Analysis Overview
SHA256
70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821
Threat Level: Shows suspicious behavior
The file 70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:20
Reported
2024-11-09 23:22
Platform
win7-20241010-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\Intelproc8N\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8N\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax5I\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc8N\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe
"C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\Intelproc8N\abodec.exe
C:\Intelproc8N\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Intelproc8N\abodec.exe
C:\Galax5I\boddevloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:20
Reported
2024-11-09 23:22
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
139s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvMC\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxB3\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvMC\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvMC\aoptiloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe
"C:\Users\Admin\AppData\Local\Temp\70df40d7e8b964b54d367d606864559ca3f3bcb118255c8a6fd41449aeb0e821.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\SysDrvMC\aoptiloc.exe
C:\SysDrvMC\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
C:\SysDrvMC\aoptiloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxB3\boddevsys.exe