Analysis Overview
SHA256
b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81
Threat Level: Shows suspicious behavior
The file b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 14:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 14:34
Reported
2024-11-08 14:36
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\Files0W\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0W\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7V\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files0W\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
"C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\Files0W\aoptiloc.exe
C:\Files0W\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | a0783ffe2820ed0262a17028ec9af3d8 |
| SHA1 | c119e61399b07484f5ca1a2a721311dd618a7dae |
| SHA256 | 4c2747247f35e07d38b17a50a1f529b9ee5fe1087de079f678a2e7f42b2bb291 |
| SHA512 | 73fbfae1bab7f02fa65aa876df84f50c19e720f9b094b88bf52e6ec3fc58276b65b5676176624527f517dbbbea0ea11f5e71b66f6e2a10fa22b1afdcef7ce402 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 903be4fc99a1444568451b93307d29fb |
| SHA1 | 72aad8a3e0e63a2221876a5b057301486f05c385 |
| SHA256 | 4f77de82be5762fde55b0e741acc7175f3b79bb6fb13a5b49cd3d3f245bac639 |
| SHA512 | 5318446cc3b955649808e6b6e7c89296493c447e0b2520943dcdbdbbcf731b66f6332acc24af6b2f8c850e6060697f27ccd916f3bd9c48b91fe3ad34fa341c8f |
C:\Files0W\aoptiloc.exe
| MD5 | 98d1ca7bd82b728e2d51fc7691159edf |
| SHA1 | e587c122c63f7c2da4e2fce902a3eb348f100cb9 |
| SHA256 | d4a904bf30aa5aa6c9d6769ef7555ea4a61b14a53aaaa376ab67c4345bc003d0 |
| SHA512 | f823dcf982b64769214ede8efe9e83fd39c02ee01f184202cf401c96dfbf5af50399ca03411fda1762c2d72fe048848dc09e6241711b44631a3e43992c4be6e7 |
C:\Galax7V\bodxec.exe
| MD5 | a6d9fd51643f775d5f02301c5f90553a |
| SHA1 | fda4f2e6c235a4e2f4274efd781e775d226e8865 |
| SHA256 | 08d478aaa815843e0dc1a7b35d37e9790e1e84d183c770ae6907d324f4a74fd4 |
| SHA512 | 992796719f70cf65573ff576e4cc79d64bcdfba9d7fe9bde5e6efe9534fe05d9e1127b8ee6ac781d75eb54c188699f7515f10e96f43e96f633a3a33f7aaf5935 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | df9606d0686235bb050219cbc80bb5f3 |
| SHA1 | cf88e5bfa8e8e20c04aa28a2ba06a3d0e5446a36 |
| SHA256 | f99d900e55669864b5e2f2ef9f009cace875b04e95b2ee5e7c3429da7b89ed75 |
| SHA512 | c040080da21505ff1184a53dc968b93cb3f78022c5ba9744b5dd266a25473a620dc39e9d625c2a1abbf83f86ac7ebfa9aace0e9ea654d340c99e80a312ec5c36 |
C:\Galax7V\bodxec.exe
| MD5 | c679009ad8c59858c8937025094ad9f8 |
| SHA1 | 483459a17ff5de7d34b83feaeec02ef2c860e001 |
| SHA256 | 6d8b0dedb800f829ae95e04580ddea922396de6d440a4625b1da5dd2c04d0321 |
| SHA512 | 2ee5ffe895d96327c9040b12fea176bb9a773e9041affb3ec8ef69822b9419d50866045ec9ac2c6521928ac17b75f2ac0165ec59b63a406d594aa5c75f89feff |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 14:34
Reported
2024-11-08 14:36
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\SysDrvWJ\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWJ\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAZ\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvWJ\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
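Both detonations above show the same persistence shape: a Run and a RunOnce value named `Parametr` pointing at an EXE in a freshly created top-level directory (`C:\Files0W`, `C:\Galax7V` on Windows 10; `C:\SysDrvWJ`, `C:\GalaxAZ` on Windows 7), plus a second EXE dropped into the user's Startup folder. The `.ini` written next to the profile also carries what looks like the OS version in its name (`_10.0_` vs `_6.1_`). The script below is an added hunting example, not part of this report or of the sandbox's own tooling. It runs over constructed Sysmon-style records (ID 13 registry value set, ID 11 file create; field names `id`, `image`, `target`, `details` are an assumption) built from the indicators in this report plus two benign rows, and the `EXPECTED_ROOTS` allow-list is a tuning assumption, not a property of the sample.

```python
"""Hunt for the persistence pattern in this report: a Run/RunOnce value whose
image lives in a non-standard top-level directory, plus an EXE dropped into the
user's Startup folder. Events are modelled on Sysmon IDs 13 and 11."""
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]
Finding = Tuple[str, str, Tuple[str, ...]]  # (process image, indicator, reasons)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe")
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SID10 = r"\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000"
SID7 = r"\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000"
RUN = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr"
RUNONCE = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr"

# Constructed telemetry: indicators from the behavioral2 (win10) and behavioral1
# (win7) runs in this report, followed by benign rows that must not fire.
SAMPLE_EVENTS: List[Event] = [
    {"id": 13, "image": SAMPLE, "target": SID10 + RUN, "details": r"C:\Files0W\aoptiloc.exe"},
    {"id": 13, "image": SAMPLE, "target": SID10 + RUNONCE, "details": r"C:\Galax7V\bodxec.exe"},
    {"id": 11, "image": SAMPLE, "target": STARTUP + r"\locdevdob.exe", "details": ""},
    {"id": 11, "image": SAMPLE, "target": r"C:\Users\Admin\253086396416_10.0_Admin.ini", "details": ""},
    {"id": 13, "image": SAMPLE, "target": SID7 + RUN, "details": r"C:\SysDrvWJ\devoptiloc.exe"},
    {"id": 13, "image": SAMPLE, "target": SID7 + RUNONCE, "details": r"C:\GalaxAZ\dobxsys.exe"},
    {"id": 11, "image": SAMPLE, "target": STARTUP + r"\locadob.exe", "details": ""},
    # Benign noise (constructed): a quoted autostart with arguments, and a document save.
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": SID10 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\Admin\Documents\notes.docx", "details": ""},
]

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE)
STARTUP_EXE_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
# First token of a Run value: an optionally quoted drive-rooted path ending in .exe.
EXE_PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)
# Assumption: top-level directories where an autostart binary is normally expected.
EXPECTED_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "users"}
# Value name shared by both detonations in this report; treated as a plain IOC.
IOC_VALUE_NAMES = {"parametr"}


def autostart_exe(details: str) -> Optional[str]:
    """Extract the executable path from a Run/RunOnce value, dropping quotes and arguments."""
    m = EXE_PATH_RE.match(details.strip())
    return m.group("path") if m else None


def in_unexpected_root(path: str) -> bool:
    """True when the EXE sits under a top-level directory outside EXPECTED_ROOTS."""
    parts = path.split("\\")
    return len(parts) >= 3 and parts[1].lower() not in EXPECTED_ROOTS


def hunt(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        image, target, details = str(ev["image"]), str(ev["target"]), str(ev["details"])
        reasons: List[str] = []
        if ev["id"] == 13:
            m = RUN_KEY_RE.search(target)
            if not m:
                continue
            exe = autostart_exe(details)
            if exe and in_unexpected_root(exe):
                reasons.append("run_key_unexpected_root")
            if m.group("name").lower() in IOC_VALUE_NAMES:
                reasons.append("run_value_name_ioc")
            indicator = f"{target} = {details}"
        elif ev["id"] == 11 and STARTUP_EXE_RE.search(target):
            reasons.append("startup_folder_exe")
            indicator = target
        else:
            continue
        if reasons:
            findings.append((image, indicator, tuple(reasons)))
    return findings


def correlate(findings: List[Finding]) -> List[str]:
    """Images that both set a suspicious autostart value and dropped an EXE into Startup."""
    seen: Dict[str, set] = {}
    for image, _indicator, reasons in findings:
        seen.setdefault(image, set()).update(reasons)
    return sorted(img for img, r in seen.items()
                  if "startup_folder_exe" in r
                  and r & {"run_key_unexpected_root", "run_value_name_ioc"})


if __name__ == "__main__":
    for image, indicator, reasons in hunt(SAMPLE_EVENTS):
        print(", ".join(reasons), "|", image, "|", indicator)
    print("correlated:", correlate(hunt(SAMPLE_EVENTS)))
```

The root-directory heuristic is what generalises beyond this sample; the `Parametr` value name is a brittle IOC that only catches this family until it is renamed. The `Users` root is allow-listed to keep OneDrive-style entries quiet, so a dropper that persists from `%APPDATA%` would only be caught by the Startup-folder rule or by the correlation step.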
Processes
C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe
"C:\Users\Admin\AppData\Local\Temp\b240abba3624bcbc8f63e0c9b4d16cc4f571ce7c04d9bbc135e67fc25da4fa81N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\SysDrvWJ\devoptiloc.exe
C:\SysDrvWJ\devoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 14eb18cf9d76ed990b80dc1b817c0a0c |
| SHA1 | 1f98653d8c4e053d044873368e6cd0170f4cf799 |
| SHA256 | e3c97a32126c69417825de96248d04d93cc1e93bd079a7497eda83c0492e518e |
| SHA512 | 033b8439c4d7899a3d260635839f3752c27ba9b6ed857aa888bbde9d3e42a798483226941234f67c3cd0a1afdb2d5c7ac45d3a951827801b3471802b54e67f2e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b8814a2b791633755cd8555d168e31cb |
| SHA1 | 91938bfa4c9410f69678bbb92ba22039e399573b |
| SHA256 | 3d38c0629f42977c76c5754baf4f6c589a71a2a3b1ad6e59f544f5916c2edf7d |
| SHA512 | 5bb44331756eace25a7079494b1b03f29a3605c7b8e6c2a3f05e25bdee3de14c26975f3fe40d3ddcab36f5821ddf6797c19bca59dff722605ba913c67f953dd2 |
C:\SysDrvWJ\devoptiloc.exe
| MD5 | 60da257db580d2d6f7a6ac56d1ed892d |
| SHA1 | a2764674e7dca1003b48a4d57acf2cdb18bb9443 |
| SHA256 | feaa1e0cd43a61c39646aeff63950b01546f466bd1d77187383aea8de37c1715 |
| SHA512 | d93455330728dea792754fad1dd001aee32e743823b37a470f00d435911be3e6b61d6186c7cbf864167de350461c059b3f8d12314c9f317bef36717ac65831c9 |
C:\GalaxAZ\dobxsys.exe
| MD5 | 5240b4188a25398ef9b2e86db2bf7e2e |
| SHA1 | efbd6b8ed10d2dbed28819f2683ccfd542b06bb0 |
| SHA256 | 391a35718f08e046d910fc0d37b8801932108a619b46b52589f8ed0b5d6859d2 |
| SHA512 | e11c5512679f417058a0d2e0b5f0b4d7d934b30230d69591a823309c8f98fe404a3660bd356b93031d6faecad8dddc0b568258063d13d236aed23977c8879523 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 620ac2d3b36478b698ec8ec4e6417b8b |
| SHA1 | 2ace3018cf070ece97bd38d7098051f57a87f563 |
| SHA256 | 8b6fdedf1509fe338c7ef0989eea2f3f67174137d11b150965a4099df7dadf6d |
| SHA512 | f63901186e58f65132535eb4034844ff6d5e0c4ff78dad5b7fcd4ef442c1245a32023515b9fe6592859bef17b3e507ce751e8b4095a4db425e84036674e2b64d |
C:\GalaxAZ\dobxsys.exe
| MD5 | 48ab32d98e52a7628838322e365268a0 |
| SHA1 | 254cfb57bb07ecad700b9bba22e08bc06f8c24a8 |
| SHA256 | 898b85fa8a5225d2f989527e207e2f33f4bb6522597229d3fd0148e8acad448e |
| SHA512 | f1f7c3ad1746f300b4d6ee6591fc30a1fc6b73f8a10014814df7cafffa69a5e182c4aa5a92074e60fb7aeaefbb36d3144074d9df3c6b03ee6f95ffd1ead9b8b4 |