Analysis Overview
SHA256
aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87
Threat Level: Shows suspicious behavior
The file aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:40
Reported
2024-11-13 19:42
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\FilesQY\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQY\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidIZ\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesQY\xbodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe
"C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\FilesQY\xbodec.exe
C:\FilesQY\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | 041ecb5ed8d2c5c1c790e354f4279aff |
| SHA1 | 13e90180b5f02271a386d098f2d3c661dea9640c |
| SHA256 | 7fac1f3183feef7d569c5ac154633fac03a2174f35f4c476cba02615d73ac863 |
| SHA512 | 9baf8fc58eabc6436c0382c48bf777673795642a2940e9b90511cb7a6b6dd465e323ec8921d6f26243b3207caca7263e83c372e2a439959ecc3498d94f5d5ef4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 369b11ec1eed313114422aacbe782647 |
| SHA1 | e2b01eccc6a03529a79799dd1cafb96bd878841a |
| SHA256 | 14278b994949159775099ebcc7a18ad9f7780b5e8e4e53548534192743fddc7c |
| SHA512 | 61efeeb3d0b0fa0853fbc934c3009932fb4c343a6abb0593cc20f8ba60be75dd63ddddc1a734ef3dc3912627f70d32a3c56b46e05553f2292b319874d35a0e3e |
C:\FilesQY\xbodec.exe
| MD5 | 72fc26999b94e0d93fe0f77d1c04a34e |
| SHA1 | 692fe6fff7ca9755c78d7e5b284a6fc5ec88f48a |
| SHA256 | 0d353fe47bb59be97a51339e0b24eaf2318a41c378acd4f7e4860f8dad443b96 |
| SHA512 | c92b1a5ac81fc4c5efc06966808c52314908a7c3b1f1e618ba6f70c5f51d140d5a39967e56be564bd82fdbc2d17b1c839c7a2c2df122a0ee9f69786c8ee9065e |
C:\VidIZ\boddevec.exe
| MD5 | 4eee51d9d0323fafe8ccbceb161c20c6 |
| SHA1 | 15ea6c95d189bfc88a30fe304d86480ecf6307c4 |
| SHA256 | 6f10d20d58dd0786bfebde73967430232ec2bec3d235f816f647273b1642f113 |
| SHA512 | b3b8a65af5a3f64a36ffd96829a068f9826c96e5c9ce9c1e18ee39e00a53d440ae1193c7519c1d50d483c2350d6af3159ed8d6c6e33b6e60b9725594befd27a0 |
\FilesQY\xbodec.exe
| MD5 | fdbde67ab632ce76337fdefe1fbc19b7 |
| SHA1 | a1d7c19ec64b2374114b16876286acf5f9290f7b |
| SHA256 | 1ff1eca6442ccc34515fd115ee95723c44ef78540814a8d5330eb936eb81d824 |
| SHA512 | af7d79146a89a8f6ebc55d9b3a9782657c0205e170700da8e372a919d12b3ff1040ae2307e802b3f9175844564c06e17d08201b2934b63a2f09b19df9b822795 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ce0973a2a81103345cdb6b5aeb03066a |
| SHA1 | 7dde1081ec289267f8eea3d8d839086f5955c73b |
| SHA256 | f2f79ee5562f6212408ed17d650030ac67593293569a246ba02b11c35b642b57 |
| SHA512 | 1612de212a4f8df5d77ac09f4f277a745e2bb17c45525ab6da02525852f4e3529f401b0f7fb6111f9e8cc0666de41f876c17588e12ebcd7d58f1a29b105935f6 |
C:\VidIZ\boddevec.exe
| MD5 | 120cdbf0db8e7248ffdbec5496eb801a |
| SHA1 | 934a92eb1985dd6777c24eff972b0b2e4b41da0d |
| SHA256 | 416d8517af978d7eebdf584896c74ffff191ee6912e28bafa5b988c5402956ad |
| SHA512 | d7d5b6aec3d86b0d00783258811e00763469163228661c743f5f5f03a72c9f267764c3d23421a73c6774b9cbdf2094c09621cb783527c67f12e537029fc24c71 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:40
