Analysis Overview
SHA256: 314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf
Threat Level: Shows suspicious behavior
The file 314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf was assessed as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-27 21:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-27 21:33
Reported: 2024-10-27 21:38
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 125s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\UserDot0I\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0I\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTV\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot0I\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe
"C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\UserDot0I\abodloc.exe
C:\UserDot0I\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDot0I\abodloc.exe
C:\GalaxTV\dobxloc.exe
C:\UserDot0I\abodloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\GalaxTV\dobxloc.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-27 21:33
Reported: 2024-10-27 21:36
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\Intelproc8J\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8J\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxOY\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc8J\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe
"C:\Users\Admin\AppData\Local\Temp\314fa4e6409723eca6b4878d6ba94918065956769c80106435b80686bcb043cf.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\Intelproc8J\adobloc.exe
C:\Intelproc8J\adobloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Intelproc8J\adobloc.exe
C:\GalaxOY\optidevec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxOY\optidevec.exe