Analysis Overview
SHA256
115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1
Threat Level: Shows suspicious behavior
The file 115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:12
Reported
2024-11-13 14:14
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\SysDrv5I\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5I\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidRZ\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv5I\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe
"C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\SysDrv5I\devoptiec.exe
C:\SysDrv5I\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | b4c111259130544d31f42525e57f10db |
| SHA1 | 8a166cc4debdd537fb91ab007021d40bb1bdc5da |
| SHA256 | 6917841fb350eacb7304b8ce7e0ee661d8113b92c798463354ad6365a14cb7e0 |
| SHA512 | d056d910bf98ad3c9f7654e8ca884ef22f6cd3c44e25a44029f3a0256c27d8ee4643d9f483a1616331110e3a70aa73776a32fb18b6f86702b52928c947e0a7d3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7021160d1d1850a1df1ce6339fc1785b |
| SHA1 | 2a848deb9736fc61c4f80683615b83b8d3d70b56 |
| SHA256 | 501fd2364f86f73c72b8d3a688cc05471be4680e1ac98de0606d7e273f716e8c |
| SHA512 | 87ca3a59e27fdc5fdcb82ef9473ceb61863aa653612d4a0a2e86d9375f88c09baa7a81675faad74374d935f610a54ec22cc95d88b4f3c28493c4fe1a7284f7ef |
C:\SysDrv5I\devoptiec.exe
| MD5 | 225598d6cc84d0f6b98a6d91d7dbeff5 |
| SHA1 | c7f1ebf2c7d47ecead3d48184dfff314cbe17088 |
| SHA256 | abfc310c2fe7dd23d664e8bdbe383f16ba424e1775e9aae16690407ef5498e19 |
| SHA512 | 6ad58d67a11766f3b1ab29470ef58ac5c06d18a975471fbc40519c1c82e2a7acb56a6f5875ade1130adef5f9ec2bc8a79684fca90a94dd7c0b37758ce09ae987 |
C:\VidRZ\bodxloc.exe
| MD5 | 0bbc4f4b50a0c5f6ab33f16b39c77d5e |
| SHA1 | 69fb00fa7b166a617183184a00d50a691894406d |
| SHA256 | 33cbe0f8a1d9c2a39169765877dfef21eab22b5e252d7141ebbe6ab35d874880 |
| SHA512 | 5e122b2f8e139aa0bbabd00dcb70be96fb43b2f2b9afb58b113b9f4b8e43c5bbda6212e7e09f0155194fbcb536f1236d0e62d581472ac3c1c8e018b47786708d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 46ab6e41f27ca2a473f361a394b6178f |
| SHA1 | fe90af481aa021b2624e4ea4ebcd80f3c36c138e |
| SHA256 | 25887acb50746a08253cb111854b2dd0152fa92fad085d30c7d9c4ec51c47332 |
| SHA512 | d43d4b508f7e6cf696ded3f8e46a54e44ae359d574edf5a5c43191d8553757b082c743165f8554b414e187cbcb59fe745b3a998b658d803f9efff7ee950f7646 |
C:\VidRZ\bodxloc.exe
| MD5 | 6877b5ba41f86c6e2d5700639a7a1bd7 |
| SHA1 | 3b17d2a7bca0129560270e0c962dcf131830e88e |
| SHA256 | 694eb8b56bf37fd77230fd3e3c44d20de5770929645e1df6f26d2a48d406a8ed |
| SHA512 | fac149c1bac485283ef68b5681de8273df22e366910ef24395847a1f86bd05d2022027d86b35304889febf4e723d46719ade3d02841add484647ab8b8a1aff3d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:12
Reported
2024-11-13 14:14
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\IntelprocPK\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPK\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZN4\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocPK\aoptiloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe
"C:\Users\Admin\AppData\Local\Temp\115744336e4adba0e5f0d70e5f9545c910c6a68adefcbe4dc91306f35909a4b1N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\IntelprocPK\aoptiloc.exe
C:\IntelprocPK\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | 2e58e8c126bcac6992658fcc8af10391 |
| SHA1 | 7d9441ee6a9c8338dc86faa8fc3cdbeb0e434562 |
| SHA256 | add6c78dec167dd5b8386245577fcde5292f651f46a275cee79e5465d47f25ea |
| SHA512 | 9c9ab429342a76cd55641cb5d6ec6b4121303b343ed2d55864e2e5e0353781985f3c598f395b914104fd71fef611094a5afc73869c90319a092ba29c291c98b4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c6a646a38e4054ed5c2a125639cfb830 |
| SHA1 | 89c47a7bbb49295f9130161c6d65a5bffbfe383b |
| SHA256 | 4d6a6e2b5794b5c0f3d140643d2f2ab430886d22dc8acd4708e4a44fd14564f8 |
| SHA512 | 0344f8c63a948aadefcd67506125f78f47913560dab802a150ab60b0a8287a8629aae411eec108db468f44704a115038536415ac1bce83df47cbeda295e4454c |
C:\IntelprocPK\aoptiloc.exe
| MD5 | 8418e7872f56e67f281f8855ab4f8d50 |
| SHA1 | c8650c8a07fc64a4a7328e0df4810dc004665056 |
| SHA256 | 61c42d4e289e67ad3a365cd4351b6b952161b57f526c97613acc936a1ae5e0c6 |
| SHA512 | 3f2b029c276792ab19eeee0b7cb4b0fa57c8bf6d5aae2559483daae8e65282ac5bd91152f3b2c29b506ce48557689886f851c180b04d7838aa3067bcf7864e77 |
C:\LabZN4\bodaec.exe
| MD5 | 308c8e2306894ff6b6b95c96afcda07f |
| SHA1 | 6d903f7f6384f97acde776bfaba4e07030abf043 |
| SHA256 | 5f77870e2da0c0758b4377a54520b264b44d09bfe1a2961a7f0ea65551111ea5 |
| SHA512 | 5a2a7789b6a0373ebdc0566a6a3935ef236a8c39f5b3f1670f779059acd9873363960ba9e3d062d5a4a7a2d69418aba58e2d1bb5f0c42a81ad3de3f4b8e93c78 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 45d46f5d38931c01ae1ec0170e98d845 |
| SHA1 | aab578e7396a63f47d2ee64a3897025c76664f7a |
| SHA256 | 1f207737b2e9f6b662ad5c527741a91b4c228c57901e55ceea78ae7a29982653 |
| SHA512 | a31b7796c3eab7400c440f0fbdedb6d4ebf358ae52bebca9a557a8c8a8481341b098a3830d347834ebcb6eabda3abe45854cd9a6a93a0faab9c8111291665091 |
C:\LabZN4\bodaec.exe
| MD5 | ac0b505286c85e4b3220f1791dca2104 |
| SHA1 | 25d39413719379b7873052e9d4093d0cfd7fded9 |
| SHA256 | 5523d904fe4c6c07242e43b5864b26e767b7b8a610c19d76d80cd20cc35dad0f |
| SHA512 | 63eb1012e2fc32e359ccaed49555fcddb069433bd96c6c7095f3e06f902ed0b3097ef73847276218ab8fdbe4d6b1073a570df6a04351a89ac3c28aef766d3101 |