Analysis Overview
SHA256
0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7
Threat Level: Suspicious
The file 0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Taken together, the two detonations below show a user-level persistence chain: the sample drops an executable into the user's Startup folder, drops two further executables under directories named C:\SysDrv*\ and C:\LabZ*\, registers those two as Run and RunOnce values both named "Parametr" under the current user's hive, and writes a marker file C:\Users\<user>\253086396416_<NT version>_Admin.ini (6.1 on the Windows 7 host, 10.0 on the Windows 10 host). The directory and file names differ between the two runs, and each dropped file is written twice with different hashes, so the value name "Parametr", the SysDrv/LabZ directory prefixes and the .ini name pattern are the indicators that carry across hosts; the dropped-file hashes do not. Nothing is written outside the user's profile and hive, no process of the sample produced network traffic beyond DNS reverse lookups, and the "Reads user/profile data of web browsers" signature fired without a recorded indicator.
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:39
Reported
2024-11-13 19:41
Platform
win7-20240903-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\SysDrv9N\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ13\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9N\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv9N\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe | "C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe" |
| C:\SysDrv9N\xbodloc.exe | C:\SysDrv9N\xbodloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | b506ba6b6c046a5f94b88b3ef49be9f7 |
| SHA1 | 3932c53041bff4d77a2b545d4de29b50a5a0f815 |
| SHA256 | e3a0b7682e7dca39b1152da0aa2a3d65799f72efad3f70f049f5feb2a55ba2eb |
| SHA512 | 0afc94897a5ca0ad6dcf59bf7a4797ca956e051b5cc53a4fe4e097d20b7ebb8c726cecf9e657805c15d7f96b0c76efe691e49e33b4e6362ccae978e2ad343b63 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6dd75cf8191cfcd50f3d2889701408aa |
| SHA1 | 89226e3b81cbc62804943d6ed5205dbdca716d5f |
| SHA256 | c759f9a74cd96cf9c1e77ef27ca840a018bb01a1289340642c794b6807c245e0 |
| SHA512 | 5e15639e4de874a5f593d09a2a5dad9f44f0fb812ec1f9cecd214562779402880338a8ee6a6c3ffa811cb2631bcac5d9b95721cb59cbc62641bc05d136d10013 |
C:\SysDrv9N\xbodloc.exe
| MD5 | 12f25a7475deb27ed1c7ba2abd7760c3 |
| SHA1 | 81432be178d9c134a354ff0cc96fa692d48bfa91 |
| SHA256 | 377ba83ba13124a6838b1c6d595bdedafd8d941394d202a678449a01976481e8 |
| SHA512 | c2c052efac626bf81fb22548859df986096300445a29a77efd85186e8ca4b255812414c4909723ed38053f1db401ccd3a487a75ad0e9bf09a9437b0d9bba44fe |
C:\LabZ13\bodxloc.exe
| MD5 | df281bfeed20966154202479017c5833 |
| SHA1 | 4bf02ba05985093e394a2a23df43add0038675b9 |
| SHA256 | 5413f4323302e1679a11a57735e607bb6ff9d272be4b1c4c1760047c276d331a |
| SHA512 | a99e6ed87160371c89e4227c2f969aede9f83aa0e79fc383e7ec10c798f9bcbda8c8724403693b72590bdd31c583835bb832da6dc5552d02abbd633c705ca590 |
\SysDrv9N\xbodloc.exe
| MD5 | 0e4cb38878c2c505ec13575d8a84d2bd |
| SHA1 | a079cd6035513818481caa033bb0cb215a53a0ae |
| SHA256 | b01df02c15509bf6923f89e1b6554f08ce4404685023fdc8aa6c52c5d8858164 |
| SHA512 | 692e3bb3f3efd9f596ba56a47f5c5f5aa4c2309cd2e450c83d20443b180b7a0792b2e00469b5ebdd188bfd7a1a491880285773c80850023ed4cb67808becffab |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 748c746662193dd8578e8582c0e60212 |
| SHA1 | d1464f3cd8f31ae398f0ffd39061373cbf680532 |
| SHA256 | 84d498c427aa686e10a1820429434396db477c8c72e306dafb4bf7612a3fac3b |
| SHA512 | 5a7176b81f2a8c9a6fb859458a63ebac56ebf8d35bbae818f1d7b89d893ce8a0af46821b824898033240183babfd6fb7170a97da74939caa750f3d5913b45937 |
C:\LabZ13\bodxloc.exe
| MD5 | 17c8c3ec607e7bde76f578a42a8ff54e |
| SHA1 | e5b770eeb4e2a14ba78c8835ad5df63b796340c5 |
| SHA256 | 31ce494f206960539c3891d5e43f43c9ab86cac97eb846a7621748bdab1f4724 |
| SHA512 | bf432cafaf2c4f0c65c96308a737c255ebca82db2adab8ed6171c1e843e170654b27b71d9c56611d4032d514d216388e383fe47bdc6f15618b83d8bad509de5b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:39
Reported
2024-11-13 19:41
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
139s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\SysDrvL2\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvL2\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZH\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvL2\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe | "C:\Users\Admin\AppData\Local\Temp\0dd2f7a0d2c0eacf7beb5d6f636b4f08d529fee96d35f78096f09b2f7aa842f7.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\SysDrvL2\devbodec.exe | C:\SysDrvL2\devbodec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
All nine entries are PTR (reverse-lookup) queries sent to Google's public resolver at 8.8.8.8; reversing the four labels gives the address being looked up (97.17.167.52.in-addr.arpa asks about 52.167.17.97). No forward lookups and no connections to any of these addresses were recorded, the report does not attribute the queries to a specific process, and the behavioral1 (Windows 7) run produced no network activity at all, so treat them as host background traffic until they can be tied to one of the sample's processes.
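The network table above consists only of PTR queries. The following Python is an added example, not part of this sandbox report, that decodes such in-addr.arpa names back to the addresses being looked up, rejects malformed names, and separates routable addresses (worth pivoting on) from private or reserved space (which can only be local noise). The query list is copied from the table above; the routable/local split is the only classification it attempts and is not a verdict on whether the traffic is malicious.

```python
import ipaddress
from typing import Optional

# Constructed input: the "Domain" column of the behavioral2 network table above.
PTR_QUERIES = [
    "97.17.167.52.in-addr.arpa",
    "2.159.190.20.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "58.55.71.13.in-addr.arpa",
    "212.20.149.52.in-addr.arpa",
    "198.187.3.20.in-addr.arpa",
    "82.190.18.2.in-addr.arpa",
    "0.205.248.87.in-addr.arpa",
    "29.243.111.52.in-addr.arpa",
]

SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name: str) -> Optional[ipaddress.IPv4Address]:
    """Turn an IPv4 reverse-pointer query name back into the address it asks about.
    Returns None for anything that is not a well-formed four-label in-addr.arpa name."""
    name = name.rstrip(".").lower()
    if not name.endswith(SUFFIX):
        return None
    labels = name[: -len(SUFFIX)].split(".")
    if len(labels) != 4:
        return None
    try:
        ip = ipaddress.IPv4Address(".".join(reversed(labels)))
    except ipaddress.AddressValueError:  # non-numeric label, octet > 255, leading zeros
        return None
    # Round trip through the stdlib's own encoder so odd spellings cannot slip through.
    return ip if ip.reverse_pointer == name else None


def triage_ptr_queries(names) -> dict:
    """Decode, de-duplicate and bucket PTR query names: routable addresses to pivot on,
    private/reserved addresses that are host-local, and names that did not parse."""
    routable, local, malformed = set(), set(), []
    for n in names:
        ip = ptr_to_ip(n)
        if ip is None:
            malformed.append(n)
        elif ip.is_global:
            routable.add(str(ip))
        else:
            local.add(str(ip))
    return {
        "routable": sorted(routable, key=ipaddress.IPv4Address),
        "local": sorted(local, key=ipaddress.IPv4Address),
        "malformed": malformed,
    }
```

Running `triage_ptr_queries(PTR_QUERIES)` yields nine routable addresses and nothing private, which is what makes the queries worth a WHOIS or passive-DNS lookup before dismissing them as noise.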
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 4ef5191b387f43de314bd085f0d02ec3 |
| SHA1 | 429369272e2c386971a4134214fe4bbcefd092f7 |
| SHA256 | 599408c6a8c5b3365d7278cf7d1ad991bc3c786a7604c63e15a19d0f681e3484 |
| SHA512 | f0b1cba4d000c3227246d6e3993adae88c381be813ec950aa6b983581f747b3284fb6f6ee97fb1f4a752a902185dc51c31cbdb473434617a9b2a699869e880bf |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e7119b409b4859fdeffcab7aaa3b2212 |
| SHA1 | f94f90e12b42ed6dab787e26ad6c6f259fa21085 |
| SHA256 | f40f33394b0cf8610f0fd8d08ba5fdbc4220827c3464ec912e2ce1de13306118 |
| SHA512 | 2b52eacd9a605f8bed864840069e266c331cc9448610847bfe02c91fca63f0fa5cda2802dab1052453498e5b03a23062df41c7dbe392ed2f32e3eb6b8f5533fd |
C:\SysDrvL2\devbodec.exe
| MD5 | 7b5f804a9393a450cb4e7c2386848fe2 |
| SHA1 | 1534b8ff2972d86b385959339db9d695b22347a0 |
| SHA256 | b37633133220c8da5cbb0fedf28c34c15a8840d5b0ffd91ee4908c7bfc4a3b48 |
| SHA512 | eb09b3a238a59cf73600e92e0fb8da0ed25898d8905fda5d7c5042b6e058bfcf20649848ea9953b8fbe5d2c70387e42fec4453e7115d4986008332a3ba967462 |
C:\LabZZH\dobdevec.exe
| MD5 | 5845c2a01d1035a4fafc033ecd7d98aa |
| SHA1 | 66b7873829ebb6155cfa39f7f4c4c1f3cd2d9a7e |
| SHA256 | cba7f4fea9067e658be0b16e1fcdc5eeb8ff4c6375dd74bce3d6efdbdcf606a6 |
| SHA512 | c95afa0d41942086fefbb0d467d78c8686b774dc34f9c1306f2e07c4ef709adfb0609c594aa42a4b05f8d711d134dc0acc38fb56a6755dc625bcafc653f116d5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 570a1423c6a19f53b3f689598989b00d |
| SHA1 | 946c471ea9cea0ee68bba1542fa0b974d89fadef |
| SHA256 | 5e70b8102392a711aa2dc76ee618dc7405d84ba9ede88f58664768c1ffaaeef9 |
| SHA512 | 74cc72c0de886c3a36a320ff4dc0e94eeac335ae1e55d6ac1024bf360a0599fdfacfe612e2888edfb37b230b4285b780696a7dbe5cd0a05b7001dfd3a32dfb59 |
C:\LabZZH\dobdevec.exe
| MD5 | 32a74e32a05cf92791aec97aa74ecd81 |
| SHA1 | 6932d8cded16d823f12748861f6b1a4a65ed0e82 |
| SHA256 | 83610952c62a4a127399a1c5d73c72673ab28debda7ab359c86cdec0a8bb3419 |
| SHA512 | b2a1fba99faa5ae56f52110ae34843b9a024f7db8c0360f2a4e8c078dd9534cdd0c89e4ef9a73ca5320dbbbfa6bad76df59cafc645c59bbd8e0e333d254e6235 |
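The "Adds Run key" rows and the Files sections of behavioral1 and behavioral2 show the same persistence mechanism with different names on each host. The following Python is an added example, not part of this sandbox report, that turns the report's registry indicator strings into hunt-ready key/value-name/data triples (hive abbreviated, SID wildcarded, doubled backslashes collapsed) and then collapses the paths observed in the two runs into globs by keeping the per-component prefix and suffix they share. The indicator strings and paths are copied from the tables above. Two choices are assumptions: a shared affix shorter than MIN_FIXED characters is discarded as coincidence, and dropped files are paired across runs by whichever candidate yields the most literal characters. The `Admin` component survives because both detonations used that user; a run under a second account would wildcard it.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input, copied from the behavioral1 (Windows 7) and behavioral2 (Windows 10) sections above.
RUN1 = {
    "registry": [
        r'\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ13\\bodxloc.exe"',
        r'\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9N\\xbodloc.exe"',
    ],
    "files": [
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe",
        r"C:\Users\Admin\253086396416_6.1_Admin.ini",
        r"C:\SysDrv9N\xbodloc.exe",
        r"C:\LabZ13\bodxloc.exe",
    ],
}
RUN2 = {
    "registry": [
        r'\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvL2\\devbodec.exe"',
        r'\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZH\\dobdevec.exe"',
    ],
    "files": [
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe",
        r"C:\Users\Admin\253086396416_10.0_Admin.ini",
        r"C:\SysDrvL2\devbodec.exe",
        r"C:\LabZZH\dobdevec.exe",
    ],
}

HIVES = {"\\REGISTRY\\USER": "HKU", "\\REGISTRY\\MACHINE": "HKLM"}
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")  # local/domain account SIDs
REG_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
MIN_FIXED = 3  # assumption: a shared affix shorter than this is coincidence, not a fixed string


@dataclass(frozen=True)
class RegIoc:
    key: str   # hive abbreviated and SID replaced by '*', e.g. HKU\*\Software\...\Run
    name: str  # value name, e.g. Parametr
    data: str  # value data with the report's doubled backslashes collapsed


def normalize_registry(indicator: str) -> RegIoc:
    """Turn a sandbox 'Set value (str)' indicator into a hunt-ready key/name/data triple."""
    m = REG_RE.match(indicator)
    if not m:
        raise ValueError(f"unrecognised registry indicator: {indicator!r}")
    key = m["key"]
    for raw, short in HIVES.items():
        if key.upper().startswith(raw):
            key = short + key[len(raw):]
            break
    return RegIoc(SID_RE.sub("*", key), m["name"], m["data"].replace("\\\\", "\\"))


def _affix_glob(a: str, b: str) -> str:
    """Keep the common prefix and suffix of two differing strings, wildcard the middle."""
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    ra, rb = a[i:], b[i:]
    j = 0
    while j < min(len(ra), len(rb)) and ra[-1 - j] == rb[-1 - j]:
        j += 1
    prefix = a[:i] if i >= MIN_FIXED else ""
    suffix = ra[len(ra) - j:] if j >= MIN_FIXED else ""
    return prefix + "*" + suffix


def generalize_component(a: str, b: str) -> str:
    """Collapse one path component seen in two runs into a glob, keeping a shared extension."""
    if a.lower() == b.lower():  # Windows paths and registry keys are case-insensitive
        return a
    (sa, ea), (sb, eb) = ntpath.splitext(a), ntpath.splitext(b)
    if ea and ea.lower() == eb.lower():
        return _affix_glob(sa, sb) + ea
    return _affix_glob(a, b)


def generalize_path(a: str, b: str) -> Optional[str]:
    """Component-wise glob of two backslash-separated paths; None if their depth differs."""
    pa, pb = a.split("\\"), b.split("\\")
    if len(pa) != len(pb):
        return None
    return "\\".join(generalize_component(x, y) for x, y in zip(pa, pb))


def persistence_patterns(run_a: dict, run_b: dict) -> dict:
    """Pair the runs' Run/RunOnce values by (key, value name) and their dropped files by the
    most specific glob on offer; return the patterns that survive across both runs."""
    a = {(r.key.lower(), r.name.lower()): r for r in map(normalize_registry, run_a["registry"])}
    b = {(r.key.lower(), r.name.lower()): r for r in map(normalize_registry, run_b["registry"])}
    registry = [RegIoc(a[k].key, a[k].name, generalize_path(a[k].data, b[k].data) or "*")
                for k in sorted(a.keys() & b.keys())]  # "*": depth mismatch, no usable pattern
    files = []
    for fa in run_a["files"]:
        globs = [g for g in (generalize_path(fa, fb) for fb in run_b["files"]) if g]
        if globs:  # the glob with the most literal characters is the most specific one
            files.append(max(globs, key=lambda g: len(g.replace("*", ""))))
    return {"registry": registry, "files": sorted(files)}
```

`persistence_patterns(RUN1, RUN2)` reduces the eight run-specific artefacts to `HKU\*\...\Run\Parametr = C:\SysDrv*\*.exe`, `HKU\*\...\RunOnce\Parametr = C:\LabZ*\*.exe`, and file globs for `C:\LabZ*\*.exe`, `C:\SysDrv*\*.exe`, the `253086396416_*_Admin.ini` marker and an `*.exe` in the Startup folder; these, not the hashes, are what to push to endpoint search.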