Analysis Overview
SHA256
5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aada
Threat Level: Shows suspicious behavior
The file 5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 00:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 00:00
Reported
2024-10-26 00:02
Platform
win7-20241023-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\FilesMR\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMR\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXK\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesMR\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe
"C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\FilesMR\devoptisys.exe
C:\FilesMR\devoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| Hash | Value |
| --- | --- |
| MD5 | 57eaaa69b6fc1dd124cdd71748c85f58 |
| SHA1 | e5e8b4a3baa3b5f95318f7fdc468c3ec1fb96612 |
| SHA256 | bbd3e93b2632d2b158c3456c1bfaa81ddeeb6f925576f2cee2642712007b3de4 |
| SHA512 | 08c62159694e3d0e726dd1b872ed1324bc4ed634f7dc99a25c98d9a3b1bd8bcab6a08687de9f369bbe265df51e8e023cf0ae80d6de1b9f8bc518ae4e81f248df |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | e6868883541deb6e10e85b2da2290061 |
| SHA1 | be5c7cf40d6c35a96309b38bdbd4177d33b9a89e |
| SHA256 | 3d3212c91b1b6739440f2e9100b32fc40e73d539aa09415badb3c9e7a2f9e608 |
| SHA512 | b18b5bf683aa083af7a24c644ac8ca979d1032ac1a9850516e64e00a3969f9d8fac5f45d5d9632ddaedd403d48a54efdf1fe20651ed5682de3cb0143ff2b3cfa |
C:\FilesMR\devoptisys.exe
| Hash | Value |
| --- | --- |
| MD5 | 0bd49a657e5fc91e4fa2fbf8b363e06c |
| SHA1 | 9291bb8756ddb6f6e03fd1a003e448df96aa59da |
| SHA256 | 97e5255542851b7b699f7e31a08a451798542d9d96aa99aaf1865a2c9b65357f |
| SHA512 | 7d5144590762a8cb9e83f8a1fcd97144710f5e96c9fba9755c522dcaa3de2ee04881c9f8ff31f7e6a906b65bf2b82f01d47e8a007ebc3db211078f32738beb81 |
C:\GalaxXK\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | ec06c10dde0e6a1928906985f76a55a9 |
| SHA1 | ae987f162131cd5e89cbd75555b6d42b463d34bd |
| SHA256 | 587c204b6f28339a78db5bdb373dae14e22098601d7f0d1959bb87ef258d872e |
| SHA512 | 62a4b3b3736d3c9a379f5c53ee1d6106f3c6992ea150ed203538444414981aa4608e097c0296ea6d355cfdad3beaf2c4aef1793374699c9d5ab8ff64465b0461 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | b69938f0c2558699e802a8e5a2013cba |
| SHA1 | a14cf794c5bc8406631be2d154f94e0fec94a019 |
| SHA256 | 50fbb057a1708296566376678828d4cc27162c2dd3077f1df549f8db3f7a2f19 |
| SHA512 | 651cd073d47d6de36c502aca1dd4d63bbb5d7f890b20f2d5a41eeb0e56bf3c5e27bad6a7d2074b5358073cfb7143d1b73e43164eac5dd6a34b9885559a881a97 |
C:\GalaxXK\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | b6a3be42755c871ed4a546b6cfb8e5e8 |
| SHA1 | 45db3ee8541418f154843d4a791071b3c3c65177 |
| SHA256 | 1b3fa51ede60d19459b442b532eb4b1d11097bb17170bf5ee14f3ea9b861a657 |
| SHA512 | a8da5f15c36d992cfc7ca775a317e0993eb466cea69d4ada5e081faf4966bd49fffeba4f7da600f3f85df157c088f8a8667bf63290d81e9aec5b08b27cd1e42e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 00:00
Reported
2024-10-26 00:02
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\IntelprocKB\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax49\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKB\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocKB\abodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe
"C:\Users\Admin\AppData\Local\Temp\5c17282d3a96eff8e3a8e34a9cc34c68e75cdee23bfa29aecbfdcdaad212aadaN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\IntelprocKB\abodec.exe
C:\IntelprocKB\abodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| Hash | Value |
| --- | --- |
| MD5 | 29cafec35742eb4f263fc2e9aa435ce4 |
| SHA1 | 852fa4458ce069a6019ee0cd03a5a76192b3d438 |
| SHA256 | 5a22d425345300402984feb70199835489f0681e41f410f464c814c1e85b2aa8 |
| SHA512 | 4caf4978be6c2b1de47bdcf2eb3298528dd8d4b9d0ce14965981b3ecfeacc3e032b14b4f03dffad418a3128eaf465013fa07283c20ba487fde6e9bbd3fe2cf01 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | f1907a5d478a487588c04b068f7b6b23 |
| SHA1 | 1187d694cb9e2aea62d39ff06c916f8e71306c50 |
| SHA256 | ff7b5d7bf267af7ebba5d3e5ca9b8660a8e948a2fd8ff633f37824e1035e7299 |
| SHA512 | 3235f22d956fe2cf84986e10a931bbe9f2c32f90bf782aab01c2cf609a533de45c8ee47357b7299ff8c145f06206a8a9a22e4cf579c57a6b59aeba4a7171d8f4 |
C:\IntelprocKB\abodec.exe
| Hash | Value |
| --- | --- |
| MD5 | 7b87698eb8d7761e1c6bddad3ad80eda |
| SHA1 | 6181407de741d5064e0fadd384e930fdeabe76a1 |
| SHA256 | 48c121dbd3e46d495b8596d74f86b4f9011f740314b7d020c99f520932ecd6f7 |
| SHA512 | a392d910a9d9d613daf5b10f750188a303a9f1257a64bb838a105ec71ee1b8c140371be748c352f74dc1a89af4ce6b32e04674e3f0ba1fb63be6fd35c22e78ea |
C:\Galax49\bodxloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 440dfb0f940497006ee2eb56375785ca |
| SHA1 | 3f7cc900f93abd392d8dcd1b23e181ccf738fc23 |
| SHA256 | 2fbb3cdbab13cf6f1d89c962a890175c59e51778ffecb02ae81a048ad8ea6005 |
| SHA512 | 01387350be2ad143b36ed86a50613ed67c577b4b3d81c4cad4068bc9fc92a330645aba86a988cda5c35d01245f6d5a67e9984a6cb9d4a2f9d1dc0a2c2912946c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | c2af623ef0b987bb1a6de7872338c9c9 |
| SHA1 | 2efe7d556690b090194503f31e190832075d46ec |
| SHA256 | a36845491e671d8e9017bb6aad83f6f481e419f748a11e772abfe86940d0a0e3 |
| SHA512 | 71d43c2446fc737d372e96d3fe8354002f0a22d1ae179187786f8f3b997fab3ac08e9462c15b6d003eb1925b3f33375833b496b321bf13f30a4af38c7390c0e9 |
C:\Galax49\bodxloc.exe
| Hash | Value |
| --- | --- |
| MD5 | a5ce20750f18e6b1e35186981c917acf |
| SHA1 | af27d91427cb9ad615767b57241a22be2659f384 |
| SHA256 | 6508ce62c0365c7de1d6fb6763bc786929d38ae49621fc7a1ce3f49c9b0d3466 |
| SHA512 | 30ac4f5c60fa436d916094ecada165983cca8e3b5a6b3c223c78203bf207f9f56eae882d4d31d1dcb8333113898e8e524bd5ede56b642b00804e23f712fdeb2f |