Analysis Overview
SHA256
87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236
Threat Level: Shows suspicious behavior
The file 87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:54
Reported
2024-11-13 14:56
Platform
win7-20241010-en
Max time kernel
120s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\Files8H\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8H\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBW7\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files8H\xbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe
"C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\Files8H\xbodloc.exe
C:\Files8H\xbodloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Files8H\xbodloc.exe
C:\KaVBW7\dobdevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:54
Reported
2024-11-13 14:56
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvQ5\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQ5\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBPZ\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvQ5\devbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe
"C:\Users\Admin\AppData\Local\Temp\87d782b5d6f9537e15690232ca93a8253fc672b83b808f20fe6afc34aacc1236.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\SysDrvQ5\devbodloc.exe
C:\SysDrvQ5\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvQ5\devbodloc.exe
C:\KaVBPZ\optixsys.exe