31f59f27fe450847fc48408a230b715cc12cd7e5dc30b4bf7d5677N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe" |
| C:\IntelprocOK\devbodec.exe | C:\IntelprocOK\devbodec.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | 4d497d2dbc6590aa554171388efb4d37 |
| SHA1 | 73d6c8c01130353f184ee077b566718788891323 |
| SHA256 | e0f1fbcd29f959730e37f385749ce2a6deba27f7cc4f7e7588aa915f50012708 |
| SHA512 | cb039c9e2d5f2ff0d193690fe668b32fcf12c2391463b7e766f72d97e72620f6978a373fd12b2f48643fcfe8c8c5311ddccd08016791b652aab6440ec27717de |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8d2a99b6b462485d40f50bb541140d03 |
| SHA1 | f6923a6bb17e70e852cd982d5101642a12e65cdd |
| SHA256 | 42902bdc4b1f4e9980fa383324738cad0e1872d4f1b8693a8f29d6c57aec1c2d |
| SHA512 | 3a44f46ade1c4be48b3b6150ccdeddf525376ef14720dee9c32f31850729fe68180dac542330d98812b534e45b8e142492f543987093eb8f881eb3b0e186c11e |
C:\IntelprocOK\devbodec.exe
| MD5 | a08ec3e57b5dae41771b8b3073840297 |
| SHA1 | 2f11b3b8d787d892bb359999a9857b7ec7b3a309 |
| SHA256 | 5fdb8f15fa291474b98795e22259da8e98912bc53b4139ac6dd0fcf392345055 |
| SHA512 | 3c0719ce1220e85721e4c6e03113c59444596d20c58b44e38015c82fdc3ab57bb5b39ae36661743d486cb74dcd14bd7f0113cf1df21a8b91f28c4e92f04470c6 |
C:\LabZGM\bodaec.exe
| MD5 | 98fc73177737cd0c9eff527d66f80916 |
| SHA1 | f5075e8adbf07a4dafe448ae12751c5872d540e4 |
| SHA256 | 11e715ce373687e20413cada9eb2831f387dcb86acf661cb445dc01b4584164e |
| SHA512 | 538e3326775ecad9ef561f75af52957f442b671a5dc94d3441abd54052f20a51a6e85acabf0ac4ecdb41c744b823b8fb775b3caa32bd5ee8a95d6f9b35530467 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 01537ef5891ecae49de1e717964eee19 |
| SHA1 | c6fdfd83a365d8d25327df7b7010c847ecc54538 |
| SHA256 | 3b5f9dfe7a0a49edef4de7b109d92d653677a78407b276ad3eedfb5c65beae3b |
| SHA512 | 254594107d2cd333ac25dd9da59d3fc525d8d0c40e31b270260f6f9663873d79198e4e40e9a31e8b8f9a182aad4ab9bb0ac9d2b143688fc37daafd0c602ec1f9 |
C:\LabZGM\bodaec.exe
| MD5 | 9a9b03df5249404e318e6ca55d983c25 |
| SHA1 | 92eab36ffc075efa1ce4c09f1aeb6230a365359e |
| SHA256 | fcc037d405ea9ffb2ac196987ddf6839028365bcbe2ee6dce1568ffffcc9c970 |
| SHA512 | 276ad3c43253dda2367f601df1d58c11e0301b5bbb43f95a9dbf6065b1c6118d11ef40278792d7309911b267f644bb4d060c3c13d2ffe28c330b57b254ba0350 |