Analysis Overview
SHA256
56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417
Threat Level: Shows suspicious behavior
The file 56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:50
Reported
2024-11-13 18:52
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\IntelprocRT\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRT\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid5W\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocRT\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe
"C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\IntelprocRT\devdobsys.exe
C:\IntelprocRT\devdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| Hash | Value |
| --- | --- |
| MD5 | a6ff2682bdf5a7598aad8fa8bdc65e8b |
| SHA1 | 09ddd53fd5f74586750d962df4b5dd64af85db9e |
| SHA256 | 831f80bfb183279fdfaba13b2a2670347f862bde76296749ecd709d3d6799c7c |
| SHA512 | d576b6a334f82956d9edd573558d4115c2699c568614ebeb1a52e6f9cfdfe3c0d436d1de5c88da4089a087048412b79dbed8ddb3b76a3773f05fb39f4a21a5c1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 8182b2a4b1693161b8aa6773241a167b |
| SHA1 | 6194411e465577196a8f1745f4c95fab368240c8 |
| SHA256 | 15039954ded0fc35b004dbaf8297773a3e8c8ebb7f286c817d4ff1b12c8fb0e7 |
| SHA512 | bb89b33ad4777bdab3e1480e39b459877bdb044d8a1c5a525bdf001e129e9db0e796a9ec787606799e0d855069200e58d2f7d6df5bf5dc3e37407aeeeb45e292 |
C:\IntelprocRT\devdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 4ad71bf36c99758b879073337e893538 |
| SHA1 | 9818af8c004e47f569e8c14fb1450e519318d3e4 |
| SHA256 | 32f83bcad30d997af8b5a7bb769121f1a52d71f567071c847528789c57cb2b25 |
| SHA512 | 1e2425d47317a45f603bac4c9e81475395dfde60a6b914147b9aa5a04347d60d69a98218fe850df164892d8f6adece6835ebe2e77a13ce49d0b2a91b9b21ed56 |
C:\Vid5W\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | d9e633699699e42a070cd5b34ec9c6ae |
| SHA1 | 1ba058045e0034c063799a95366a3261a6962e43 |
| SHA256 | 77c904bd566ee6fb280b0ba4ff00893557fa538baf5275475a1dc56ca70b96d5 |
| SHA512 | 3264ce77429f9ea4cbd0b1a2a70c341359cb03f7664ea6231c4d858c6435bdd7989757ae262b25304da919286053c8aca76867736366c847d3a41c5dec75f8b0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 42b77a2c0a658d14eb9cb4bb5b2e4b96 |
| SHA1 | beb011295d5bd0d3c214ece04d77911bf561fbb6 |
| SHA256 | 717a0ebad68d145f1ece39dd6a09a78ca32872d52e63319fe0d1167fc0cd068d |
| SHA512 | 945138d7888b1cf70a9e38f4ce1da8d7a697e5cf02dac96c47a91dd6a3d5ffc3ab8ceccf7304c247834a68042046d4fd78215fa768019f977292b7a4f5cda3c5 |
C:\Vid5W\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 6cc4113b14a59254d94fc410cd6bdb87 |
| SHA1 | 002681b2d0e9e3cd8d987d0e2d00abcff57cea8c |
| SHA256 | 285e5882ebc11dbee708582ab80a91fdb11a5763e80f8229666c613fcc95cdb9 |
| SHA512 | 994002def6d865b684695539a9e5c01f0327e3208f7590d9b12344621f74efbb190424ad32c7f898a49c53211679e93dc720883b50b71e5e0d5bb36d82d6833b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 18:50
Reported
2024-11-13 18:52
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\IntelprocHW\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHW\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3F\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocHW\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe
"C:\Users\Admin\AppData\Local\Temp\56a8ebd987167226d18a87ce32eef2c1f8d26f1c8550c30869165bda4dcf4417N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\IntelprocHW\devbodec.exe
C:\IntelprocHW\devbodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| Hash | Value |
| --- | --- |
| MD5 | ab8b9d4d0834b387371c53b7483ad6d0 |
| SHA1 | 5ea73d17c2a3b92b1fc7ce50901036071216a813 |
| SHA256 | 1d8a6eb7177c71594773b77af111ae91728daba3463e604cd996a8ca71de4ff0 |
| SHA512 | 9c1d98ac90e5c514bf09c7bbd027f99d8563962965e92412c4a98f3a0c9d51d269585e279fd024c3c20380defa19f2722ecfaef8dd3849bb832ddf8cf8864f5b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 7ddb95657aaaad84765c48b3245b406f |
| SHA1 | 548b8cd774ddb7173f6b5bd93fcc88b37a3b19a1 |
| SHA256 | e2af1ea92f6067c87aaf205a8ee4654c4e4839373271ef1b52ecfd492eb05757 |
| SHA512 | e7510f74f4e39df6a161b465c8d78ec1cb3aaeca5a3c9e6d1b6a96db9c8cccd03fcd22b0af7b4ce8e8d09963a6bfcb2f6e5b7c6f23547fe1191fbe4286b12268 |
C:\IntelprocHW\devbodec.exe
| Hash | Value |
| --- | --- |
| MD5 | e96d555ef9c1c5f67c62657ae3f4fea1 |
| SHA1 | 0648d4e12a5091988fe5c1b1d93c2c72754a2744 |
| SHA256 | d42e485b99394ff78a095001255f9e54f560f77d3c6a4abb3bd9c863f470fc1c |
| SHA512 | 25bd053cc1020e949349fb743d74b1bb725610bc5e3c50e17ca60ff7502dc733d4fa98e4d55a640d5ed33858ba51605c374abd8c8bdc924dfef3249c5586390f |
C:\Vid3F\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 1a6ed6c37deee2a7ae3c8ce944781f32 |
| SHA1 | 48c40b909a0c74aa613d89ff42d07ede9da30846 |
| SHA256 | a59a326ca8c3735f942d237c63793e9878a3be1088e7ac1971b397fa4a949ca9 |
| SHA512 | e19600406f63d198d02780c7fc973d078c840c5ca37a69849174a091551c4b9f00173f5ddd04fdd6e990a23dd60cc217873873c4c2daafac5306ea8ce91c3a33 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | db38157d02b71013a8f508a0ffd23510 |
| SHA1 | 6fd7f7102d23b160a3c6122aca11b2a48ebe8867 |
| SHA256 | 5b9be3390cca86164a73f53ee211a52edecb6caea55fd5a36200e786da54ac16 |
| SHA512 | db113bebb04b2f8ba5901c33fc17f067d09f5bcbb80a3ae0b1cd5ab4e051dea02fff64901e966f6a35eab5e2897701016a7b8013ca5c43db8830021088066204 |
C:\Vid3F\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 429659205fe528a81dae4988af39ce20 |
| SHA1 | d41bce4b10837bfcbb9d1a319fa7dec255be82c9 |
| SHA256 | 7b695ab4fa16c5fdcd26006d6d91005eaa959465402e204cfdfd0acf3931a32f |
| SHA512 | 537872190a351a5c6b830c5557b52f3e6b7acd828b7da6c2702b6e3aa0e38aaac2ceef381f2b0454363825844fdb423e4cef202e0cd9f794850cedfb2ee9df1e |