Analysis Overview
SHA256
9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6
Threat Level: Shows suspicious behavior
The file 9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:03
Reported
2024-11-13 14:05
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\IntelprocLS\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLS\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7K\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocLS\devbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe
"C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\IntelprocLS\devbodsys.exe
C:\IntelprocLS\devbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 16eb8daf81b0cb24e5233273668a891f |
| SHA1 | 6ad845c1f49748fcbb9e12d769ce80a0f9020e76 |
| SHA256 | 98bcb696c1f451c11aa2af7e5f5cbd01bb106d97dc4b1f91ed77d9d9eb40066b |
| SHA512 | e551c81fc535b93f95b0121a1e4c747bf292e109bdc95b4a609e6b6989f055c9336b2376674e11f081ad81e1028c85c019191e9406a238aee3dd302ae9474020 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a323af449f19b4029b45410512675414 |
| SHA1 | fe30b5f775b68f24a5ebefe2475d4a1a4681ffdd |
| SHA256 | 7f0122cd95ede0b520a863522d4a8678ca4a28ac0b5d53e7c8b79786d4fccf39 |
| SHA512 | 2e30117bf5aee84a25de551050f0ffbbfd02e44365ed9ec9408d059aff48ba9633ac92d6b7a81c7e08f43f542f4621711b28074b2524ac392c518c722eed14a2 |
C:\IntelprocLS\devbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 5472ec4779c66e08ba32b922588d8644 |
| SHA1 | ce2a322ed201915abe64ac312135009f1193bd64 |
| SHA256 | 5284a8f70c4579f6676c27f6100d5bfd693a24febf9a9fb6e352eea0b15aaf6c |
| SHA512 | 66b9e0beeca9af2116cabbb6c09742b3dae9e5468feccd0703a2578f8f7274c525ac445dca448846964cdd39bc95d384c0af81646a7784b1626b404414ae55ff |
C:\KaVB7K\bodasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 96dfcdbc9a767ea0c036ff4f2919d011 |
| SHA1 | 2267e2951a3b20c4fd812a5f31ef9fb5187c3a3f |
| SHA256 | 6de9a38b7cf118daa4f091400b440298e69f898c79d78a9e52408ba965cdbc4b |
| SHA512 | 7612b80361f129bf49c59229f71363960aa884c9b01c62d25f4c25ec659c5ca0e874ec2de9313c35001609c0b96d4b3f095e04e8ae6925e143f9b9ce8d326a2d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 73b3691406e262bc64516f17181a0d27 |
| SHA1 | bdef5884bb344d356052a281bce039e4407f7da1 |
| SHA256 | bc0576482a2d4b05f27afca47c125eedba9a486d042b703685844a77f6762423 |
| SHA512 | 8ee5d6e4dac30faea0e3a9c07ca88cb394fd49943520701e381ef95f8cbd08d49fb736d69678a0d374eb43d040edb26740d0d73e65e7942ecd3ff1cfe6c94c34 |
C:\KaVB7K\bodasys.exe
| Hash | Value |
| --- | --- |
| MD5 | ea842cb1561876361cd3f9c432d6444a |
| SHA1 | 9be3afb6886b3bfe3c4998797badf1c3383c5aec |
| SHA256 | 19d8be71ad1d089eb25c98dfaa1d4811445f9eeed5a8402c4590ff566e2ba9da |
| SHA512 | 8fe6ac926a7ef33631bf3ad511a03c8d1fd0e8c170fd064ff81aef8e1ef239937725c0c18123bf23bc48b938d38e547be48cbba01c0ffdee66379df9b96b63ce |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:03
Reported
2024-11-13 14:05
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
54s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\FilesSC\xdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSC\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6O\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesSC\xdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe
"C:\Users\Admin\AppData\Local\Temp\9cbc8ad1433260b914fd2716d0200ce3540be543fb28124891000d4c249552f6.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\FilesSC\xdobsys.exe
C:\FilesSC\xdobsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| Hash | Value |
| --- | --- |
| MD5 | bc358f64838292329b4e0cb510f8059b |
| SHA1 | da26e388421f9f8b3c7b9d08955b682557f95196 |
| SHA256 | cb45b94dd94525af0e96fadbe7020fbcadd084502082eee41a4831d6e9edd105 |
| SHA512 | a025f939ff84b0e043e26455a639bd12ffe1651332cced0d53549af2d712af89596678000738953d2605f7791958c034064e972a77074293c9bb8a5fc12a0a94 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 029d6b7e2070177ae11ebe5b15e16b87 |
| SHA1 | e662ac80c221c19743e1eee01811893c406ba42f |
| SHA256 | c46634033fd2513456b033e23010a9cff4c44231075d67596192500238f235c0 |
| SHA512 | 907079615735d7d17248ddd3bb8d46a6133a94b21b8a5faaab4377f28b6078f433e4175052d88791834c727b6c626296dcf2356b4182081c7c37325e9201fb37 |
C:\FilesSC\xdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 1b98da710b7e4c97e0fe5e64d09c5595 |
| SHA1 | d07f1f2dda13dd93972dbd74b7e35be0121445f8 |
| SHA256 | b7d206bdfca50ffaf078bad890c2429f8128f9a86e76bb4bb97d74bd4f7d7a0f |
| SHA512 | 4adcf16e2c213e44139b9b2408ce31ffc80ca0c0d61f9d648a31b2cb615c53192a959fbb45c9ead6c6c13f55407146dee2c1949a9b3f2cafcf8dad4c4c7b379f |
C:\LabZ6O\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | 906e3595156f9e420811629768bf2c11 |
| SHA1 | e7fee45fcf34468246ba5185127f2751af0c33c5 |
| SHA256 | 8a64cd9ed65b9872807349266e85034ffa20b5bb92e12263ee9ba6a0b72c0da3 |
| SHA512 | dfed7178e0bb47cb2c2e89e638a77874116c879c1120ac7182cc8052b222b24c7d6c6da840d97e84a9dc6b2ff4452ba7ec0a4d9e1f632a4105149ec942fe752e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 9ac6f8c366920e91f6835dd5bb9afd54 |
| SHA1 | e7a69d22fbf6bc8d8f349e65b47d0ea144411958 |
| SHA256 | 857ae51c2a591c74c1abcff5f3a69544be1a7757cb5512d14e701392f8d2b108 |
| SHA512 | 09ffb8931077a0dccb368cf131c40fe9e6030991e86506092d31db6b44df2975c24f5f1a5ddd34c4290b2d7884a9102aa4907b29d155a212dd7019865a57c1ef |
C:\LabZ6O\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | 1406f16434002a4237254b696829cf1a |
| SHA1 | a6d6b2aa509addb642e20b14b143f0b0272d934e |
| SHA256 | b5cbd821b4aa397b94c4e7de6e7f2fe8a1ce68d8967ba7ff2d971cc4da2f432b |
| SHA512 | cac2c4b00628d51c7b1873dc17c82aadec310a894da368d9e820050b5503c0c787a593b2ab179944f68c2fa0f21ddc5a7e2573a035661289165fa08d052ffd8e |