Analysis Overview
SHA256
bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602
Threat Level: Shows suspicious behavior
The file bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 22:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 22:23
Reported
2025-01-15 22:25
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\SysDrv9U\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9U\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFC\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv9U\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
"C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\SysDrv9U\xbodec.exe
C:\SysDrv9U\xbodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrv9U\xbodec.exe
C:\MintFC\bodaloc.exe
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 22:23
Reported
2025-01-15 22:25
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\IntelprocBX\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBX\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPN\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocBX\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe
"C:\Users\Admin\AppData\Local\Temp\bd8822057a4cc9bdac2028707e02b620c28867de4491cd5b819b87362cf5b602.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\IntelprocBX\adobloc.exe
C:\IntelprocBX\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocBX\adobloc.exe
C:\MintPN\dobxsys.exe