Analysis Overview
SHA256
d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6f
Threat Level: Shows suspicious behavior
The file d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN was assessed as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 13:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 13:42
Reported
2024-10-27 13:44
Platform
win7-20241010-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\Files3A\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCM\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3A\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files3A\devdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe
"C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\Files3A\devdobec.exe
C:\Files3A\devdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Files3A\devdobec.exe
C:\GalaxCM\optidevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 13:42
Reported
2024-10-27 13:44
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
104s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\UserDotWI\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotWI\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6J\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotWI\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe
"C:\Users\Admin\AppData\Local\Temp\d6cf2469446fe94ca50af65547a3a83637242ee198ea8ab67806937f056e6c6fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\UserDotWI\xdobloc.exe
C:\UserDotWI\xdobloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotWI\xdobloc.exe
C:\Galax6J\bodasys.exe