Analysis Overview
SHA256
497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67
Threat Level: Shows suspicious behavior
The file 497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
|---|---|
| Reported | 2024-11-13 14:44 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-11-13 14:44 |
| Reported | 2024-11-13 14:46 |
| Platform | win7-20241010-en |
| Max time kernel | 118s |
| Max time network | 18s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\IntelprocDA\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDA\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQ1\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocDA\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe | "C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe" |
| C:\IntelprocDA\devbodec.exe | C:\IntelprocDA\devbodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| Hash | Value |
|---|---|
| MD5 | c9d008b85c5ecba83deaca6a1a80bb07 |
| SHA1 | 6623e7681b1413cbf56b904c27efc464ee94812d |
| SHA256 | f8da8874d862ba9d6b4d3e0b96cb3bf6a699847f01ff373818252f223bf6630b |
| SHA512 | d24d35e0fd1ab454509aab8f7323d02f3cdd422018e6331b354de19056c032444af231f4ac00fb09133297190afcc35c4e1338951333cdecd2a2a400d43c65db |
C:\IntelprocDA\devbodec.exe
| Hash | Value |
|---|---|
| MD5 | 3ebac619ac7f450f9f96b0aa93a9de6d |
| SHA1 | c70b10b9d98126d69807abda5e2c3f81b12db469 |
| SHA256 | 03cdc8c9b9c2f85e1a85c32b69e909562f1f471e339e6a8221bd3141b37690b4 |
| SHA512 | f4eeb5523424c18febe7c0da173f268a28d6510ec04012190098c6912ca9686ee5fc0786d54cb1db5d3c9e3efe5a072caf95292bf0538055e45e9968da334110 |
C:\GalaxQ1\bodaloc.exe
| Hash | Value |
|---|---|
| MD5 | 48a7adfd660066412552ea9675da8798 |
| SHA1 | 1e40447f6e9e9e1ebca7e5c68b0ca65f7261ab68 |
| SHA256 | b9f78fa95caa6857992133342aa2b5a249569acb3631400712aced89f7ec9501 |
| SHA512 | bacfef39325f327b4b3fa760061d1d60e188d5c23896987c728602517fa06104e11d93f878a478cbc285c6963237415dd41c25fa3112e7ecc5d3660e4859ead6 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 0aa2aa661db0ebd6b341b1e4380888bd |
| SHA1 | 71ab00402891455c68caee4de7ccaea40c2e2bca |
| SHA256 | 8080fb5750fe098387a8725fe1751b0ff5615f02dbbef4677a9a59011494b9df |
| SHA512 | 702bb93c98aa6d380daa143c8d95413892f05dfa4c97c186b7e284f1c9eec0fa04c664b6b0771d6302bb44c8e77e81f79145399e997ee0a6f73771076a21f9bc |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 61a6edeff3580ca9e5085bcd1053a0fe |
| SHA1 | 78caa5e3d28eb2ccb4716c1f0a063ed315b7cc30 |
| SHA256 | fc00ae42116ee88aa34be30cefff70212cea90e8c89ef1cb93f7a45f20e235b4 |
| SHA512 | ef48bc6b3a6ced92d9d2f4ec38f00c9ee95f80b3697ae0850681cc645bf222cb2f5f0e9651c1285b149ba20d87af82b69fb48ac2a7a25605b85206d00e2f69ec |
C:\GalaxQ1\bodaloc.exe
| Hash | Value |
|---|---|
| MD5 | b6766e4fe20792a49355c11da11baa4b |
| SHA1 | 098f9f71ef67c797dad9c23225166ce824d76917 |
| SHA256 | eae9358c77c2f03e648caddcf4313c428ca1221918684411616d0d409475aab8 |
| SHA512 | d04c01e273b36170f958477a2e51b3b818aa33bee8e9350256e0b6610bdbfdff702bb2050bd2b2b0d501f15491cba88d38e83cf114c78c014df21108f5c6a38a |
