Analysis Overview
SHA256
b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd
Threat Level: Shows suspicious behavior
The file b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 22:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 22:10
Reported
2025-01-15 22:12
Platform
win7-20241010-en
Max time kernel
119s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocS9\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocS9\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYX\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocS9\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
"C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\IntelprocS9\aoptiec.exe
C:\IntelprocS9\aoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| Hash | Value |
|---|---|
| MD5 | e8658cba037fdcbf2f171e4a728fec0b |
| SHA1 | 1a6125fa00330b6e1f8550dd7c0e870ad5cc5f54 |
| SHA256 | d2c9fd06736fa8a15bc7b2f6c37cac1796f825d7aeb17824728be1c098ba0041 |
| SHA512 | c9a7b8a74d42823c55bd4f440f3e64a3d4507cbf54ae5ec105571bfe67e1819ffda3afdfbf2532f5928a5de36f592398cb985a149e800b5d6ebffb478f4c56c9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 876b4c7664c9208980c121181c0e34de |
| SHA1 | dbf6f41e703474abe620d67f44723e7427b7292b |
| SHA256 | fd4df50414666392b8484d889ae933c7f2218973db141861fe9dec73d341bd99 |
| SHA512 | 9ba20b1c6bc802d1151807a2812d857907d2bff435f495cac2d3b12c4fd397d8f13eee57fbeb66928ca31e75c32d69b3ab16c48c34e1053c3b2e0ad8190d9256 |
C:\IntelprocS9\aoptiec.exe
| Hash | Value |
|---|---|
| MD5 | be7ee9f7b0f6ee73c6589e6ca578ae1d |
| SHA1 | 714487c7f225df83838c827ce88d92c442e5dff8 |
| SHA256 | cabd3f309e107987a7210147b25ffedc5447768d2b2effdbb4f3bf2b15c4caa3 |
| SHA512 | 2ef5d33d7875584433fa99ec1845e6ca3714c32d9a024e667f5568ae257af9c0683c8e0c403044a6f8eeb52ac804f0fc778fb1ffd09c9b219f07ef63b19a7eb3 |
C:\KaVBYX\bodxec.exe
| Hash | Value |
|---|---|
| MD5 | 35f0309c15d5d1ae5592c565aaabdc80 |
| SHA1 | fb22b3e296287a8b0a89eefd04c3de714d7747db |
| SHA256 | 96e5ce9636af06b8f1681a9c17b4e3a65c76f717b0cecd73ca4c81dabaf92b0c |
| SHA512 | 78b49e3bf6719a976c504a97fbf776e8fefc3c166446406f76f876c7d3afed0315df4a81d89a09e2f99fba09f9c33abe336ffc7d2c4bff9033412f4f49a3499e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 2e0bed29bbc93ff4fa344e74f58605a6 |
| SHA1 | a19ad691b4f2982ff8d1096687d99baaab439390 |
| SHA256 | 5fe4a0a9a8224a91e85a66b7df7f833ad7517c930a642b25f844199622b61331 |
| SHA512 | 136754e48b38f1b8ae86cc01be90f343e2eeac4fc60abad98e1f6b5bcae2dd75af739456160cfa322100e459dbf0bd73d95cf5a5ab2f085ed03181994c48d485 |
C:\KaVBYX\bodxec.exe
| Hash | Value |
|---|---|
| MD5 | f6e575b767ea0bac0360f0075b4fd2ce |
| SHA1 | 9c356f74b5e23680935600fdaa74f47b3c52934a |
| SHA256 | f957cf3c3d3f3fe5aa14bfb38c9cd32bf3b0b5b37f42a29def2024678fe63e56 |
| SHA512 | 51c6bfcb8196e1fcb5a4d94ce2cc7b82a53716da5d6f12392d0bd1e75047c716c71885fbd968ddce13f6ad07f0b3cf6d0eec8391e30228c901a6256c0f77c0b9 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 22:10
Reported
2025-01-15 22:12
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvW6\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvW6\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB9V\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvW6\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe
"C:\Users\Admin\AppData\Local\Temp\b0d2479862dc51226cbc0e9e21d3497880180bc08492ae3b5fd1155ad3586dbd.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\SysDrvW6\devbodloc.exe
C:\SysDrvW6\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| Hash | Value |
|---|---|
| MD5 | 041b65493b4fd1140945ba00c1967a9e |
| SHA1 | 59026f559eea45e692d768706ba4402e7014c748 |
| SHA256 | e811a89d28e8c3357db0440182595b86d4aab08918713438344a343a04e9378b |
| SHA512 | 3e344046394b7f68bee66a8b5d245d16b47a18c5dc1fbf133b233b4ae308e1ba1229dc32ea9d8ec629f57a386209a2dfa74748a403ae2cf0f00050d33147b7b2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 9dd40a36f71984a5df766ea41a508636 |
| SHA1 | b3ed8d894dc94965d9905283b2c9e7f1bc9a4505 |
| SHA256 | 7e03e0ffad9ae86be6f8b50b550cd7d5415ff5a19ed041f9f31a0b3755469452 |
| SHA512 | 9b2fe7136a2d0129b91ca1c3247bf8dd3383eab3d410a4bc3fb4d242b2234847490da2f5eef85c9055480e2cec4a3c131e64eb74fd7096365a75e6e88800704e |
C:\SysDrvW6\devbodloc.exe
| Hash | Value |
|---|---|
| MD5 | 613b48f2f05d06983c5e0b9c5cdc5ada |
| SHA1 | f05ec43439058d64c316493be81a57276a073018 |
| SHA256 | e18a292b6db63e81f49fe9988bfa84e52cab132239153481527dc1f191013842 |
| SHA512 | 32ae452c8251c70bb83be06f31f13ae601617cc129afc7dbc0770fa82f253a650691415b87d525332630f624c3142b635ec53559ff0442e278146d78128c58ce |
C:\KaVB9V\bodxsys.exe
| Hash | Value |
|---|---|
| MD5 | be370eadb2d8a1fa776878a357d0ba48 |
| SHA1 | 78b8f9f0e33db180c2c07b4655fce9797d723cde |
| SHA256 | e29f838a0a344a49700909f698316fc91be81d03583735a0bdd4b98e7c279f3f |
| SHA512 | 99ddf60da8f5c56c085e929aab4ad40992a1d932f1555c9c062d9eb12c97bfb5d001eefb1be210664f3343b8f8348abfda0ba00e08989451594ab265bbebf614 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 1fbb4821962f32ec9045f1b1943e361e |
| SHA1 | a8a2378bea4da80c465305930ebc04a6d21f1ff4 |
| SHA256 | 6882f54ff901f671fa80bd7054b75526fa35f67805ec0a31773d24a73fca01a0 |
| SHA512 | 8ee203c79ed1c4befc81d74890d09a5e3fb87633d2c56e34bb78c4c2c3367e95279713f998f90151367ddf7122f57cb5b6edb708ace1d1da00a25e5fcebdd3f8 |
C:\KaVB9V\bodxsys.exe
| Hash | Value |
|---|---|
| MD5 | 000c23ccac4cebefa8fc996a1429cd2e |
| SHA1 | 1b589c665c35920250418f8e77f262766b7c2536 |
| SHA256 | d4326a980d59950e4cc40fcf4ea5ca9b2129bbce5bf7d08217dfbf7e8640471f |
| SHA512 | 83e52b6782fb378a36e90d9015f0168f2f288bff0b06846033c7ecd795fc39794918fa23d3624d8b74dd4cb1a236fb359f5b8b274f12a649bd524d8b3bcf5cff |