Analysis Overview
SHA256
88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109
Threat Level: Shows suspicious behavior
The file 88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:52
Reported
2024-11-13 13:54
Platform
win7-20241010-en
Max time kernel
119s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\SysDrv4T\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4T\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFG\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv4T\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
"C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\SysDrv4T\abodloc.exe
C:\SysDrv4T\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | fb0e91eb5ffa25b47b302ab073cfc18e |
| SHA1 | 9a786ac9d12afde29e7db803bfa7ffd113076341 |
| SHA256 | a2ebcfcdf9afddf00a0dde56740fabef8fc8779f8ae0a121281ec2e20c27c851 |
| SHA512 | 321158a69ff6aa3d9fd05cd24b14ca069e5b22e6b262ba48004e93bdb6e53232d4caaac54cb1376250c9e0c59ea581186257d91b780cbd2360ba251b0dc60759 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f89f6efbbfa7a8e2dc21c781f72c59c2 |
| SHA1 | 50de7d6feb87c66dd53d97eba97e179c6b8ffaa7 |
| SHA256 | dbda1a9673975c515e599dfe9e60fc7133a2c4d04aa28aee011f6d8588027d96 |
| SHA512 | 42aedb72083eb0382829eab199628817a359c16a95fe5431edce99039edf753ca817ff80ff679376bd3131a64a239c9521691363fd2d04701c900b5793029978 |
C:\SysDrv4T\abodloc.exe
| MD5 | a6b70624db72357bc7f2753e3f4c895f |
| SHA1 | 297e4c3986d53aeea385f299c352131ff6ed64d3 |
| SHA256 | 2b8c8b8dcb5c5170ad0988131774b5a23bfe3016f4cf1522686b88f7138ba65d |
| SHA512 | 24b53f7fa3a2a4268b68f6391c9c11953b4c1e906afdef3c1b4a98968ea0eff2f02701f3851fb5d363d8d1320b1eecf4fcfa3edc9fb359ffc1109611fcbfa51d |
C:\VidFG\bodxloc.exe
| MD5 | 68b3c5bb08141c9475075002142f6c4c |
| SHA1 | 15324ee1ea079363f5ee1d2db87c07e9be05fe7a |
| SHA256 | 82fe3cf5891275833a4c26394b47f595df69fb73a3b45d41fa16d99dd5002177 |
| SHA512 | 07b6b5e4050eb0d0971406f02d12c7185f164244d7ae212a73ce2e367ac247faf3243d558dbe7eb76b203fcedffff17cfb05d8a04bdd53aa9a7cf0e99dec39a4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a13c89395d2437687795fb42fe2dd089 |
| SHA1 | b3373bee8de2c71b2569c5fce8f0d55aaa6acf9f |
| SHA256 | c12c46958996c19a8e9d56d3bbfc305ef4f1d7cfc3ff104ed6e5c07b57dcc445 |
| SHA512 | 79b88aa43d099204375ce8c083c44e6b9fb5b54c2254b22bc15e4fa277a2b8aa7207e21b6df1e9d0dc4cafc77c5bf56d94c22eda3263e095806fdb5a71b67281 |
C:\VidFG\bodxloc.exe
| MD5 | eaa87037017d3173f95e7dc71ea5c998 |
| SHA1 | d30452b5f25962e9558d547277cfae8170ec54dc |
| SHA256 | 996498e5c16dee0540c8dc2a8081653201b8298580acfd34ab6bfe0cd8bc6538 |
| SHA512 | 22031c3d38275b7ce3ae07d262e870d36f5f4ede1e3b135b9c00a357a25a96939ecb0d047012eabf514cdf1619c0d6d43de582543de2e3cd1dc04b920be78a32 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:52
Reported
2024-11-13 13:54
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\IntelprocEH\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEH\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZT\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocEH\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe
"C:\Users\Admin\AppData\Local\Temp\88bb02b6d277ac6446f20db79f7a4f82cdc22e59a9ffdfe00bb03bfe58bf8109N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\IntelprocEH\abodsys.exe
C:\IntelprocEH\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | e543027f8915a2e2e51aa7ba7bf4985d |
| SHA1 | 565b9a01f89627ee0a1cb016f75c62e69188a7ef |
| SHA256 | 268ca18b5169469cc562c405fdfb48b51e300e76dbfffbf99ee9f1f0cf389c57 |
| SHA512 | 28a1bab01118e5fa5d6d30bb45160e1dc34b81793d423740fa83e34461b48e8d3c54cc6d0220ec7308d21af567bca3e764ce88039a77c79c3a7a2542e823c107 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 51bc193499e6a2b803b9ea4b75e64907 |
| SHA1 | 5ea0fcd9fcff8c275f60ce76facadb7bc6f843e6 |
| SHA256 | 9bce529778e39ca4244e5292e6e5d99424cdfac6c3563d777e23c8ed7354461c |
| SHA512 | f85b924070b8b4d85d574fd83c2fe36f920f8de829d77118dafb72f522926a80b6e09f44d45bd2e3d232f3f022cee617d2d73993852ae74d597d27e3daff2c67 |
C:\IntelprocEH\abodsys.exe
| MD5 | 8c1c896a5eded367b0123e57e80f8942 |
| SHA1 | 58b9ec3001e2af2ba7f99089d4b60c945dace020 |
| SHA256 | f9912008bcb976ba2798d7a276cc276b6ac32c80860d60352ae6ad7dd05dd7aa |
| SHA512 | 6902c3b9d5523950ff08a7b155e6e36ba5ba99e81ca94d7742a410c37812cbd2c522ccaf499f89cfafb5f594d56caa21c57ce63a98125987acd1ad4de00754e3 |
C:\VidZT\bodaloc.exe
| MD5 | ccde3e37a4a69ee82e64c70e983fd4af |
| SHA1 | 6e48f17ce495e4dc994ce309767055db42d9c957 |
| SHA256 | 11576c48ef7443acb159726500dff23d5d3ac5a3612af6aea7c6232ca5ec055d |
| SHA512 | 3229559a864172c26ff4be7e7c61257347dad751672d244f0b1c1a409f1474156203e616a5cd66c33e6bd1c93656be310d3b014813b398f1649e0d5bf38eb637 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 73518b704a0166169030cb137348c03e |
| SHA1 | 81151da524a900bfaa3891ee7b1bcc506626d687 |
| SHA256 | 0c380269a32570ccadb2cd759013b7e3fd371e49a4d705d55c2e7943c5999a9f |
| SHA512 | 0081bc10c20a542b1e0fb7b76d7d03b3b5878d9b227db49f6142cfb182613dbb27f69ab3ab9c1333ac3c4049f4fc4f4d1d620fd4b99f7b01ae9fcdd58e9756d9 |
C:\VidZT\bodaloc.exe
| MD5 | eca5ea25f6a32a95c09d2d11f140c43b |
| SHA1 | fc7c4ffc46b345747cc079073a62c80c129f2442 |
| SHA256 | 7d956fbd2f73b9d56dbb1fa91bb438857ce1495cd868cdc6d6daea38edfcff17 |
| SHA512 | 27d28a94c6c9d88714e07d1c5d856b348aaffe7164a680aa4aa760c4a738cf9fed9f373ea895b3dfa3e80ea1b8702679ff32bafeb7e84ada4fe30ff30b1add61 |