Analysis: behavioral2
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-11-13 14:44 |
| Reported | 2024-11-13 14:46 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 119s |
| Max time network | 105s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\UserDot9P\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot9P\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBKC\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot9P\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe | "C:\Users\Admin\AppData\Local\Temp\497b1fbac98bf97d9c8fdc0a7337d33f7cc005ed105c31040bb056dc5eea3e67.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe" |
| C:\UserDot9P\devbodsys.exe | C:\UserDot9P\devbodsys.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| Hash | Value |
|---|---|
| MD5 | a450fe1990ef4b66350b0bfc8cc57f5c |
| SHA1 | c0da175a3559958f1805508653093873ecda87df |
| SHA256 | dcd6af810edb1c1196b2c53454647548afb8fdc60082624434090a0d849257f4 |
| SHA512 | 1c4099d96af719765a9b567e8063efbe1116e212c708bbf59c35558e698a14ff5e921c99ce654e9e8604780c2b945c22636b755e47f48bbd78e3d60a243376ae |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 6ca4c129eea65bb7588a6b09812b8014 |
| SHA1 | fe758ce26416456942572ffe01865379b8e654b6 |
| SHA256 | 6a5ae70509c2707bba8b6e79a923a486cbbba302b9856a2ebef2dac6831ae015 |
| SHA512 | 351c9c542a56db4a6e938854843b11f55756e5817078738034c910a308b72fac23247172048fe6980c75d19f7174509b87cf592c9dab6a3a2aa9acdae5d784e1 |
C:\UserDot9P\devbodsys.exe
| Hash | Value |
|---|---|
| MD5 | c64408e47fb108e99a9dc785a59c0fc2 |
| SHA1 | dfe6636c0a8ba06c66807d8061e4def8112783b1 |
| SHA256 | d96a716362f3aba9c882938937e7bbe87e5e13e6e1f6fdbbe53d4c2ea81fbc1e |
| SHA512 | 0018dfeff92927a947f5e7a63a04a8d9e705edea609ee035d5187f4b89828f7b3250d03bf1d01965a4b1561ccf865b33fef6df9f7d3af2454701a3c355f26c5d |
C:\KaVBKC\optiaec.exe
| Hash | Value |
|---|---|
| MD5 | df173483fdb1c87ade4ce7027091f346 |
| SHA1 | 1fce42b4f71111cade648fbc9e6be0624980f15f |
| SHA256 | b39248ab038ed79d63ad7da30456086426aa0b4b2e560c541c62e0a4adb98e07 |
| SHA512 | 553f80822c6db2b6ed17b7715b2fe586a721ea9c80de0b63e2a92db4d36d10e93a86e10eec870c11b457e7e8aab8e03f69ff3964544e519d77ce17aed435fa15 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 1c33f30df72f7657384b11cbeafe3d89 |
| SHA1 | 6aea8a8e4401a7b727cc2a539462f9ae64f689ac |
| SHA256 | 86607bbfd21728e30f4c60724b5efd485fc1ebeb6a71a9f20dd2ef99f55bef6a |
| SHA512 | 8f124f26df50420408896e8fa8f84b7b919ad3ff175f32c456ba3f527cfa528705e4fb8ecd4bcdc219978d830181c2d515da0e8a1d6ce3b3a727a1de0795b127 |
C:\KaVBKC\optiaec.exe
| Hash | Value |
|---|---|
| MD5 | 47b05811e833c26511a87d22b7855238 |
| SHA1 | 6faad8f3828be6b9719a9a02a73fe167d2e45734 |
| SHA256 | f8bc1430c00f891ddba81ddd6e4da9da9ecd20bce1cd173a135bd25cf1c24947 |
| SHA512 | 1d859e9c16eca26ab74255239697fca6510f4cdc3a617a99e50afc505388a72ea5e5acd3ecd67580eb51947f9a691c95034efb38084188e7937874845364b694 |