Analysis Overview
SHA256
e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352
Threat Level: Shows suspicious behavior
The file e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:42
Reported
2024-11-13 13:44
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\IntelprocKT\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKT\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQZ\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocKT\xdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
"C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\IntelprocKT\xdobec.exe
C:\IntelprocKT\xdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocKT\xdobec.exe
C:\VidQZ\boddevloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:42
Reported
2024-11-13 13:44
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\Files0K\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0K\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAC\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files0K\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe
"C:\Users\Admin\AppData\Local\Temp\e47f5ed7037c6201f7203fb8b9acdd537ccfdc8524b34cac3d9136e83c47e352N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\Files0K\xbodloc.exe
C:\Files0K\xbodloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Files0K\xbodloc.exe
C:\VidAC\boddevec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\VidAC\boddevec.exe