Analysis Overview
SHA256
54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904
Threat Level: Shows suspicious behavior
The file 54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-21 13:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-21 13:43
Reported
2024-10-21 13:45
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\UserDot0R\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0R\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAG\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot0R\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
"C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\UserDot0R\xbodsys.exe
C:\UserDot0R\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDot0R\xbodsys.exe
C:\GalaxAG\dobaec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-21 13:43
Reported
2024-10-21 13:45
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\Files1O\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1O\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4Z\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files1O\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe
"C:\Users\Admin\AppData\Local\Temp\54a9888ad9f98666ade14f7be4a719b0e233e325f39e5ec3f593ed7a724c5904N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\Files1O\aoptiec.exe
C:\Files1O\aoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Files1O\aoptiec.exe
C:\Files1O\aoptiec.exe
C:\Mint4Z\bodaloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Mint4Z\bodaloc.exe