Analysis Overview
SHA256
298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273
Threat Level: Shows suspicious behavior
The file 298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-21 14:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-21 14:08
Reported
2024-10-21 14:10
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocBH\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBH\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBZ\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocBH\xbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
"C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\IntelprocBH\xbodsys.exe
C:\IntelprocBH\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| MD5 | 1b17197225f458814da214ce4200d5f6 |
| SHA1 | a140f9885812260c1d23b7c848148660bde7367e |
| SHA256 | c3f5453883d3a78499e2969aeceb86e8b48b64c78a71d3edd65e500d64b104e1 |
| SHA512 | b44de425486f5e5bf8e4a0b68a147b3a7ea2156e1fdfb8fd5645df1a3d0949c890788dfff9d4e19f8bacf0b51ea8930004a213a64d02f35840b70dd0a37b5cf3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 55e0dbfa6eff772945c470db86c29055 |
| SHA1 | f76162df69191c8f7d193f3fe114225162b435aa |
| SHA256 | b03ba3c418a57c8c295475e0218ff8acbc8a415f81ba27ed9374881db1811aa9 |
| SHA512 | 542a9a8b949511bf2ed1e33b6c040036634d4feb06f60090348825ee2a021f7b2212462dda115d0693cea4bad0d44d4af1710225b017a112f02e988bb161386c |
C:\IntelprocBH\xbodsys.exe
| MD5 | 0ac81f0cf65b0c10b3a47eef0fe8f03b |
| SHA1 | c7581ea428b30139a83c14d058c2eca10db8f679 |
| SHA256 | 456cf555aa941a4b9bde06bee683275d2ffb6d57a9b96d273ac5ebf5408fa350 |
| SHA512 | 59177009c5d964497d74ca7eb7e742391864f4169f1db809fc152e7c19bbb06dfcf3a19276ca24f148908985cb09f16bc93816e368ce60ea96faee4f36895525 |
C:\GalaxBZ\dobasys.exe
| MD5 | f352f380ae889fc106c5cd33d0f394f5 |
| SHA1 | 86a1f5e36cb8a125dc78e4ae2afecbceb51d5693 |
| SHA256 | a77b5c6fdaf62dc9dd33b6abe3ba79d4ab08dea242586b669e6612bf8ccd1bf9 |
| SHA512 | cc8d37edef07224579dd77f8d754422444598ec344e6393af6eaa6b466f60ff68c77130a110370c4120a34dd0fe73434da92c75495b63fda922c4d639a7b8089 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a2c8139958833a967304ac5f05b8908f |
| SHA1 | 897c56e3e6ea8df50be483e6d1d38daa09bd17a6 |
| SHA256 | bdcf91815db69460eea86e529a99b2da9ad2699808e15a71ecb5c6283e8b892d |
| SHA512 | 3729b1d1d71e2719f6543b5e2bf65dca3495801df2cf4307016e06ee79e4b800db7db8e626ab4dc90a907d35054b7190959f93153b7ae3706e203ae8abcd6a62 |
C:\GalaxBZ\dobasys.exe
| MD5 | aac74e8974e0fd5da63b44dd061f80a1 |
| SHA1 | bdcfe26b91d968f331913268a3807ad95fa7a3f3 |
| SHA256 | 18c566d77b99cf75275f1a1c8e0c9d7557ac511d2ac4a4391e8cbe9416ad65bc |
| SHA512 | 100de874a1517b8974e6ee0266f35aa1d234e882667b7ebe55bfe170889c5d3cbf3c68f32b5988d8b4a0fcf7e50143e85d2a7d37789aff13de2aaf9aeadb6f12 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-21 14:08
Reported
2024-10-21 14:10
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
107s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\FilesNL\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNL\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidU6\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesNL\xoptiloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
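The two behavioral runs above record the same persistence pattern under different names: an executable dropped into the per-user Startup folder, plus a `Run` and a `RunOnce` value, both called `Parametr`, pointing at executables in freshly created top-level directories (`C:\IntelprocBH`, `C:\GalaxBZ` on Win7; `C:\FilesNL`, `C:\VidU6` on Win10). The script below is an added example, not part of the sandbox report or the sample: it parses signature rows of the form shown in both runs and flags those mechanisms. The row tuple layout, the `STANDARD_ROOTS` allow-list and the function names are this example's own assumptions; the paths and registry values are copied from the report.

```python
"""Triage of the persistence indicators in the behavioral1 and behavioral2 runs.

Added example, not part of the sandbox report or the sample. It parses
'File created' and 'Set value (str)' signature rows and flags Startup-folder
drops and Run/RunOnce values whose target executable sits in a non-standard
top-level directory. Row layout, allow-list and names are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Top-level directories where autostart targets are normally expected.
# Heuristic allow-list chosen for this example, not an exhaustive one.
STANDARD_ROOTS = {"program files", "program files (x86)", "windows",
                  "users", "programdata"}

# '...\CurrentVersion\Run\Parametr = "C:\\Dir\\x.exe"' -> (Run, Parametr, C:\\Dir\\x.exe)
RUN_VALUE_RE = re.compile(
    r'\\CurrentVersion\\(Run|RunOnce)\\([^\\]+?)\s*=\s*"(.*)"\s*$', re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r'\\Start Menu\\Programs\\Startup\\[^\\]+$', re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe"

# Constructed input: (description, indicator, process) rows transcribed from the
# 'Drops startup file' and 'Adds Run key' tables of behavioral1 and behavioral2.
SAMPLE_ROWS = [
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe", SAMPLE),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBH\\xbodsys.exe"', SAMPLE),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBZ\\dobasys.exe"', SAMPLE),
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe", SAMPLE),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNL\\xoptiloc.exe"', SAMPLE),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidU6\\dobxec.exe"', SAMPLE),
]


@dataclass(frozen=True)
class Finding:
    mechanism: str  # "startup_folder" or "run_key"
    subkey: str     # "Run", "RunOnce", or "" for folder drops
    name: str       # registry value name, or dropped file name
    target: str     # executable that the mechanism launches
    reason: str


def root_dir(path):
    """First directory under the drive: 'C:\\IntelprocBH\\x.exe' -> 'IntelprocBH'."""
    parts = path.split("\\")
    return parts[1] if len(parts) > 2 else ""


def triage(rows):
    findings = []
    for description, indicator, _process in rows:
        if description == "File created" and STARTUP_DIR_RE.search(indicator):
            findings.append(Finding("startup_folder", "", indicator.rsplit("\\", 1)[-1],
                                    indicator, "executable written to the per-user Startup folder"))
            continue
        m = RUN_VALUE_RE.search(indicator)
        if description.startswith("Set value") and m:
            subkey, name, data = m.groups()
            target = data.replace("\\\\", "\\")  # the registry display doubles backslashes
            root = root_dir(target)
            if root.lower() in STANDARD_ROOTS:
                reason = f"{subkey} value under a standard directory (review manually)"
            else:
                reason = f"{subkey} value points into non-standard top-level directory C:\\{root}"
            findings.append(Finding("run_key", subkey, name, target, reason))
    return findings


def shared_value_names(findings):
    """Registry value names reused for more than one target. Here 'Parametr'
    covers four executables across Run/RunOnce and both OS versions, so the
    value name is a more stable hunting pivot than the random directory names."""
    by_name = defaultdict(set)
    for f in findings:
        if f.mechanism == "run_key":
            by_name[f.name].add(f.target)
    return {name: targets for name, targets in by_name.items() if len(targets) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_ROWS)
    for f in found:
        print(f"{f.mechanism:<15} {f.subkey:<8} {f.name:<14} {f.target}  [{f.reason}]")
    print(shared_value_names(found))
```

Two checks worth making against the rest of the report: the `RunOnce` targets (`dobasys.exe`, `dobxec.exe`) appear under Files but never under Processes, which is consistent with `RunOnce` firing only at the next logon, outside the 120 s detonation window; and the Startup-folder file and the `Run` target do appear under Processes, so in these runs they were launched by the sample itself rather than by the autostart mechanism.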
Processes
C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe
"C:\Users\Admin\AppData\Local\Temp\298e3583e5dd80e254d537b98d24c9c0089b08db4008f722c683563f05398273N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\FilesNL\xoptiloc.exe
C:\FilesNL\xoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
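Most rows in the network table are PTR queries: an `in-addr.arpa` name encodes an IPv4 address with its octets reversed, so `10.28.171.150.in-addr.arpa` is a reverse lookup of `150.171.28.10`, the same host the TCP row for `g.bing.com` connects to. The script below is an added example, not part of the sandbox report: it decodes those names and separates reverse lookups from actual connections, so an analyst can see which reverse-resolved addresses have no matching connection in the capture. The row layout and function names are this example's own.

```python
"""Decode the PTR queries in the behavioral2 network table and separate them
from real connections.

Added example, not part of the sandbox report. Row layout (country,
destination, domain, proto) mirrors the table above; names are assumptions.
"""
import ipaddress

# Constructed input: the behavioral2 network rows transcribed from the report.
SAMPLE_NETWORK = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "150.171.28.10:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "74.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "10.28.171.150.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "197.87.175.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "148.117.19.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "69.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.227.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "26.35.223.20.in-addr.arpa", "udp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """'149.220.183.52.in-addr.arpa' -> '52.183.220.149'; None for non-PTR names."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        # Validate via ipaddress so a malformed label does not become an "IP".
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows):
    ptr_targets = set()      # addresses that were reverse-resolved
    dns_queries = set()      # forward lookups of host names
    tcp_destinations = {}    # host name -> set of ip:port actually connected to
    for _country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip is not None:
            ptr_targets.add(ip)
        elif proto == "tcp":
            tcp_destinations.setdefault(domain, set()).add(dest)
        else:
            dns_queries.add(domain)
    connected_ips = {d.rsplit(":", 1)[0]
                     for dests in tcp_destinations.values() for d in dests}
    return {
        "ptr_targets": sorted(ptr_targets, key=ipaddress.IPv4Address),
        "tcp_destinations": tcp_destinations,
        "resolved_never_connected": sorted(dns_queries - set(tcp_destinations)),
        "ptr_without_connection": sorted(ptr_targets - connected_ips,
                                         key=ipaddress.IPv4Address),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_NETWORK)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Of the twelve reverse-resolved addresses only `150.171.28.10` is also a TCP destination in this capture. The table carries no process attribution, and `g.bing.com` and `tse1.mm.bing.net` are routinely contacted by stock Windows 10 during sandbox runs, so nothing in this section can be attributed to the sample from the report alone; the Win7 run (behavioral1) recorded no network activity at all.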
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 1c1d17a26cef2a59a19b29797e34d6eb |
| SHA1 | 668f2f8c10993395f1708b5f0643965d99c72be5 |
| SHA256 | 283139594342fb2aedf485fe2d26ca4d5d8e09680c0a9accc364313ddbe256e6 |
| SHA512 | 07bcfd5fa3c32eb4a05ed0ffc214f1552c65ce737d339568114e729a9f74e39800e1be454425de8497708202d31b8a4ad29e051ac9a1d5eea5117b50b5deea65 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c74fb3a991fd102e060e77e577dc81e9 |
| SHA1 | 6335d37e0a29a829857e5e8d1dab86af2a8fb84f |
| SHA256 | 4c88590da3c9e1b5ce7565a36cac4d84733b4818eaeeb4d4bc304549370c00d1 |
| SHA512 | b776cec75889ec198fc2d020610e4733a2e02a61050f7265a7f78ad2023f7f304175e9996db6b504612acc096832cf0cc20a2ee2f76edd039b0bdff98f4a23b8 |
C:\FilesNL\xoptiloc.exe
| MD5 | 0dba904eb032551427b8718b07e5bab2 |
| SHA1 | 9ec080c8e9a7aedc4d14374832a238826996584d |
| SHA256 | 36e6ad7392b2ceb6957c8b7fc2ad4086601b6e3481516b536b38582cf8852062 |
| SHA512 | f40599249d0c131931d99f83851030073e02b5514964415bb847fb6c85d0d0be96d7e7d08f0a1bb11506368d1b43ab16093898975d25a459a704dc08df58a701 |
C:\VidU6\dobxec.exe
| MD5 | 70f70c4590c0534607615159f37ef26c |
| SHA1 | b5693b41c3141b8f0c1c5fc2005fea75f33fbe5a |
| SHA256 | 5e754484008855b9db6f71232a0cb88627044c26251aa899e9511f6c6411e88c |
| SHA512 | b2810df83f68968b6b30f532afef9c03155d01f9639af8ef4ebc7c14aa319c3d3e2f5dfa46c962caf61fd36e7073832b04556482fb9253ad5e77a47ab68d4bb0 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8d450c5278e69370596539fbb52f1d92 |
| SHA1 | efadf7292de97b659a3a2c25cea75b8a79ab7600 |
| SHA256 | 03c9228c5d513f561a9147a638fd9c792739a1db1c609955add33d60a3b2ce33 |
| SHA512 | 1474e2bef270af34e1afab5b7f5611bc32f19a8e422b6498afa8f7cb844233a0e33ab1522500012a34a543ecdb8f2313d9292b65349e50f2e5d7391d54f32f81 |
C:\VidU6\dobxec.exe
| MD5 | 9301f308c3fb4e2dd4c6bfd6fc04f002 |
| SHA1 | 8735a9dc60eba451fde077f4a0cd5e1bfa0306bf |
| SHA256 | e2694e529b793c267f51ec3b3961d13c7cb85ca8c9ffc8793a43f6555f10b878 |
| SHA512 | 86d189fa6638bcfcfb8fe7d6366a6654458af8aebb592aaf4309ed7c97250e1d8f00f4eea0f78d968cc562b1105e7ea3d48cd5fc21653ead9af7a19c2dd24a2d |