Analysis Overview
SHA256
9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638
Threat Level: Shows suspicious behavior
The file 9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:27
Reported
2024-11-13 13:29
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\Files5W\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files5W\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintH6\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files5W\xbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
"C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\Files5W\xbodsys.exe
C:\Files5W\xbodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | ef98822b1133a885708311fe70d89305 |
| SHA1 | 396a0e7b43e0a3cc2c140247f7c92191e155bc2e |
| SHA256 | 451221ec48ea6187d23cc487e98658741ffa4a47cbe4e25634281d9dc09e5caf |
| SHA512 | 5c46ee15ef887c694e3c4eca1e591b03e581904dc03db6f9443303c3a964c9578106b0c0f5d56b743832b853e73c0e5a48a0f939d156bc0ef883d2587d528e00 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | da71271dede69610ad9084bb0d252351 |
| SHA1 | b7e1a87c6a8e615dde1a9e74f71faed1570545b5 |
| SHA256 | 3096644a7409e3eebc962cf25184ebbe2d25e63945c86854ee0c8e208ba4b09a |
| SHA512 | 3b63813454f29d09b046beea1b9328d9d8c27454d81b731292c3ed6c978fb5f51335975f22e4772138f3a9a4a0a878e666ad2139b7797eba4b883dcc51e40edd |
C:\Files5W\xbodsys.exe
| MD5 | 490a28ea962b4b05b4367f2b9dd54518 |
| SHA1 | 3aa3a72b00965888d85b13cdecfc581ba1846588 |
| SHA256 | 964b1bfd3257c8c256353b0a05680fa943abf9c7baa5ef1149efdc20564ee7f4 |
| SHA512 | a5241f8e71526cd0a1fbbaa1e4219dc899d5a4bd731615bdae951dee5981fe9739d92b0b4df116457c76fb96f551f9c1b1d57fe20033e41f90eb7c552d63ec49 |
C:\Files5W\xbodsys.exe
| MD5 | 2f738db5d41e8bba1145dccfd2a55cc8 |
| SHA1 | f13d10b0832f7064e7f60afeda4cd5de9f14597e |
| SHA256 | b3f3e7ec7b1d6734ef53bf346d3d8b7d803197fc7dc3f899844da96058a0c0b8 |
| SHA512 | 66a4cf1b7d490acd29990dac3c14a75248de546ecda741780210d756eeffb25084ba9dd55745e59177795eb9d03482934eed97e7ad9d10ebf0c2dddd33b28dc8 |
C:\MintH6\dobxloc.exe
| MD5 | b7d81150e16346c0bb11c31fc0b583c4 |
| SHA1 | d22ff4f22f8bb8b7e568d56c8725f53634165ddd |
| SHA256 | 783dff94a0a9b7222b7b9d8554224ad753299dc182f93c3ff15275b582fb76e0 |
| SHA512 | 8b3d537053ac72165bb5ae528d179782867fed26774bf4768ac3053c3fb515432b416c9d1940a59c0ba113f812e4476fb8683de7682bb220bd593ddea1ff4a32 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 1ab1d7872c1d3575697a9b35f451a0eb |
| SHA1 | 192fb3a55e3cda959afb48019db6bedda18d2f4e |
| SHA256 | b95b2ebe271f35bb6209ac54b85c101c919035f528adc1daa4e5df5dc5547371 |
| SHA512 | 9254fa5dba20215fbfeb1cec506e62807f8cc8330b07602174c0ec1c4819af76119b5d3c19688aa54998a21d63c52301f4dc3d84971e4bf18193cf4bcf837594 |
C:\MintH6\dobxloc.exe
| MD5 | 1adbd55f22195f79c7eeb73e8f32206f |
| SHA1 | a5d2a35ba6bd2d3ca4db2c444f34c90cf68e0815 |
