Analysis Overview
SHA256
e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35a
Threat Level: Shows suspicious behavior
The file e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-19 12:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 12:16
Reported
2025-01-19 12:18
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\FilesKI\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKI\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBH\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesKI\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
"C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\FilesKI\xbodloc.exe
C:\FilesKI\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| Hash | Value |
|---|---|
| MD5 | 7539d89cb1c9bd0152ce218ac321c988 |
| SHA1 | 254dad52f4f31a676f2d71c3a767d55d2babf917 |
| SHA256 | 1840a3884c9e862225612cea40d18e7dda1cb45fcff5e300c9c5a53cd60ed04c |
| SHA512 | 49de2c60f6e01e0f9f4039e75bef67fc1a5305100689c3c38c77c63a0c1b606068d90baa85041b69912b76f3ebd862bb49fc581e4b2160d98760f139799dd6f2 |
C:\FilesKI\xbodloc.exe
| Hash | Value |
|---|---|
| MD5 | da8c685170fc4f38c5f7c1c349b90948 |
| SHA1 | ed843ea2a8cff28b9c34e2c823e13a782086bd0e |
| SHA256 | 4fc0767833d8f19ff966d2bf8757dbac659c600ddc4520dc152e8d43267552ff |
| SHA512 | fbe74ae9326e00509a5fd452fe4ed87ddea4d1c71469e1601070814214fff88dc8308e46517e933155ba514bc75a67c5f9b257b947fc16b9e546ccd9e1d588f8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 5ac0ab20a77d12d667cf4d8491725eed |
| SHA1 | 653041405b4fbfef5903d46ab34f1f6322685cc4 |
| SHA256 | e708c26153a3ca2704e0a2e986355a365836e67dcce17e84f05b7fe1b8f85df1 |
| SHA512 | 7388d44b7bdc0430e5a04a81d841c01a58d355c69129f3bb5f4ba509a571639e8aaef589f8116fe57bb1d45bd1976bc001f8e9d2538d6cef3c160d5b8bbe93d5 |
C:\MintBH\bodasys.exe
| Hash | Value |
|---|---|
| MD5 | 7a01fc84f0b87fda93ee38087383d605 |
| SHA1 | a4a46605446df74c8cd532325d2fbe723f7d2252 |
| SHA256 | b2d274c9d0e1149ee6830531c6a2ebe18911728f3c7e1a6871079367ed05bc57 |
| SHA512 | 688086fe7c1bec565df028f8ac90169af4e955e1c4818aed2aadb53aa91048c186016c7765f8ed6cf9dd8c38ecb0554376466181535d59027ed736ef9c38714f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 99bfde0a5175450eba877f77fe1a9a5d |
| SHA1 | 3f75d6579fd2efdb6e4e2ff7c0958585ad74dde8 |
| SHA256 | 3370fad96f9fa121064dd9990d4f6dffd969df185941c4f491e4a571178ea1c5 |
| SHA512 | 7657e9c75a918242373deeee5d8a862a3b8f72db6cf0227b9d69e4512768382b46f29c7c69efc36f37c128f66b610a4c230a87aa32bcdf5d1cb63a1946163606 |
C:\MintBH\bodasys.exe
| Hash | Value |
|---|---|
| MD5 | 091ce6baaf2d0916f9dfa1461237e421 |
| SHA1 | 5902212ceeb2154045b0a0da553e70d84839836b |
| SHA256 | 62d82aa88273576dc8bc487628badc080e5707046f846d8d591f81d64b06476e |
| SHA512 | ce78e389b4871826f4ffc3f9d7319e0544025e916a576000b55e8cc09db59464fd1819ff9a6b3243546dfabdc5b47e99c70c6c95d09481db9e6d6a2621320e05 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 12:16
Reported
2025-01-19 12:18
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\IntelprocY1\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocY1\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6S\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocY1\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe
"C:\Users\Admin\AppData\Local\Temp\e4b058d02c1c1c35027d84adf4069ce77ed72c2c0c23c75ee499fd24f50bb35aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\IntelprocY1\aoptisys.exe
C:\IntelprocY1\aoptisys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| Hash | Value |
|---|---|
| MD5 | 4907d91c3cd06372edd312966055d015 |
| SHA1 | 96a5ec2d8a5538b6ecd60dc836a119dec8420a01 |
| SHA256 | 0e21e042f02a51044c92a40a2209714804fdcc6dbc6a5279a327bc4130a58f67 |
| SHA512 | c3d5a49fc59b6d659d2ae16bc7514440e17c47302a7c92cbcbab636e496af53fbe9906d62fa983727f23eb0781969e160905dcfa9a1b4ecb44a9625a4a4c0651 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 6347c1aef4481f8de8c7ca26a0d60a93 |
| SHA1 | a4e80ffdcd6543ef7de06b96efcc613c5b41e95d |
| SHA256 | abf830d9a6c71a5aebccaec9bbc1f4a46fc12a0242f1d1d834f0083152a68663 |
| SHA512 | 6cdd5c7c40211ed25c79674fb1a73c0aa308a6163aba94de0041f7f24c0b76f993ddb3acfec0d231816de0605f9eb5aa632bb4b591f25b5dd18bcb8e4624ec80 |
C:\IntelprocY1\aoptisys.exe
| Hash | Value |
|---|---|
| MD5 | 346179b206e9ca4b1e0a041fe6570a6c |
| SHA1 | 186cbbbc35c5d5ce8dac76c3dc30bff38998d239 |
| SHA256 | 3e83876fe295ab267347a9a6a8a379670305983063c3a33930ef4bf22fc2916f |
| SHA512 | b608006b986f7051bc997f8187bb5bc73dc9efa8f43516337e8444fbd218425a17d63b2020ed3c7d5a0037429a2be917d19e30468a0dc9df5b9a12b402c398b1 |
C:\LabZ6S\bodxloc.exe
| Hash | Value |
|---|---|
| MD5 | 0e5466a459735caaaea1479439b6dbfa |
| SHA1 | a144f669e0e2ae89f690a1855860ca41db3afc3c |
| SHA256 | 23641d28db9bedd31d936ad1322eca4ee3bec3a674bee7d6f4bef1a1ad9a6d65 |
| SHA512 | 2a1f91c60bb096c16d71b53bb220dc73ab72931556d77086cf00f4482b364fb82df727dc4800c0d96dcbf10bfc283878839c26b601ba17991a1e1c1a0fa66c3b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 89c888beb21abb59a0a0ac19990fdd25 |
| SHA1 | 5a73e2acf68f90dc57191d4ff0dd2fa4beed45ae |
| SHA256 | 0a01a678a41c86bad6e1dd3087232c26eb51155fdafd8dff7019acd8fa06fd30 |
| SHA512 | 25fc6daf55b4bd26cae78cf317c80b415b55521973aa6123511e19de2686427330673d02ae2b5927075b7f5fd020e59fbc9f2a26b50a589138b28d585e909fd6 |