Analysis Overview
SHA256
ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce
Threat Level: Shows suspicious behavior
The file ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:54
Reported
2024-06-03 05:57
Platform
win7-20240419-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\IntelprocSP\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSP\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4X\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
"C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\IntelprocSP\xbodec.exe
C:\IntelprocSP\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocSP\xbodec.exe
C:\Galax4X\boddevloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:54
Reported
2024-06-03 05:57
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
135s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\SysDrv2N\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2N\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxLZ\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe
"C:\Users\Admin\AppData\Local\Temp\ff3f189b0a5160621c23b74632996fe4efa758d071b52101b02c3deb34c071ce.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\SysDrv2N\xbodloc.exe
C:\SysDrv2N\xbodloc.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4280,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:8
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrv2N\xbodloc.exe
C:\GalaxLZ\optixsys.exe