Analysis Overview
SHA256
6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264
Threat Level: Shows suspicious behavior
The file 6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe received the verdict: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:47
Reported
2024-11-13 15:49
Platform
win7-20241010-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\Adobe55\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe55\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8W\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe55\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe
"C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\Adobe55\xbodsys.exe
C:\Adobe55\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| Algorithm | Digest |
|---|---|
| MD5 | 63a5b81546346b13427b1debdba297dd |
| SHA1 | c5937dbe0d5343e24e14446ca1348682396f3494 |
| SHA256 | b10dafc993c8c3b868724631a5f01e6f460ffb3f2da7afdea3038df874818757 |
| SHA512 | d8d19e33373e8a90c4af40bf232a9825fe1da1a326e57d1802532d9633fd316eefdcccc9b92d441d3c25db88c8ca2c88d9d13782d4a210840b6dfb6dea68fcf3 |
C:\Adobe55\xbodsys.exe
| Algorithm | Digest |
|---|---|
| MD5 | bec2994b413777e67c99e3cfad97c425 |
| SHA1 | 6d593bb0c84719c4821a21a3c410e65e1b1b0366 |
| SHA256 | 6f3c5a1089fab8a47fdcda04d98cad743886836b5b609842c9ca2f3177dd0e1a |
| SHA512 | 95f9aa1a4ceac66e4c5f56764bbe0456db00e34ec25908c789e4d77e9fc91876e3f949d9cf17443ff93cd4b9706da792f174476562bd1a5a6f2e96f6e83f6588 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | 504271a15eccb087ac20abb3e88b4db5 |
| SHA1 | f71521dd88e211e421628e8287958b97ec2c0dc8 |
| SHA256 | a99cda020ea28cd19ea7db629e94905b69ee3bac55aad1d2d22b293163a9e0e0 |
| SHA512 | 57be12863247ec61a554e5c26f6911a512da3e477c3caf1299957ea04c528fb4291d62ceaf5e78ae424e8e6a32187d7800118d4dc17f0b463784140d14a7038b |
C:\Mint8W\bodxec.exe
| Algorithm | Digest |
|---|---|
| MD5 | 15e1f9d0a00e5509d4e55a3d75c25103 |
| SHA1 | 9a9a902abc9e57da4be845261f70b2682bd9afb7 |
| SHA256 | 40d285da3f3aafcc677e2917ad3a32b90c3e82f72ff6a12b7eeb2e130bb18376 |
| SHA512 | 1a7fe68afd822bb825ac18f64f80c905c5402a26e5c67b151fa697b529a8611d4f6726ce22035207ff93ca6712ecba01304b320ed07b1b4d7a14c8aba5150715 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | 9dcccdd3859cc2959392fc12196a761b |
| SHA1 | c88379f94bac0d87020dfeb92614be0421582bb9 |
| SHA256 | e65bd25be62be4aeb85de6da4759e04db80fc0d5ba445f4555a08749674d9e76 |
| SHA512 | 24218b5c1e0b9bc0c5e22c8e8e306635fcec5e49b27a51dbe57c936a5900f4d10954890ae039468394e1db76791e93e5e66ff70aa5adf3145728903c4990b9fa |
C:\Mint8W\bodxec.exe
| Algorithm | Digest |
|---|---|
| MD5 | 97c18fd7b447163b03d2fed4d0b6833a |
| SHA1 | ad3af9aa8374980eeb2d7fa3cbbbe6f0af9c0c78 |
| SHA256 | 5d178bcaa92b88b9238917d97c224972df716364d436d27b2b9652175ff0ca30 |
| SHA512 | 75281d26a21730572604087c76761c029ec6290df99abf22b4eb1e365a110605c6b35a7d9fb2984aecb03f9987b1fd03323e59d71eeb5cb1379c681f7de70734 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:47
Reported
2024-11-13 15:49
