Analysis Overview
SHA256
4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfa
Threat Level: Shows suspicious behavior
The submitted file 4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN (SHA256 above) was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 05:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 05:00
Reported
2024-10-26 05:02
Platform
win7-20241023-en
Max time kernel
119s
Max time network
117s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvJF\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJF\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxYB\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvJF\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe | "C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe" |
| C:\SysDrvJF\xbodsys.exe | C:\SysDrvJF\xbodsys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | c829e99b85636a1f3e167155bfdd7736 |
| SHA1 | 6e26b4765db3f8eeb6e94544deca54d080591a70 |
| SHA256 | 34e08d95c0e3ab9ee06bca072c07f2e8d979deeedc3915243e972c7dc4378c70 |
| SHA512 | 03f70678594310feed8b2970fcefea5601337d9337da05793c0b2ca3c686cb500769960b482fe56c882236c43550654ed7b9698a507678f5c2fd9df985bab489 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1ecbc25943bc6d9a4aeaf3855be9844e |
| SHA1 | 78111024cf275807760fedd395592470c498e2b9 |
| SHA256 | a7360a1067d9d0c10f54eb533099333374087429b9dedefa3b4f0564d8515331 |
| SHA512 | a8146845be09fc96ac1d1320cc14999b8bb5a793305132f12d0cfa86cad7f6c5752543e4d181efda7e4ff92edaacc02ff099429db983b05af916a29d71fe6c4e |
C:\SysDrvJF\xbodsys.exe
| MD5 | e587b144261f00aa7df7638a278643d1 |
| SHA1 | 0ff09b7b91d42a7396cc7676ad2601ed870e3977 |
| SHA256 | 72cb77ee3b82789087292879a709e7850446be32fe84a4b6b7746636effe9ab9 |
| SHA512 | 10ae7930653dbcd76d5d14fa6f411ff972d5be2e3640d86e25b89da81b8ec0538cfea830012586f01b7a73c86f9a37454396530e6309de72be94e2e10f5be6f2 |
C:\GalaxYB\dobxsys.exe
| MD5 | d9314a0638010d5220d99d6790a7b4d7 |
| SHA1 | 3ef322cbab7e1211a05a8813f2f26dbf14204dcf |
| SHA256 | f5a3c7159ddd1aa082416284e8faf93beb784a00cff9af7f8d9db47fdaf90b07 |
| SHA512 | b67d246fcf7c5eddcb56e93fd5b67cf7459d3bf4e950515607d85e1e9d8a47f8fd0dc3d014912203f5f17919165aebaa12e309f6173a790dd48e119671bea430 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 2e2c08667865bbd5b095cbbf3d3d327f |
| SHA1 | f2f5b43a0b5c9953bb846362bac677df408d6afe |
| SHA256 | e8131289944d32da4a9722de132928149857a8df37d8a3422406fa0200044571 |
| SHA512 | 1404c5760c450d0389f014294d2bbfb19e2b43fc38a95fd0ff74a632718c3eccf47345438528547f87daa134358d670ddfafbe6cc8f91065545aec49a7ccc322 |
C:\GalaxYB\dobxsys.exe
| MD5 | ec633609c35f76b7c7ff237e3dd00018 |
| SHA1 | 0245f950cb967358a1d051975f3ad39e85ac8959 |
| SHA256 | 000ef00313cf83032713812aea46b3a4b018482a8e027fc1597502b82484a5bd |
| SHA512 | 1ec7e9875f58ead493398a553ae45f8a253192b1fe8e6676697ba7bee203d3d1d95e0ef9948456a75bbdc5226abee5cd874f2728fb814a9b832a07e2441945e8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 05:00
Reported
2024-10-26 05:02
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\SysDrvBI\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBI\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1J\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvBI\aoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
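Both detonations (win7 and win10) show the same persistence layout with randomised names: a `Run` and a `RunOnce` value named `Parametr` under the user's hive, each pointing at an EXE in a freshly created top-level folder (`C:\SysDrvJF`, `C:\GalaxYB`, `C:\SysDrvBI`, `C:\Vid1J`), a second EXE dropped directly into the per-user Startup folder, and a marker file `253086396416_<osver>_Admin.ini` in the profile root. The script below is an added hunt example written for this page, not sandbox output; it keys on the stable parts of that pattern (value name, location shape, the SHA256 hashes listed in the Files sections) rather than on the per-run folder and file names, which are assumed to differ on other hosts. Run it elevated so other users' loaded hives and profiles are readable.

```powershell
# Editor-supplied hunt for the persistence artifacts reported in behavioral1/behavioral2.
# Not part of the sandbox report. Folder and EXE names vary per infection (assumption),
# so the checks key on: the "Parametr" Run/RunOnce value name, autorun targets living
# directly under a new top-level folder, a real PE in the Startup folder, the
# 253086396416_<osver>_<user>.ini marker, Authenticode status, and the dropped-file hashes.

$KnownSha256 = @(
    '34e08d95c0e3ab9ee06bca072c07f2e8d979deeedc3915243e972c7dc4378c70', # ecdevopti.exe (win7)
    '72cb77ee3b82789087292879a709e7850446be32fe84a4b6b7746636effe9ab9', # xbodsys.exe   (win7)
    'f5a3c7159ddd1aa082416284e8faf93beb784a00cff9af7f8d9db47fdaf90b07', # dobxsys.exe   (win7, listed twice)
    '000ef00313cf83032713812aea46b3a4b018482a8e027fc1597502b82484a5bd', # dobxsys.exe   (win7, listed twice)
    '410fa5908fa622cfb36c1915d4a2d4f4163b154954a9f7c799c72591455ebd47', # ecabod.exe    (win10)
    'f4d5b3e24b01c4e8668e9d18434168f3e764fc98570ea301a08dfbec95259502', # aoptisys.exe  (win10, listed twice)
    '43c434fda9a82e1ff83528f612d34c37b0c4995d3636ba7ccfdac04795aace57', # aoptisys.exe  (win10, listed twice)
    '4cfccf3b57ff9f07132fd56411f1dba791f37982d87b00531122e4caa3f89eb7', # bodaloc.exe   (win10, listed twice)
    '194431822d31a08e814a53df4a6daab3f060df50035dd27f027b08ec904ddf60'  # bodaloc.exe   (win10, listed twice)
)

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# --- 1. Run / RunOnce values in the current user's hive and every loaded user hive ---
$metaProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runSubkeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
              'Software\Microsoft\Windows\CurrentVersion\RunOnce'
$userRoots  = @('HKCU:') + @(Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |   # SIDs only, skips *_Classes
    ForEach-Object { 'Registry::' + $_.Name })

foreach ($root in $userRoots) {
    foreach ($sub in $runSubkeys) {
        $key = "$root\$sub"
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $target = ([string]$p.Value).Trim('"')
            if ($p.Name -eq 'Parametr') {
                Add-Finding 'Run-ValueName' "$key\$($p.Name)" $target
            }
            # Target shaped like C:\<folder>\<name>.exe outside the standard Windows trees,
            # the shape of C:\SysDrvJF\xbodsys.exe and C:\Vid1J\bodaloc.exe in the report.
            elseif ($target -match '^[A-Za-z]:\\[^\\]+\\[^\\]+\.exe$' -and
                    $target -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?|ProgramData|Users)\\') {
                Add-Finding 'Run-RootFolderTarget' "$key\$($p.Name)" $target
            }
        }
    }
}

# --- 2. Per-user Startup folder PEs and the profile-root marker .ini ---
$startupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
foreach ($prof in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    # Shortcuts are normal in Startup; an actual .exe there matches "Drops startup file".
    Get-ChildItem -LiteralPath (Join-Path $prof.FullName $startupRel) -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Startup-Exe' $_.FullName $_.FullName }
    # 253086396416_6.1_Admin.ini / 253086396416_10.0_Admin.ini, generalised to <digits>_<ver>_<name>.ini.
    Get-ChildItem -LiteralPath $prof.FullName -Filter '*.ini' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+_\d+\.\d+_.+\.ini$' } |
        ForEach-Object { Add-Finding 'Profile-MarkerIni' $_.FullName $_.Name }
}

# --- 3. Hash and Authenticode check for every EXE surfaced above ("Unsigned PE") ---
foreach ($f in @($findings | Where-Object { $_.Detail -like '*.exe' })) {
    if (-not (Test-Path -LiteralPath $f.Detail -PathType Leaf)) { continue }
    $sha = (Get-FileHash -LiteralPath $f.Detail -Algorithm SHA256).Hash.ToLower()
    $sig = (Get-AuthenticodeSignature -LiteralPath $f.Detail).Status
    if ($KnownSha256 -contains $sha) { Add-Finding 'Hash-KnownSample' $f.Detail $sha }
    if ($sig -ne 'Valid')            { Add-Finding 'Unsigned-PE' $f.Detail "Authenticode status: $sig" }
}

$report = $findings | Sort-Object Kind, Where, Detail -Unique   # HKCU and its HKU SID entry would otherwise duplicate
if ($report) { $report | Format-Table -AutoSize -Wrap }
else         { Write-Host 'No persistence artifacts matching this report were found.' }
```

A `Run-RootFolderTarget` or `Startup-Exe` hit alone is only suspicious; combined with `Run-ValueName` (`Parametr`), a `Profile-MarkerIni` and an `Unsigned-PE` status on the same host it reproduces the full chain this report recorded. A `Hash-KnownSample` hit is a direct match to one of the dropped files above; the absence of one does not clear the host, since both detonations produced different file contents for the same drop path.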
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe | "C:\Users\Admin\AppData\Local\Temp\4aae49c1596dd8795042796d3970c16e50c2141ed1e5fc0f02bc5ec72272abfaN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe" |
| C:\SysDrvBI\aoptisys.exe | C:\SysDrvBI\aoptisys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 8fa1191f496756a4b03837610ea108a4 |
| SHA1 | f5daed3a9cccc87f0e7500604f7719cd7ae3ff4b |
| SHA256 | 410fa5908fa622cfb36c1915d4a2d4f4163b154954a9f7c799c72591455ebd47 |
| SHA512 | 6eb0240fbab853e8957a1cdeddf6f8adb7ffaf0a77c1a12bef73995f1bb950fcd12e600a797dd5d1f58e9c931cd25789f36f9fbd8def428f8343c63fdcd33c89 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 637629d9916ed7bedf650296d38e405d |
| SHA1 | 73f532a070ff0adcbf3255d26b15844ee2745504 |
| SHA256 | e7d808dce14ca9e815a09fc56b1bd965f0fdb0dc9a284d2167243f2d4191dd14 |
| SHA512 | 94ebce95843673fc2c8017ca446f573efc967cf375a88f869935a613bc95ce0b5892814c87ca93426c42380c4148c56c47315cab200c1fa319e5c9bb7d73b122 |
C:\SysDrvBI\aoptisys.exe
| MD5 | 6f67d9c0b59fd6d0b405952caafc9bb9 |
| SHA1 | 54b45dc282309609cf7bbbb505b045a8064ecdcf |
| SHA256 | f4d5b3e24b01c4e8668e9d18434168f3e764fc98570ea301a08dfbec95259502 |
| SHA512 | f9a366ba7e06dfeadd7bbeaeafb8719c232592d6de83c637ecb4b7ed46da02db859af862e2e1c8279fa710a04e07c9d142cd24b6ec359bd0789ce41819c81b97 |
C:\SysDrvBI\aoptisys.exe
| MD5 | ce0902c6c62b72b4432fdae82541004b |
| SHA1 | acd858a0f904e6362507d9195408e59cf0e1be23 |
| SHA256 | 43c434fda9a82e1ff83528f612d34c37b0c4995d3636ba7ccfdac04795aace57 |
| SHA512 | de7fb1faaa1169fac2618ae903fcc14ad6ef94a012ffd8132cfe3b2d3a1c59b8982bd7eb3ac67234e3ec42e13e61ad71a88e0b72e308ddb39f72838b6e30d5fe |
C:\Vid1J\bodaloc.exe
| MD5 | 22bf1b64ef40a679b09c9acaa6c73296 |
| SHA1 | dd5cc7a2821b0ba4ae5c26e5aae8addfb2646530 |
| SHA256 | 4cfccf3b57ff9f07132fd56411f1dba791f37982d87b00531122e4caa3f89eb7 |
| SHA512 | 3661bf0733c92ca3a06802722039b344fca5207c504905d5193bbe1deab8f667c598d516bd013f209584dbdc8255f4cf9d927387092b8d792c4fdbebe11625a5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9df79012a85345a7d0474fae3f250e79 |
| SHA1 | abe820af610f7f8c88d1e2af8d09a88e8475adfe |
| SHA256 | f29fe5caff6bbc4ab481822e45c82e520cadd91e836b103135d146cada962c68 |
| SHA512 | eb658dcb8d4a800393c6f64c82e998872f11ff6da5699945dc541f82ac5aa1b90ecc892f149275a2b8bd49f359d149f6a06d2f7f192370a70c7158d14bc458ab |
C:\Vid1J\bodaloc.exe
| MD5 | 4fab23e875d8e978183b479fcd42e3c5 |
| SHA1 | b669194a13af73287672067ff9f688b57791a848 |
| SHA256 | 194431822d31a08e814a53df4a6daab3f060df50035dd27f027b08ec904ddf60 |
| SHA512 | 1652c61769aabd10ca2b693dc1df33655e6fa5e6338fb20fcb331fc19dda3af89aa110cd5aa6d3cf34290e2efd59ec2b8740d5c77e41d25b0de14f326ca20ca0 |