Analysis Overview
SHA256
d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2
Threat Level: Shows suspicious behavior
The file d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 03:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 03:52
Reported
2024-10-26 03:54
Platform
win7-20240903-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\AdobeEY\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeEY\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax68\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeEY\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | "C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe" |
| C:\AdobeEY\xbodec.exe | C:\AdobeEY\xbodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeEY\xbodec.exe
C:\Galax68\bodxec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 03:52
Reported
2024-10-26 03:54
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvAQ\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvAQ\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxMP\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvAQ\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe | "C:\Users\Admin\AppData\Local\Temp\d0a29438b688076aca60c0bbea9ec1935c61d4534b586a7b386caa005c0791b2N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe" |
| C:\SysDrvAQ\xdobec.exe | C:\SysDrvAQ\xdobec.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvAQ\xdobec.exe
C:\GalaxMP\boddevloc.exe