Reported
2024-11-13 19:42
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\Files7F\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7F\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxUI\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files7F\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe
"C:\Users\Admin\AppData\Local\Temp\aab4bc1f2224872c6062135833fb65077ead0138fafd0b18c4883da406f73d87.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\Files7F\devoptisys.exe
C:\Files7F\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | 0604121c12f583c6470fc3a9e3b563e6 |
| SHA1 | 9ab92104c55fe47bfad6221c90bf8a2e3ed1aaa0 |
| SHA256 | 2f3f804340efdf7759ba52cb57dcdff045045e509f682c2bfe22ddb9eb7091e0 |
| SHA512 | 8bed319e2f64f89a5989217776ee99b9f3e9869200f38f9cf08c8e612bd1a2d4e17aed28a407bc196ff4bff83eeae846a316e90c2372be8ed1057baf85e0de2c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6b950199e5c33bc275627c82a86340de |
| SHA1 | 9252f8936b5f24e1f160056e335ac56ad414fd45 |
| SHA256 | 681c07c326c173d2c67763184b9c282141f70aa2f508b1eeea9db99030d65d11 |
| SHA512 | 0ae4a09e37bb11daa65218dd1816531936df32427955de19d1f667857096e2e109509561ea9d16b5fca4599f429e1e2df2aabe44e4636be3d44670f860ba113c |
C:\Files7F\devoptisys.exe
| MD5 | ce91c1d8bf77278ffdcb62b3fc120b90 |
| SHA1 | 42d9c74be50eadc1fabf34269f99d9ce92b4e323 |
| SHA256 | ea1e73ef31dbaaa666efd0c5afe11328641671001103b4cc12b01fd014f87176 |
| SHA512 | d355200e4dd00a6938fd34c54c9c87f0a7f0dc7df69634ad1966c85e728e4b35f722e1485b76280a41eb21f3b7253ceff70894c286742a7dfa11eadb6cfce7b5 |
C:\Files7F\devoptisys.exe
| MD5 | fe81099a79cdbdae789e0be8dc6fa449 |
| SHA1 | 223372b3890a364448115e6101f2e74f301178e3 |
| SHA256 | 2cc6c543fbdc0319be9e92b838ae0b40b6a7463678c0074e99ff60da887ab684 |
| SHA512 | 1102b810b520dbb2b638756cf0bcf2610cf8ce47a3c67c8a2b1900442087142a59b967091ade0a090e56e1dabaef4764ed230eeaa842a535b1714d6ac0c4b48d |
C:\GalaxUI\optidevsys.exe
| MD5 | ff622d0cf61b2d1cdc157092a56455ba |
| SHA1 | 0c2c01175503933b97dd98db59caac8efbeb34cf |
| SHA256 | 386e38895b6aaaa12339800de399a4d38ce8f7283f1cf77f2b5d65ecb82f1b3e |
| SHA512 | 8728d7a8dcb914acfededdf5899fdbfcda902f711538f7877d1fb76b8a37fb8da30fbf1079c190b470c0bae50727d29d13f775e9ecdb01d800f98f4e6d9bedc7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 21b677537c99850566b0797be6ca9891 |
| SHA1 | e695c55f6199ea87945d6588f8fd4e8b61024bd3 |
| SHA256 | ffdf07004a05186781cb9425124086080b2efb1c67e3289faf94e82336e09a1a |
| SHA512 | 2b62aff0920e556a26ba646044c62b5c178a2ad6fb3e8ed4837bdb068846388fb1ff92903aa36f9b18792a079c9a3da83a28dbe3276fb94d8ee61a04f8329549 |
C:\GalaxUI\optidevsys.exe
| MD5 | 9066f9da2f6e14f558228b695e72cbf2 |
| SHA1 | 91038a2a5cdbee686253b1163db1462b67afdc3e |
| SHA256 | afcec9da3d6ab02251f8cfb55fdbb99d8a48092388bebeb354a5ecbedcca04c4 |
| SHA512 | 41a27889d2f9e9fe12ceb02ebb86a9a7b9be8a9c8b34ddf510ffdc5876880d78e33cc31be4832bd57fa4af876e75459907f209f89f94d42328c4aa001f56117d |