| SHA256 | c5208bf421cc77c51bd5261598d006febd504c6d33690c831f30390805460623 |
| SHA512 | 4a6efb969b5a23841e9a9f46f181addc493371d9a6f437caa4efaef46ab6a38810ef7c84ccc87ddb4116e051561abb25be5a633a75f077aaf087cfe34ab8e60a |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:27
Reported
2024-11-13 13:29
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvMS\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvMS\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFR\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvMS\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe
"C:\Users\Admin\AppData\Local\Temp\9bb83a705bc602a5dd463e201cdc0ae8d4984645ad9722194bd5486e29379638.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\SysDrvMS\devbodloc.exe
C:\SysDrvMS\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | beca1b5c5d1f2bcfadca9e829f738887 |
| SHA1 | 68ef1ce30a46c14dd08eb62027b6f9e91a7772cb |
| SHA256 | 335e5848fffaa86c93141a7281b16ca0241112e5447dddedd48319fd51cda8f5 |
| SHA512 | 65546618ff1143eaf165271572b8a5355ce3006a1f011d27a9f7dea846370108d8ab6378e9f975ef894f343c75c8d65a1c135d3dd99b1da9675256aec15d4141 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6860da30cf41c6a0ef883a568701d98c |
| SHA1 | 063a2fdfe062a6a3e93bf4b8d0572ab5cbf45eb4 |
| SHA256 | e1698591b7331d95694ee9ba72d4926103d639d90b56004b1c8435858d3ce8a6 |
| SHA512 | eb930ca86b74b6760e4084a87c50f27f459fbd920b81deb76aecb1591b207a9a3259f53b0c26c8c369ed2d984aada5fc70f8f4aa44d362e62ff0aa4312440313 |
C:\SysDrvMS\devbodloc.exe
| MD5 | 4074ebc32540e509c9115448f3cf3dc6 |
| SHA1 | 26437b006cfd8d9b557944ba59933d15c5aadb4a |
| SHA256 | eb09979b639039f9b39c1422528840ee10d70c0fc3a203810eb4eeabd3ccecd0 |
| SHA512 | 5a76524ac411ea775b93c9de80a8529b67fa603c8d6f924592ea2ca8095e60b622cbf91bb8e27d1e1f08e07b064a59b4846868044bca9ea257fb5497ca6152d4 |
C:\MintFR\boddevloc.exe
| MD5 | 096195b66d8d5a40bfaca8ba8748b291 |
| SHA1 | 663772dd3c846b6a110db5cf1f4e8331cc1f3a0f |
| SHA256 | b1a1efbfb440bd01de105d34e41ad06c107859afac510d66cb5eec6834c17901 |
| SHA512 | 97c53f962eaf19122f74364d1b1c09f7409a3a2fa1d4b3d7938ca0c5fa3ea56c227b1bca3c656bab047df25928d6e685235ffa0193db831b8c0c8007c6a9afe3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 77fa7ec527ecbd6da74db54c70b1d148 |
| SHA1 | 8545d88420a166342d667d3694dfe6bddd82e373 |
| SHA256 | 52b9e9c1fde8f8aa8ff97cf77d1f12432534710936f7074d87e47e7845d4dc33 |
| SHA512 | 27e4aefd4338264a048f16150f7e6f6bf2107cae1d6b74d1aa268ceb11dd0d589b4532fd5153146572361f008b50d6458db984bb1e112691e93904ac0569a7fc |
C:\MintFR\boddevloc.exe
| MD5 | eb40e642b8442650561217e01809bceb |
| SHA1 | 0b5b00a016a1ef09d73c820d46cb88fe6bd32752 |
| SHA256 | 2bb504501de98916564172c3660069f1651b327352f3769a2208eaa5fc6ffc3a |
| SHA512 | ae301718a800da09ca2fef20f29340d32a3adb3d12e619f8e8762ce9a3c36d3875871cc2c68f363d7ed2843bba886ddbeaccfa1503dcaf3829b45d90578aecfa |