Analysis Overview
SHA256
a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14dd
Threat Level: Shows suspicious behavior
The file a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe was assessed as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:41
Reported
2024-11-13 13:43
Platform
win7-20241010-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocLI\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLI\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB3Z\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocLI\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
"C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\IntelprocLI\xdobec.exe
C:\IntelprocLI\xdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | 33ea9f07e29dfeb60bcdb963064094a7 |
| SHA1 | 793603c48ff6e6781324d69a971019d835a54702 |
| SHA256 | f82f429e3cfc207f56add276db41bcc26cadbc055eee6e58637922d287827a5d |
| SHA512 | 616c8a65a349e84520b585d245c6af0097d6db3175a4813ee8e80b2c13e4b0bd257b5982d23190c81c21d5d8edee72b4af1e94b2585fa32a6a89470aec22ca5b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f348bc501f1a74f403647395d8d0d766 |
| SHA1 | 3af0aa7f929fabbfe1bd396fd69afd58077bbce7 |
| SHA256 | d17049dd81e4bcc75170d68963de970fbce45e5c58e09909f71cf590828c041d |
| SHA512 | 31e61a1a9094658e35f1ae375a81ad6ff83ab9d16ba9c8c63fe898f88680ce665017ec2fc37ae25f2dc1fb204e6d78ce19d86125d0ebecb5c36b1f71af466b78 |
C:\IntelprocLI\xdobec.exe
| MD5 | 557588b5982ee60422bc38138d315908 |
| SHA1 | 56e17e352888d7664301e1a19cef84c1824f544b |
| SHA256 | a24a0dbdd0e80f6fa5a4b036401e1178f14a68dfb500fdee8a3c122edb7a1d80 |
| SHA512 | 36853caafbe507895b1844d78762792758ed5a891216db3c9bbce7e094364eb04a6b0eb3e6c3cab2bf1a055a04e863d194a089908e1607395ecea28678ba80f7 |
C:\KaVB3Z\bodasys.exe
| MD5 | 6e11cb30f62f8cd386d00255c50be71a |
| SHA1 | 4aeb45cfa182f2b4015b98e191d3114809dacc9f |
| SHA256 | 3daa3251b19d6ee25450bda1d842f008eb1ac38893b643c10cf05e9424beff07 |
| SHA512 | d295e101225e7d5d78e3a71b144dd7827446e714924c08b63765cfc17b94876c5d62a4ff8f29b764fbbc83f9d73bf44d592548dbeb0aac43e016122a5ab46b3a |
\IntelprocLI\xdobec.exe
| MD5 | dbda7c25d2b3c11c3a43f3c8e4fb230b |
| SHA1 | 9e8f2deb40266be77ea745d41043f321565d4525 |
| SHA256 | 0352b8fce892371eda02a0fc036093d8f7454aa26b636561f6c60a2213775c51 |
| SHA512 | 4f2ff8441965c6475552e2871f049c428658b735604a860437cfc4e297e241b2f7100beb296c302b1bb93d7c8d3e8db2ea6ad164a8ce98ca75493b872ff13f06 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 03705cd718d63952b0c073dc88eaf4fe |
| SHA1 | 5b53fedcdd7a4ccacd680348f76cdde66bc1876c |
| SHA256 | 6bf99004847ef8435734b1953bce8ce4c9d2b4cb338885ebe7089509745c4aae |
| SHA512 | de4b860353690cc080c6da16d3307a8f852d3167f4c31b200b03ca36b3c1aa4d51c02e14c0a6375301066835a0c7c46f09beae40d307259eabaa7bccd3605ec9 |
C:\KaVB3Z\bodasys.exe
| MD5 | 0adfdacc3885e032eb1fd49992ceffc4 |
| SHA1 | 73ed7fc873d51ca8524a6b3a295ad5b0528e31c0 |
| SHA256 | ff47550d7958eb05d4bde24a1bac7be0f99f4f7afd0da28cf157ae62d7098fcb |
