Analysis Overview
SHA256
278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cf
Threat Level: Shows suspicious behavior
The file 278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:18
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:18
Reported
2024-11-13 14:21
Platform
win7-20240729-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvG5\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG5\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid31\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvG5\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe
"C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\SysDrvG5\devbodec.exe
C:\SysDrvG5\devbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvG5\devbodec.exe
C:\Vid31\bodxsys.exe
\SysDrvG5\devbodec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Vid31\bodxsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:18
Reported
2024-11-13 14:21
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
92s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\UserDotH6\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotH6\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxYA\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotH6\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe
"C:\Users\Admin\AppData\Local\Temp\278452a3bd3a4155145ec626e6b1b66a8bb60e3635d1571bec25a8afab03d4cfN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\UserDotH6\xbodec.exe
C:\UserDotH6\xbodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotH6\xbodec.exe
C:\GalaxYA\boddevloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxYA\boddevloc.exe