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\FilesPU\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPU\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint6P\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesPU\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe
"C:\Users\Admin\AppData\Local\Temp\6ff91e84b2892c2e61f2bfa60bacad070f979001650b038cd5089e19f61f1264.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\FilesPU\devbodec.exe
C:\FilesPU\devbodec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| Algorithm | Digest |
|---|---|
| MD5 | 53983b666d0ab107096edf7b32d9b815 |
| SHA1 | d44ccd8c4c8e12a798fd77b260de0c95f9bb9897 |
| SHA256 | d7ae1f22909b72dc382d27cc0b730f5aa3600d04d25adcd9d765d122284683ea |
| SHA512 | bba0390056a6d5eb7c25c73a4e49c9d0bd5182b8cc25d59e42e4116ae0be2070475626a6309c9ca0202d7cd330ba0a44f6c73e2e157dfd05b1d53a79b0ed022e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | 7a9e37cb0614eee7d9568cad2dcc4f1d |
| SHA1 | ab3bf21a175394b5dd45432d14722b08c34f9368 |
| SHA256 | aa2eb268fe596b7419fcfe2a8a912bf4a5768e362ea6697334c9d23ae4d436ff |
| SHA512 | a18770dd7a81eeec756196d581696b97a5f66f721e575a2a21901ddfe48f3976d46cc3f46183c3f0312b8b2a87000493efe5944d2e4a1a8ac7896d5488d32e3c |
C:\FilesPU\devbodec.exe
| Algorithm | Digest |
|---|---|
| MD5 | 22982414cd28f7bd963c7390fe332005 |
| SHA1 | b9780689fc2f225a5f207b3a0f2533dc5e381874 |
| SHA256 | b3c258b288b3f2ef33c6a362503e599b349febb9a0f7fab4311ba488dbb1b44a |
| SHA512 | 905aa5b5e80fa41f962d0a01ee4b2a54155d0ff7e92d1533813efa64cc4ff3ad1cdf63ac6a1e689b0a4b44c659ec4760631e0162fda9ab3741cdf0b0bfcd0cb2 |
C:\FilesPU\devbodec.exe
| Algorithm | Digest |
|---|---|
| MD5 | b25b46714518f10703d95e30f80d14fc |
| SHA1 | ed35890ffa8d3d03fb523726ff56582ab7b3bf47 |
| SHA256 | 6de478dc40a16f0102faa3f6a4bbb02c49359b0baea6e4069c268a66153b2fba |
| SHA512 | 50ac75ebe260f495bd8b4936d8052846c05adad9919fe146f39b9b4d6ad5018756f6c9b42f56c2152710e2082c1eff00ff5b9156f0aa624707f45eb0aa5a70ec |
C:\Mint6P\bodxloc.exe
| Algorithm | Digest |
|---|---|
| MD5 | 31142acdd7ec836bc07ba40bc705e739 |
| SHA1 | 273036c5840bfc756fc8dc28ed17ce6a74f48443 |
| SHA256 | be3cf3ed76db40d4346f6e7850bf01077a7802720a825a401b067358df7fd8e7 |
| SHA512 | 66e2ad8315ecbcff66f1aecf8aa1ebd287fe9aa0c90b43e1684f129556cef6e625e92f59cf8e94728fc580c5bbafd94d938bf963b836f7434db0c2bab0df45b8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | e46436c7597a444bb562701f9d4c8a01 |
| SHA1 | 239fe5889a69f6d63e804d341c16d7c0552e6761 |
| SHA256 | b9de938f01f6d241d06d63830743ae86e7ab177aba23ba207127ed37f7e44fba |
| SHA512 | 302c0f45d62927977bfc36182a6253e2c213e00a987020fd686f7bff695ed9b8f3982079f1e71c6e440322b58db00b4532f4be89dd0a890cfa92b3b86c371649 |
C:\Mint6P\bodxloc.exe
| Algorithm | Digest |
|---|---|
| MD5 | 9d85107fcdf419f5e8a33f23d687e68d |
| SHA1 | 7ed6b701f2ceb5422730faeb2900a8a0f5811b0c |
| SHA256 | 0843520d0379dbb36effc2cc5ee63861fa1841578bbd123746e5aab4ae2331b5 |
| SHA512 | c59a3e0e7d49cfe47e322ed7b4a14b7975e3651217a1e69761115b4c53ac4b10e21a3d8fc55899a5c827ecbf67d3f0de762e1f727043761e688ac46cd7f55327 |