| SHA512 | d1482a2a567e9aa4828d8323e0981ca2b58bd898cbd4d57f78296b038e4fe8014ed05ee6ae7f9c54fa0981b775f1dd8e5288cccb35b96e3d4937e49591989d6b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:41
Reported
2024-11-13 13:43
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Files3X\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3X\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint24\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files3X\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe
"C:\Users\Admin\AppData\Local\Temp\a36b3267bffee22d3d9d8ba53c10e6a0eb18d2af5691d194bee9a7f7106b14ddN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\Files3X\devbodsys.exe
C:\Files3X\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 2af1e6cff6bd83ea0cc520674d99018e |
| SHA1 | 9889f5fe58ab872e8719a75e85e2d6bdb72b3ba2 |
| SHA256 | 9962e7436db60f1f862595ec8db5cd6fe26f6dd2cb991275f28bb53d7e127127 |
| SHA512 | 1c68986d5b979ac0579adac8ee6d7845f0a997df00d0dddcfc1394a995163f4aa06320233bc3d493bb7f5257dc7db5466e7b55f2fdd59fa667456c0f456899f1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8c5b3679a6129fa5859c383b8d763e8e |
| SHA1 | 9b97b3a6a0b810228b681a9db79e2463d3c35cd6 |
| SHA256 | c6ec3f14e2bdd1ae8eca426f68410dc0e6127bcc743c4904030b27cbf9ec6a3f |
| SHA512 | a0d8a204b9eb2d65ab5f5bfff714fd6b223f4559c598aa632874de09c8914d780c6d6de3434ff3cab5ad802a7cea384e5c84fb4c25ad8f00ae8f4b4465e4c678 |
C:\Files3X\devbodsys.exe
| MD5 | af48ca2c61e0fd1391631f72977d5f22 |
| SHA1 | 5a069efa238e8af1beaf6bf300ec197273f50bfe |
| SHA256 | 67e11321d3511a75faedef813b792f1598531262b54e549353e444a1f356ace7 |
| SHA512 | 649c6c2497748df61e4cb48ccdaf89fcac780ea30db667d836839258e29655252eed7c8ef535636c69049b16113fe2ff44b7dcbab942e8a0528a5caaec50df8d |
C:\Files3X\devbodsys.exe
| MD5 | e1fd3e00e8c724a6bc7d22dba26f4cd2 |
| SHA1 | 9895aed0837024758229e83965913983626af0d6 |
| SHA256 | c689d9d3de99bbb0c86adef071952b6c3f719707857d3c7561de7e9543ceb0b2 |
| SHA512 | 556c17a93ac38dd59443640320046cc91bc7a03e162a93a0fa1f7f351b7ce1565a07c87e1a1fc2116a58ec1adaf9b994496b26f86ea6fc439021486111c90d34 |
C:\Mint24\optixec.exe
| MD5 | 0338a4cf0378d68995be7fa3967d963f |
| SHA1 | 33f7e6c185fd6a86d05ab285a56c3cb7ee2bf006 |
| SHA256 | 85064c05efaef64c5a8fc08cc059e815bfbc409f1b9560537f98df71dc7e4aba |
| SHA512 | cd53d5ed0a62a83fcb2ed49436abb263e71faab6836517aed4ca775ab305c18173810da334fe60e9e9e049fa4a367532ac73aad467155e3148c6f9fe2dcd0a21 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5009f6c79203061adec0bc3e435a0201 |
| SHA1 | 2269e4c35414e2756be4ac53d5710a7792ef0005 |
| SHA256 | 816fe5a408877f1beaa6d2ca4d2d89d67c88994c1930dd1d4c09368845878ad9 |
| SHA512 | 9ddf43d2648ddc09538137a7dd925e3e59eaab98bba3295b95efe0afdf2872c19f117687e3a8a6679e6bb8a7847e7f590ba55c1ff9273467c4079e8b836e4f0b |
C:\Mint24\optixec.exe
| MD5 | 2ff3b564693946493f10ffe7bb943e15 |
| SHA1 | 16aada0c1829f111494e7fbcad4768c7cde22290 |
| SHA256 | 4b6ace786cdfa5d0331a775c2e516904e2cb229717a42bf5b40e1d6dc336caec |
| SHA512 | f6dabd3dbad932481e6214e6d95d810c8bfe65aa68befabfe98e7522c7c566fdc7f52716f6316d8bc4a47dab2caeb56f1f1d16e888c3a06b51fd62909b476fc2 |