Analysis Overview
SHA256
2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b
Threat Level: Shows suspicious behavior
Verdict: the file 2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:58
Reported
2024-11-13 19:00
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\AdobeWC\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe | N/A |
Reads user/profile data of web browsers (signature matched; the report records no indicator rows for it)
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeWC\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBI0\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeWC\abodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe | "C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe" |
| C:\AdobeWC\abodec.exe | C:\AdobeWC\abodec.exe |
Network
No DNS lookups or connections were recorded in this run (compare the win10 run below).
Files
A path that is listed more than once below (the .ini and C:\KaVBI0\optidevec.exe) was written more than once with different content during the run; each version is hashed separately, so a block list needs every hash, not just the first. The .ini name embeds the Windows version (6.1 is Windows 7) and the user name, so match it by pattern rather than by exact name.
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | d0d860d3a90c38d69726c863af686814 |
| SHA1 | b960d56ce80fe2ee854339d5e7e960bab6e9a0aa |
| SHA256 | 1e15a708bab3edcfcf203900e6ae244d6737727f27ef431d91cc92a7e27e17fc |
| SHA512 | 3abac01c2581cdf4fdde722b5b2b1b11b40f009d6f0eed6e44310d24d8a140673ebd9bab810e92fcf5762f4b8213349f659104e2dd6ee7b9726f6a0b79a48b86 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e0f167df0b6e54ffef84559a86604d25 |
| SHA1 | cc81eac60afaacf5ee436ac6679210967447711c |
| SHA256 | 29ef524635b6a114098c9f35b203eb195cb2ea626824e457870cef7ecf964c93 |
| SHA512 | aaa7c05bff0955d1504718434841a68ede24ee514023a7af8fb7fd5394bbe121cd5d81f71edfd105a5479eb9cc0cd2d20a0a6c22a5786a2ab8783945ab40a390 |
C:\AdobeWC\abodec.exe
| MD5 | 47827a6b788b76dec924efcd451e819b |
| SHA1 | 839c38886b9005e925cf8db52401ca255741e9f5 |
| SHA256 | e7d74310de61f7de07aeefb1aa956355e7aaa4ec9703ba0ab64fd20d63163113 |
| SHA512 | 13535618bcf53bf1c6809ab65f59f75bc3ee6a500744bc3823dd4a8df01f4c1b1d4ad0deb7dd4ebcec4dd95ee587fc36ee648c23af98b5b40e3b0aba4a991cc3 |
C:\KaVBI0\optidevec.exe
| MD5 | 00c789f335a4a1088e21576fb51eb1e6 |
| SHA1 | 85169510d79642001a89f153b68029bdf50ae963 |
| SHA256 | 0a34a8dc6396cf908efd2432509844b8c1bac1a9c076c913163332c45e7e9bd5 |
| SHA512 | 277559afbc1ffa704dbeb216a9235f0b8a18d6126ae1baabeb7b9f43903e6053cf51684237eaab1c23151b6b6ee8e872328568513f0305474cce14d7e3c45707 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3508888b83172fde6171107a5173851b |
| SHA1 | 212df06c05d46621cb2d965ed71c3fbc3ffd6b61 |
| SHA256 | 060a5cb57fa14866c2c313c07ab023ed7d9467aa2f44641ea7a6dc38eb2b653f |
| SHA512 | db180e029c937582c23ee5e39954f5637e8638a85e35c66165f9cfa23397d0eab0a9c5ba189e65cf9184becb84a9f6ce4045e0d4445e4223bc1c6426991b2dfd |
C:\KaVBI0\optidevec.exe
| MD5 | 5a5665c7137dbb99c240364297a4a512 |
| SHA1 | 382969d394b80571fb04064003528f6f7cb81c89 |
| SHA256 | 43da80304f219af92d96cf484c45a88d31282f654bab20c3b544a38bc2b1bf0c |
| SHA512 | 33b15087e7796b5765f6e892f3aed8ca9515db91a47d84744d014014ed36b1a91df2e1fe0609dd04eb0f54498f460a4cf2af8d67cc9f898e606ba34323841b95 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 18:58
Reported
2024-11-13 19:00
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\FilesPU\devbodec.exe | N/A |
Reads user/profile data of web browsers (signature matched; the report records no indicator rows for it)
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPU\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOV\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe | N/A |
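The Startup-folder drop and the Run/RunOnce values above are the same persistence technique (ATT&CK T1547.001) recorded two ways. The following is an added example, not part of the sandbox report: it takes the (Description, Indicator, Process) rows copied from the "Drops startup file" and "Adds Run key to start application" tables of both runs and turns them into findings with the reasons a reviewer would cite. TRUSTED_ROOTS is an allow-list assumed for the example.

```python
"""Triage the persistence indicators recorded by the two detonations.

Added example; it is not part of the sandbox report. SAMPLE_ROWS holds the
(Description, Indicator, Process) columns copied from the "Drops startup
file" and "Adds Run key to start application" tables of the win7 and win10
runs. TRUSTED_ROOTS is an allow-list assumed for this example.
"""
import re
from dataclasses import dataclass, field

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe")
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_ROWS = [
    # win7 run
    ("File created", STARTUP + r"\locxbod.exe", DROPPER),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000'
     r'\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeWC\\abodec.exe"', DROPPER),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000'
     r'\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBI0\\optidevec.exe"', DROPPER),
    # win10 run
    ("File created", STARTUP + r"\sysdevopti.exe", DROPPER),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000'
     r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPU\\devbodec.exe"', DROPPER),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000'
     r'\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOV\\boddevloc.exe"', DROPPER),
]

# Run/RunOnce values as the sandbox writes them: <hive>\...\<key>\<name> = "<data>"
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(?:USER\\S-1-5-21-[\d-]+|MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\=]+?)\s*=\s*\"(?P<data>.*)\"$",
    re.IGNORECASE,
)
# an executable placed in the per-user Startup folder
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|lnk|cmd|bat|vbs|js)$",
                            re.IGNORECASE)
# a binary in a folder created directly under the drive root, e.g. C:\AdobeWC\abodec.exe
TOP_LEVEL_DIR_RE = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+\.exe$")
# assumed allow-list: where a legitimate autostart target is expected to live
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Finding:
    technique: str               # MITRE ATT&CK sub-technique
    kind: str                    # what was observed
    target: str                  # path that will run at the next logon
    reasons: list = field(default_factory=list)


def triage_persistence(rows, trusted_roots=TRUSTED_ROOTS):
    """Turn (description, indicator, process) rows into Findings; rows that are
    neither a Startup-folder drop nor a Run/RunOnce value are ignored."""
    findings = []
    for desc, indicator, process in rows:
        if desc == "File created" and STARTUP_DIR_RE.search(indicator):
            findings.append(Finding("T1547.001", "startup-folder drop", indicator,
                                    [f"dropped by {process}"]))
            continue
        m = RUN_KEY_RE.match(indicator)
        if not (desc.startswith("Set value") and m):
            continue
        # the report doubles the backslashes inside quoted registry data
        target = m.group("data").replace("\\\\", "\\")
        low = target.lower()
        reasons = []
        if not low.startswith(trusted_roots):
            reasons.append("target outside the trusted program directories")
        if TOP_LEVEL_DIR_RE.match(low):
            reasons.append("target sits in a folder created directly under the drive root")
        if m.group("name").lower() == "parametr":
            reasons.append('value name "Parametr", seen in both detonations')
        findings.append(Finding("T1547.001", f"{m.group('key')} value {m.group('name')}",
                                target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_persistence(SAMPLE_ROWS):
        print(f"{f.technique} {f.kind:24} {f.target}  [{'; '.join(f.reasons)}]")
```

The folder names differ between the two runs (AdobeWC and KaVBI0 on win7, FilesPU and KaVBOV on win10), so the stable features for hunting are the value name "Parametr" and the top-level-folder pattern, not the paths. Windows deletes a RunOnce value after it has executed, so on a live host the RunOnce entry may already be gone while the Run entry is still present.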
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesPU\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe | "C:\Users\Admin\AppData\Local\Temp\2599b2d9cc764160cb5153c13fd0af6541721c1f88d8081b23e3e1d118d74f1b.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe" |
| C:\FilesPU\devbodec.exe | C:\FilesPU\devbodec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
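Every row in the table above is a reverse (PTR) lookup sent to 8.8.8.8: the "Domain" column is an in-addr.arpa name, not a host the sample resolved, and the report shows no forward lookups and no connections to the decoded addresses, so this table alone does not attribute a C2 contact. The following is an added example, not part of the sandbox report; it decodes the rows (copied from the table) into the addresses they name.

```python
"""Decode the DNS rows recorded for the win10 run.

Added example; it is not part of the sandbox report. SAMPLE_ROWS is the
Network table copied from the page (country, destination, name, proto).
"""
import ipaddress

SAMPLE_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "69.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "212.20.149.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "73.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "48.229.111.52.in-addr.arpa", "udp"),
]


def ptr_to_ip(name):
    """Return the IPv4 address that a full in-addr.arpa name refers to,
    or None when the name is a forward lookup (or a malformed PTR name)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        # PTR names carry the four octets in reverse order
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def summarize_dns(rows):
    """Split the rows into forward and reverse lookups and record which
    resolver served them. Reverse entries carry the decoded address and
    whether that address is globally routable."""
    resolvers = sorted({dst.rsplit(":", 1)[0] for _, dst, _, _ in rows})
    forward, reverse = [], []
    for _, _, name, _ in rows:
        ip = ptr_to_ip(name)
        if ip is None:
            forward.append(name)
        else:
            reverse.append((name, ip, ipaddress.ip_address(ip).is_global))
    return {"resolvers": resolvers, "forward": forward, "reverse": reverse}


if __name__ == "__main__":
    summary = summarize_dns(SAMPLE_ROWS)
    print("resolvers:", summary["resolvers"])
    for name, ip, is_global in summary["reverse"]:
        print(f"{name:32} -> {ip:16} {'global' if is_global else 'non-global'}")
```

All eleven names decode to public addresses and there are no forward lookups, so the useful question for an analyst is which process issued the queries and whether any later connection followed; neither is in this report.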
Files
A path that is listed more than once below (the .ini, C:\FilesPU\devbodec.exe and C:\KaVBOV\boddevloc.exe) was written more than once with different content during the run; each version is hashed separately, so a block list needs every hash, not just the first. The .ini name embeds the Windows version (10.0 is Windows 10) and the user name, so match it by pattern rather than by exact name.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| MD5 | 29b1fbc0c8e8a6ed846758a9f7508b3f |
| SHA1 | 7a5f23f87ddc049d2840277686351db75cbc1c62 |
| SHA256 | 7ccd2b8a1054a35fb8b047c10bd08a0f105796d6362d53abced6d0bb302d2eef |
| SHA512 | 1d222778534db4a125a9b24e05dcb948e2c540f6af5f5e8b0265101ca620835a35a63e816e9762226e44d0c26548d3d18bd8105940cd54ccf3a228989741fba2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ce7f0d7b7ac0e820b7ec1d180f47001d |
| SHA1 | ffc894dfb5824781646ca5254605389888b71e38 |
| SHA256 | 18f687c47bc527c87d91d48b18151c5fa739577e0258a58c542a9c30612979e9 |
| SHA512 | e985f193b1cbfcc58ec0fb7f2c364e6f621b0dc8a8585f256a8f775a9364a2df95da1d6055ca4fa04751b1209f62b064f69eae76f4097ef3ac523348e545f3d8 |
C:\FilesPU\devbodec.exe
| MD5 | d62768fc5e956e7c1960c31b932f1405 |
| SHA1 | 07467599de5a6d68d91965edfe13b0bddb0c9e5a |
| SHA256 | 91917723909b1242267b567fd36ba5075e6dce75da6f0488ec61dcb6a06347a8 |
| SHA512 | 26f03cc67e26ab527be8a862e302df61c0f9fa37edfe10a2941eed0cb179763b9f76dd46cc62f03140f278c607b375af6bbbe73b05dd7d09fba2dae3753c8251 |
C:\FilesPU\devbodec.exe
| MD5 | 0730bf088a36740d24a6592c31458792 |
| SHA1 | 41f9e6ae4a04706d6f5ef79ad14c698fa0ba09d0 |
| SHA256 | 77ee5b093de1c8fc54a1480a1c75e52bf582edb8f9c9d16733af35e4576048f5 |
| SHA512 | 726d59487cfd13d8035f550c9e239f2c2ad9e9cb7a456874206901fab61d54818459d0a35021a09211169024fb22a0122457935aab9acf2df52e2fb060bc3d61 |
C:\KaVBOV\boddevloc.exe
| MD5 | 01027ed8c964865c1637fb8bd0e5affc |
| SHA1 | 8be8d9d9621b11bcb2e54ac5beb16f3a4c06859e |
| SHA256 | 742a47b2336d8a5cc6e73f8b2a219f2efa9dbad60e2a1f6e9e64911f45cd839f |
| SHA512 | 5c5ce62383e75097f118e80e21c0830002a7bb7a6da533456c0bf75eebbe075fa2e8114605e3f9314e1d1c443d82d7b2727692c788bc9a53963e2752e1f4cfa8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 64958e8abb7d6beff88a72c8a4df677c |
| SHA1 | 8c3a19104ef691c6f60eeda8db4d2b0f0b48ea66 |
| SHA256 | 360bad04d294ea74959a38a1fed45000aa5f90241a07141b8eaf997caf9481cc |
| SHA512 | b79fd405312ddd608d72c7fe5f5bc56be89b98ed435998997b6cf27ae787e211eed8eb0a6e41bb3f85953c6b65fa6cee51281e761ba6e34aa284e4d098fd3b29 |
C:\KaVBOV\boddevloc.exe
| MD5 | 3eb4f1aafd6cbe8e6be23c4b4b934d6d |
| SHA1 | 07061fbf79a2e72fcf6062f28c11c66f33f7b33d |
| SHA256 | cafa2d7a8d44ef558af0237b6a61c09ac0b5d8d0295646d262ad9ac090f2d92e |
| SHA512 | 62627325b4ac3752ef4c5d1dd7ad169701824e781a1ee0f738a9e09290347e55d771edd7feeb01c5bb2262b8cd55c68af5e78063cc7748e232a8246f706e80c2 |
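Both Files sections list some paths twice with different hashes, which is easy to miss when pulling IOCs by hand. The following is an added example, not part of the sandbox report: it parses a Files section in the shape shown above (a path line followed by hash rows), refuses digests of the wrong length, reports the paths that were rewritten, and collects the distinct hashes. FILES_TEXT reproduces the path lines and the MD5/SHA256 rows of five entries from the win10 section; the parser accepts the SHA1/SHA512 rows as well.

```python
"""Parse a Files section of the report and find paths written more than once.

Added example; not part of the sandbox report. FILES_TEXT reproduces the
path lines and the MD5/SHA256 rows of five entries from the win10 Files
section; the parser accepts the SHA1/SHA512 rows too.
"""
import re
from collections import defaultdict

FILES_TEXT = r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| MD5 | 29b1fbc0c8e8a6ed846758a9f7508b3f |
| SHA256 | 7ccd2b8a1054a35fb8b047c10bd08a0f105796d6362d53abced6d0bb302d2eef |
C:\FilesPU\devbodec.exe
| MD5 | d62768fc5e956e7c1960c31b932f1405 |
| SHA256 | 91917723909b1242267b567fd36ba5075e6dce75da6f0488ec61dcb6a06347a8 |
C:\FilesPU\devbodec.exe
| MD5 | 0730bf088a36740d24a6592c31458792 |
| SHA256 | 77ee5b093de1c8fc54a1480a1c75e52bf582edb8f9c9d16733af35e4576048f5 |
C:\KaVBOV\boddevloc.exe
| MD5 | 01027ed8c964865c1637fb8bd0e5affc |
| SHA256 | 742a47b2336d8a5cc6e73f8b2a219f2efa9dbad60e2a1f6e9e64911f45cd839f |
C:\KaVBOV\boddevloc.exe
| MD5 | 3eb4f1aafd6cbe8e6be23c4b4b934d6d |
| SHA256 | cafa2d7a8d44ef558af0237b6a61c09ac0b5d8d0295646d262ad9ac090f2d92e |
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_files(text):
    """Return one dict per entry ({"path": ..., "md5": ..., ...}) in page order.
    A digest of the wrong length, or a hash row with no preceding path line, is
    an extraction error and raises ValueError rather than yielding a bad IOC."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            entries.append({"path": line})
            continue
        algo, digest = m.group(1).lower(), m.group(2).lower()
        if not entries:
            raise ValueError(f"{algo} row before any path line")
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} digest has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
        entries[-1][algo] = digest
    return entries


def rewritten_paths(entries):
    """Paths that carry more than one distinct SHA256: the file at that path
    was written and then overwritten with different content during the run."""
    by_path = defaultdict(list)
    for e in entries:
        if "sha256" in e:
            by_path[e["path"]].append(e["sha256"])
    return {p: digests for p, digests in by_path.items() if len(set(digests)) > 1}


def unique_hashes(entries, algo="sha256"):
    """Every distinct digest of the given algorithm, in sorted order, for a block list."""
    return sorted({e[algo] for e in entries if algo in e})


if __name__ == "__main__":
    parsed = parse_files(FILES_TEXT)
    for path, digests in rewritten_paths(parsed).items():
        print(f"{path} written {len(digests)} times: {', '.join(d[:12] for d in digests)}")
    print(len(unique_hashes(parsed)), "distinct SHA256 values")
```

Run against the full win7 and win10 sections the same functions flag the .ini and the second-stage executables as rewritten in both runs; the hash set to block is the union of every version, and the rewritten paths themselves are the better indicator since the content at them changes.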