Analysis Overview
SHA256
e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4c
Threat Level: Shows suspicious behavior
The file e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:30
Reported
2024-11-09 22:32
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\UserDotPR\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPR\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxNH\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotPR\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe
"C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\UserDotPR\xbodec.exe
C:\UserDotPR\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| MD5 | 943ca681c9ad1a398c7c05a0bf21d807 |
| SHA1 | b87fbafea1f18711a90ff618b1c8a35fef190d99 |
| SHA256 | dd5e07c49a7e91dde46b6aae63077a7dcb1239fc9de5c1253bbbbf686e7ab894 |
| SHA512 | a5986134a904445a1472d96b09f792d1efa8f1793ebc85d6bfc9ea89f6ff682d94bbee3fd2874d8388bda8c1a335227ea40e4ce25a4e20f20db9472d8f6c8d0c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6ad53dc10b9505d448db0d79c8c16d91 |
| SHA1 | 24654f6f5c53589d04f807e212362fea8fc07e7c |
| SHA256 | ba95283170b40e9a8ad6d63aead9d2ce6f019c16731c49cd43498f1917bc61e9 |
| SHA512 | e86d27b0602cd0f3c21ab6500ee9fb21e8186781c007c6b8b77abf7a38435d4ca585b372cbfa9ec8589671d08cd5e014ce63f25af472eadf6e124d98cf78330f |
C:\UserDotPR\xbodec.exe
| MD5 | 09b614686f256471c7b36380ae0c7e3c |
| SHA1 | 8766ecb5e75abc48e0cc6a958703bc4b7836ebbc |
| SHA256 | e61c2e24a33e3fc3fa45bc27a02a33eafa83ed0b6f023a325a9d2831a76b43d1 |
| SHA512 | 0ea945c51d36ff6f6c4228841a3696608e91bef5d4c3028056582ea8d3bc2f51b0aa16718c6186ff5cde26597d20d51ba9cd9f0639e13fd1e09f093a3f5b1624 |
C:\GalaxNH\dobaloc.exe
| MD5 | 61b013756117288eb26d262287574961 |
| SHA1 | c319fd4d38ed240a0ad1002326b209376c7a491f |
| SHA256 | 6e4c1b1040d0df9f65adf3f36c9411d00625197984841a70bea15f4e45c4a3f1 |
| SHA512 | d82adc3d0e2c6ebf65720800219694b5bfc7198491ee9e1d0d967deead397c6f5557b7bf171ae11c99a43f1c58f7f4e8493db42be1fdf8bf0dce1ce70c7ac1a7 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 814dd6128aca22748cd6a43f8d374560 |
| SHA1 | ae3c1ef1e6c3d4ccd854fedbbfbca57fd5b42b21 |
| SHA256 | c597a2c31edf11f838c7fdd913c842013151da7876e721d2aaaa3b865dd8cdda |
| SHA512 | 1e4695aee42715e7081c994ac82553e252d0d46e11b4c3b251724ca87be907087430a2f7277142353e8fb738cbb522e6d92781676086f57549d6ef4402b3f8f8 |
C:\GalaxNH\dobaloc.exe
| MD5 | 25cb0bffa59027cda96bf79493c885eb |
| SHA1 | 874bc1ac539dda470d424100552795e968ccce96 |
| SHA256 | fe5a3fcf1e85904aa5afd953f692b3ebb793fa774e2b836731e2b9c4dd321172 |
| SHA512 | a9594d0bd3436770ea9bf6071ddce77c7e041fdf1e6b3b87f60f4509b2ccf66d13e9f90c2b7fcb8459eb9015f39167abe8a20193c282e89abf70d9c302eb2e78 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:30
Reported
2024-11-09 22:33
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\UserDot4V\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4V\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPW\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot4V\devoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe
"C:\Users\Admin\AppData\Local\Temp\e66802df648a842467c9f6e5268c66a09cc0c006b59eb8f63346f07d9d2ddc4cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\UserDot4V\devoptisys.exe
C:\UserDot4V\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | 2e0f99a58ed5c78dd96a2e1a52d38458 |
| SHA1 | 2d2be2bdfb32f7884799628f6189db40807fe75f |
| SHA256 | 40c9a60a1f388a5a8ce88def5c203dad6f5d692cc70c86231e1e01a1eab8880e |
| SHA512 | a2d35d909f60386b13172024876fb08adef6a3dadf4e313f5bc581719d03ab84ee6fb3203f6ce6c0bd48cfd7c7f7430416a35c6efe9253c19b80bb19df7826d1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e0feadccc398fedc13ef5aed0d16cf64 |
| SHA1 | 1e96dee723d0f7aff93ff692ffbad50f5f1a778d |
| SHA256 | da4a6056099c3b19c91ce32ef49b2df87c8f3ba892acf6f98ec61cf77c11cd93 |
| SHA512 | ffd5d6fe57f21bfc8db819a3117df605da7c246ca01033d6a8a32e0d50c7a57502b92bfa266533fc9d6501d0b379e995d865521bd44a61a1bdd8efbd593c4356 |
C:\UserDot4V\devoptisys.exe
| MD5 | 56a49b496da6c6c4cc278d2c2b004675 |
| SHA1 | aca0a7ddbf0d113a2ba4a2da7ebb67b4c59b0041 |
| SHA256 | a6c4f5058a80c6a470f9d83bf05af1c92ef962e4071c4d7f7e463adc613fe69a |
| SHA512 | 4943c0a913be52a7c71c7ca361cc8d54dc1036d1cf2ad6322392da69bd40eaf8939d88b002e0483f6c513100d0a9c948d23e03206089275ab3dd3f55dbfac29b |
C:\GalaxPW\optixsys.exe
| MD5 | 44184877d8f4f4bd69fc66c5b1b5a40f |
| SHA1 | 64d4c5179e391fd8fe76971609438352826ef7b5 |
| SHA256 | f9fc92c851582b3c3826beb3ebf03278702e9dcccf7f81980b29656a3177eaf5 |
| SHA512 | 1a065935e95789c6c3e24d08b07b4a51649f79e78e7417dc076dbbf6abe024b24a4065a9419baee8949e338c82411d3fff62f334a74fdc3a69f8609dde825394 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 28ba45e942beddae3a5d612d366c2f0d |
| SHA1 | 1d742cc155bbf95204574c2d17909cb7ac8de141 |
| SHA256 | 9042f2509dc565878fef83fe5496f7a1bacbff333190c3516d3e79177df10c25 |
| SHA512 | bf0124de8075341a4a8cee912377f3233a04565004f3d64d608306f93af97d68eb82dd29d00dab77efb883343df730f10b8d9d91c96fc7d0e1ed8a6d11da84e4 |
C:\GalaxPW\optixsys.exe
| MD5 | 3915f7d69b0ba972b5568fb165b5d09d |
| SHA1 | 1ffd4779c35b28f585efb61f1dbbb0ee6c0d2405 |
| SHA256 | 8e60bca18638d9a90636ffa76bf5fcc17881f01d97b5393d756393c868ee02dc |
| SHA512 | ffb54165a1e2bb4383802254fce662cd87bce943de7641479d77b9a8a501bd26774cc154d5b5c6dfaf7e28748ef6ae6ed26cd1980e64f630c77fe7539ef5c267 |