Analysis Overview
SHA256
286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87
Threat Level: Shows suspicious behavior
The file 286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 22:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 22:38
Reported
2024-10-25 22:40
Platform
win7-20241010-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\SysDrvPB\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPB\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxK1\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvPB\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe
"C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\SysDrvPB\aoptiec.exe
C:\SysDrvPB\aoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | cfbecf7a4fbae3e0d3818b0a5a634260 |
| SHA1 | 71b5b43a9a6e4b64361c236594219d6886224da1 |
| SHA256 | fba182327b76b327b55bb30a2cbd55ca529c15dfc019108b3e4258fa17235572 |
| SHA512 | 909ce8cc6ccfeef8ecc2123228279cf7ff2d8d11dcd73b58523e2f3e7c12efe980125574172af29502184e3f34f75a8f7136b1c8d1cca605bf26b6e9f185898d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ce4089f5491c6aadc8a1ec2194109f61 |
| SHA1 | c13df4dc9e25bd8dd8785f789dea80d8cb2b11b2 |
| SHA256 | 371c7948b34cc3812ca7b3900dc287c5f2d8b2d5879e3aec609e17310ae334ca |
| SHA512 | 46488c2a831fc034dee1edf714b0f6fde2a2cf652bfcf61e27c6d3f86f865e7f6930f594e84710f2273da8f6adc3b00b6b50b774ebd4990052c8aaa6f06d44a6 |
C:\SysDrvPB\aoptiec.exe
| MD5 | 4d7f0b98b0e58a6d9bc7b5e3ee1dc473 |
| SHA1 | b3b814dc1c4dfda49e4a6ceda883776c3f545955 |
| SHA256 | 115885ad0cc3b8f85a4da336635dc7da09bddabfdc2006b42294066ceb012fce |
| SHA512 | a456c9281c39aaf89e8f09a4de3e060b96fdb64647fbcecf1cf3902d7e67e6194dd5ed5d08efb24383f558c55280973a6518e75ea2625b0bc3db1f9d73fa101e |
C:\GalaxK1\dobaloc.exe
| MD5 | cf3eca02230e95e5c22dd3c68330ef97 |
| SHA1 | 529400a76e989fb48e3c91644af461f585ad33ff |
| SHA256 | 438b57de560690408caebf83b4a59e4125acbf6ae1607fa71b5762acee0369dd |
| SHA512 | 8caf14a52a0d120de11b28eaef2dadf371b53a86ef6b13c61963b63311bc3c37f3577853dac6cd11a4ae947b4f2a3e93bf558d3fb8f365d4756c14feed91c2a4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ab2c4bd05a73dcd7c363eeaca49cfd57 |
| SHA1 | a7c4dc6d60eb7882eef1b0591912118bceeb7f76 |
| SHA256 | ec24e57ae628ba2268596c1a48e2ac4bef3b991bca6794380b7aa12aecd57591 |
| SHA512 | c745e3e186c4137d6b0245f9b7bb3e693b83573f49c0ce912df108f059b2efdd2e37303006b59d901233276d7ffb7937ffa80407bd094dee1a995ec4bcb1823a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 22:38
Reported
2024-10-25 22:40
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
109s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\Files0T\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0T\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNA\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files0T\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
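The persistence rows from both detonations (Startup-folder drop, Run and RunOnce values named "Parametr") are the part of this report a responder will want to turn into hunt logic. The following is an added example, not part of the sandbox report or its tooling: it parses the signature rows exactly as they appear above and applies two triage heuristics. The EXPECTED_ROOTS allow-list is an assumption made for this example; the report itself does not classify directories.

```python
"""Persistence IOCs from the 'Drops startup file' and 'Adds Run key' rows above.

Added example, not part of the sandbox report or its tooling. The rows below
are copied from the behavioral1 and behavioral2 signature tables; the
EXPECTED_ROOTS allow-list is an assumption made for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

REPORT_ROWS = r"""
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPB\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxK1\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0T\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNA\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe | N/A |
"""

# Top-level directories under which autostart targets are normally found.
# Assumption for this example: anything else (C:\SysDrvPB\, C:\GalaxK1\, ...)
# deserves a second look.
EXPECTED_ROOTS = {"program files", "program files (x86)", "windows", "programdata", "users"}

# Matches the sandbox's "<key>\<value name> = "<data>"" indicator format.
REG_VALUE_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')


@dataclass
class Persistence:
    mechanism: str              # startup_folder | run_key | runonce_key
    location: str               # Startup folder or registry key
    value_name: Optional[str]   # registry value name, None for folder drops
    payload: str                # executable launched at next logon
    process: str                # process that created the entry


def _cells(line: str) -> list[str]:
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_rows(text: str) -> list[Persistence]:
    out: list[Persistence] = []
    for line in text.splitlines():
        s = line.strip()
        if not s.startswith("|") or s.startswith("| Description"):
            continue
        desc, indicator, process, _target = _cells(s)
        if desc == "File created" and "\\start menu\\programs\\startup\\" in indicator.lower():
            out.append(Persistence("startup_folder", indicator.rsplit("\\", 1)[0],
                                   None, indicator, process))
        elif desc.startswith("Set value"):
            m = REG_VALUE_RE.match(indicator)
            if not m:
                continue
            key = m["key"]
            mech = {"run": "run_key", "runonce": "runonce_key"}.get(key.rsplit("\\", 1)[-1].lower())
            if mech is None:
                continue
            # The report escapes backslashes inside REG_SZ data.
            payload = m["data"].replace("\\\\", "\\")
            out.append(Persistence(mech, key, m["name"], payload, process))
    return out


def _root_dir(path: str) -> str:
    parts = path.split("\\")
    return parts[1].lower() if len(parts) > 2 else ""


def find_unusual_roots(entries: list[Persistence]) -> list[str]:
    """Payloads that live directly under a non-standard top-level directory."""
    return [e.payload for e in entries if _root_dir(e.payload) not in EXPECTED_ROOTS]


def shared_value_names(entries: list[Persistence]) -> dict[str, set[str]]:
    """Registry value names reused across Run/RunOnce for different payloads."""
    by_name: dict[str, set[str]] = {}
    for e in entries:
        if e.value_name:
            by_name.setdefault(e.value_name, set()).add(e.payload)
    return {n: p for n, p in by_name.items() if len(p) > 1}


if __name__ == "__main__":
    found = parse_rows(REPORT_ROWS)
    for e in found:
        print(f"{e.mechanism:15} {e.payload}")
    print("outside expected roots:", find_unusual_roots(found))
    print("reused value names:", shared_value_names(found))
```

Two points the heuristics surface: all four registry payloads sit in freshly created directories directly under C:\ (SysDrvPB, GalaxK1, Files0T, MintNA), and one value name, "Parametr", is reused for both the Run and the RunOnce entry in each run, which is a convenient pivot for a registry hunt across hosts even though the directory names differ per execution.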
Processes
C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe
"C:\Users\Admin\AppData\Local\Temp\286ea5dba03fee3eb1116fc3c83330e39e13482fca98be41974a2246d6e2df87N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\Files0T\abodec.exe
C:\Files0T\abodec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 70d0a323947a9d580cf86413a9b66eb1 |
| SHA1 | f91df4f0a75b51c60bd60426ce0dea7db365c322 |
| SHA256 | a9c3063769efcba2877bcaac5178b655c20db79fe8754c6af98f813bf92ff508 |
| SHA512 | 69487350794688d574a476f8a63dc26e1c95d49378eb80e6459983404716aa221a32b095e5a00130693c318b87ad4a83fe093335d0cc906b31270d55372f54ae |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d815b323e1939c4e4c92141f12982a0e |
| SHA1 | 9448b2e2ce3a3b2e80da2d6abdbcbe1fc0c6deea |
| SHA256 | 8eb99c21d5745e43665c4849da6bf57dc31517e2dcc6670dc41c95cb4a6708fa |
| SHA512 | 6dd5eb959b929788f55d153e2b7eccdf88ac4632703a914cea79cb0237ce188bfaad6436dde2b08f476e9609f2472894f476426519655887bd92991e4ca67305 |
C:\Files0T\abodec.exe
| MD5 | b94320cd188882fbaf3b90789b048b1c |
| SHA1 | d40c6e2fae1f37411d526a865adb0881f7b6ca13 |
| SHA256 | 66d6c585db6b7ce283d472ad050fc57d51e2b7644e5a806f53077d7655cb4580 |
| SHA512 | 0589756e742657a5b63f7fef78ff9591c629dde1cb7a37882b2700fd32df11d4e9beedd8586f94995a57a6c35b1a371f61498c66946256687afbba3b680ad7af |
C:\Files0T\abodec.exe
| MD5 | cd08d649923b6b3acac5be5c65ce53a3 |
| SHA1 | 8522c611e01c5898ae97b5a55e980351d880308b |
| SHA256 | 48c8a8e8dd40556e4ffada8d5368e4c54071f1d4d2588a85d0d9b1be9a2276d3 |
| SHA512 | 92c86ecfd1707345c95412925c8a596fa8a18b7a8f6563cdc6a3308399b152c9efca4e10d7315034334bcffa66ff5f6d5ed5fdf3f693884fe910480871007c08 |
C:\MintNA\bodaloc.exe
| MD5 | 57e00d79103438c4b9da89de96515538 |
| SHA1 | 61c6f0f3e069842275f7cf4b999c0edad6a54b16 |
| SHA256 | 85ec673c2ebaf4bfe753cfed5302b85c0732af5a04424e8a7d0a55b4ce148b8b |
| SHA512 | eee8e70e581f7c21bd035e03c934dd13c71634d4e9d6ecefe5f6ab3b007ec388a493448f9e5723b0761bf978cff179b6c9a457196e0897e82a8a03fa1466f446 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b76054aa8228bb20620cace6d8d39509 |
| SHA1 | 3c1b7967356dd998c7831032cc3a74f7b2a489b4 |
| SHA256 | c94991e43dc24b17e254d862515463d519ef8a6c9f9de896a3acdb943db90133 |
| SHA512 | 1813a8dd3b6879cebd2e453b88c7141d41359922f3f2ceca836e5b24cccb1c4597a981682e7c78be5277a91f731e55930ad21b9bdf321747cd72ec768881f922 |
C:\MintNA\bodaloc.exe
| MD5 | ec6dcb5f2beea0b90b71e80e42f82c40 |
| SHA1 | 0f4d6a651092f503dfa475ca1c4c2c14de5fc707 |
| SHA256 | 54d026845a524f7fe3a1b706bb9dbf01f91bc487c3f9211af6dc2d2b7e071dc6 |
| SHA512 | a66530612077f50ee3d66ea25ae7b0edc5956d876d1a689c10d074cc877d79e85d18c6279d4534739db1eadcbb379773ea6f65d3b5122dc2bd02fe85a867d04e |
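The Files sections of the two detonations list several paths twice with different hashes (the .ini under the user profile in both runs, and abodec.exe and bodaloc.exe on the Windows 10 run), and the .ini name changes with the platform (6.1 on win7, 10.0 on win10). Both matter when the hashes are turned into IOCs. The following is an added example, not part of the sandbox report or its tooling: it parses the hash tables above (only the MD5 and SHA256 rows are reproduced, for brevity), reports paths rewritten within a run, and generalises per-run paths into hunt templates. Treating the N.N token as an OS-version field and "Admin" as the sandbox account name are assumptions made for this example.

```python
"""File IOCs from the 'Files' sections of behavioral1 and behavioral2 above.

Added example, not part of the sandbox report or its tooling. The hash rows
are copied from the report; SHA1/SHA512 rows are omitted for brevity.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

FILES_SECTIONS = {
    "behavioral1": r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | cfbecf7a4fbae3e0d3818b0a5a634260 |
| SHA256 | fba182327b76b327b55bb30a2cbd55ca529c15dfc019108b3e4258fa17235572 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ce4089f5491c6aadc8a1ec2194109f61 |
| SHA256 | 371c7948b34cc3812ca7b3900dc287c5f2d8b2d5879e3aec609e17310ae334ca |
C:\SysDrvPB\aoptiec.exe
| MD5 | 4d7f0b98b0e58a6d9bc7b5e3ee1dc473 |
| SHA256 | 115885ad0cc3b8f85a4da336635dc7da09bddabfdc2006b42294066ceb012fce |
C:\GalaxK1\dobaloc.exe
| MD5 | cf3eca02230e95e5c22dd3c68330ef97 |
| SHA256 | 438b57de560690408caebf83b4a59e4125acbf6ae1607fa71b5762acee0369dd |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ab2c4bd05a73dcd7c363eeaca49cfd57 |
| SHA256 | ec24e57ae628ba2268596c1a48e2ac4bef3b991bca6794380b7aa12aecd57591 |
""",
    "behavioral2": r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 70d0a323947a9d580cf86413a9b66eb1 |
| SHA256 | a9c3063769efcba2877bcaac5178b655c20db79fe8754c6af98f813bf92ff508 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d815b323e1939c4e4c92141f12982a0e |
| SHA256 | 8eb99c21d5745e43665c4849da6bf57dc31517e2dcc6670dc41c95cb4a6708fa |
C:\Files0T\abodec.exe
| MD5 | b94320cd188882fbaf3b90789b048b1c |
| SHA256 | 66d6c585db6b7ce283d472ad050fc57d51e2b7644e5a806f53077d7655cb4580 |
C:\Files0T\abodec.exe
| MD5 | cd08d649923b6b3acac5be5c65ce53a3 |
| SHA256 | 48c8a8e8dd40556e4ffada8d5368e4c54071f1d4d2588a85d0d9b1be9a2276d3 |
C:\MintNA\bodaloc.exe
| MD5 | 57e00d79103438c4b9da89de96515538 |
| SHA256 | 85ec673c2ebaf4bfe753cfed5302b85c0732af5a04424e8a7d0a55b4ce148b8b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b76054aa8228bb20620cace6d8d39509 |
| SHA256 | c94991e43dc24b17e254d862515463d519ef8a6c9f9de896a3acdb943db90133 |
C:\MintNA\bodaloc.exe
| MD5 | ec6dcb5f2beea0b90b71e80e42f82c40 |
| SHA256 | 54d026845a524f7fe3a1b706bb9dbf01f91bc487c3f9211af6dc2d2b7e071dc6 |
""",
}


@dataclass(frozen=True)
class FileEntry:
    run: str
    path: str
    md5: str
    sha256: str


def parse_files(text: str, run: str) -> list[FileEntry]:
    """A path line starts an entry; the '| ALG | hex |' rows under it belong to it."""
    entries: list[FileEntry] = []
    path, hashes = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) == 2:
                hashes[cells[0].upper()] = cells[1].lower()
            continue
        if path is not None:
            entries.append(FileEntry(run, path, hashes["MD5"], hashes["SHA256"]))
        path, hashes = line, {}
    if path is not None:
        entries.append(FileEntry(run, path, hashes["MD5"], hashes["SHA256"]))
    return entries


def rewritten_paths(entries: list[FileEntry]) -> dict[tuple[str, str], list[str]]:
    """Paths that appear more than once in the same run with different content."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for e in entries:
        seen[(e.run, e.path)].add(e.sha256)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def path_template(path: str) -> str:
    # Assumptions for this example: 'Admin' is the sandbox account, and the
    # N.N token is the platform's kernel version (6.1 on win7, 10.0 on win10).
    return re.sub(r"_\d+\.\d+_", "_<osver>_", path).replace("Admin", "<user>")


def ioc_summary(sections: dict[str, str]) -> dict:
    entries = [e for run, text in sections.items() for e in parse_files(text, run)]
    return {
        "sha256": sorted({e.sha256 for e in entries}),
        "md5": sorted({e.md5 for e in entries}),
        "templates": sorted({path_template(e.path) for e in entries}),
        "rewritten": rewritten_paths(entries),
    }


if __name__ == "__main__":
    summary = ioc_summary(FILES_SECTIONS)
    print(len(summary["sha256"]), "distinct SHA256 values")
    for t in summary["templates"]:
        print("path template:", t)
    for (run, p), hashes in summary["rewritten"].items():
        print(f"{run}: {p} written {len(hashes)} times with different content")
```

The rewritten-path check is the caveat worth carrying into a detection rule: when a dropped executable is overwritten during the run, only the final hash is what a later disk scan will find, so every hash the sandbox captured for that path should go into the IOC set, not just the first one. The templates are what makes the .ini path usable across hosts; the literal path from either run would only match the sandbox's own user and OS version.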