Analysis Overview
SHA256
4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631da
Threat Level: Shows suspicious behavior
The sample 4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN was classified as "Shows suspicious behavior" (no family verdict). The behavioral runs below record a two-stage persistence chain: the sample drops an executable into the per-user Startup folder, registers a second payload under a Run value named Parametr and a third under a RunOnce value of the same name, and the dropped files then query the system language key.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 00:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 00:02
Reported
2024-11-09 00:04
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\SysDrvBA\adobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBA\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1Q\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvBA\adobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe | "C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe" |
| C:\SysDrvBA\adobec.exe | C:\SysDrvBA\adobec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Every entry is a reverse-DNS (PTR) lookup sent to 8.8.8.8, and the report attributes none of them to the sample's processes. They are consistent with the sandbox's Windows background traffic rather than sample-initiated communication; no command-and-control traffic is recorded in either run.
Files
A path that appears twice with different hashes was written more than once during detonation, each time with different content.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | 6013daee45ca2bb82e3dd133e72909a0 |
| SHA1 | d773cfe9ebbe80abaa2f434156ba90f9342e4147 |
| SHA256 | 292594c89640ccf15bf3673d1790532ac1e4b82a75d763ab9d953866c781c7cf |
| SHA512 | 50d8d7f96e6e3a954811523368aa451ceffdc2cec4c73d9a1113caec9447725d6f883f612af6ecf42a55aa783109592ccdf80a3c9a635848a2afff3c41ae9b00 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d852bf295898904f0af68998c841d445 |
| SHA1 | 43b876e910e1838e252693a62bac80897dfbb99d |
| SHA256 | 1b1c23f5f45407adae9c06408f1cffe0c3051403e951070a1092bd7c2286ab8f |
| SHA512 | 1050878cb4c8bbe23a2bb2eb318a5807ba365a0f2237e803f1b5f3274f510d6674870bf5db1f80a2b19f07407ed23dcf0caa6f7c50d12392e2920ef714248fcc |
C:\SysDrvBA\adobec.exe
| MD5 | 2581ec6f6d6f368c9a2a7597fafff1ef |
| SHA1 | ea14efb976ced02d4bfca3d8819b82ad9f8c4ac6 |
| SHA256 | 6339c0cfb2dca3d86cd3d5496a589f305f50acb6ddc44a16acd3f538caf4b77f |
| SHA512 | 1021640cd221f003c5b337887fb961c656d53e53295d12c6e638fe49a2013ea5413f3416ef0efd7ee4ad523bca4f743d8c67f645785d1c96aa845c00e6fef7b8 |
C:\KaVB1Q\optialoc.exe
| MD5 | 03e353ec64c3130c89a25f4f0b487dee |
| SHA1 | 0896d457e466e7ebbcd8a4250233a1fbabe446ba |
| SHA256 | 11df3bca421d7bf2284c15f952bed50f227ee8f1eee7b436571163474ed25388 |
| SHA512 | dd6e51697deee61491d4a01e28451eca7e5696b2eec6be9e90c7281fb38e4b6bc0d8fc568daa6caf65e1c6d5357f7eab026fe7b2755b1dc6f8109ff6c46a341c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ea9f64b5856d26ea5da399834efea6f1 |
| SHA1 | 2abcc65b45e086e93a4b8f4e005440319aca7b8b |
| SHA256 | cfadb2cc052f93c42b757425c13fdd1610b0e9d608a10c436e35687f5bad5edf |
| SHA512 | ea42fec9c8f6abd4cf507d8d017bf576ce18715bd3d34deca4d50a04516d6e12255a550ad1f52d8c538b8e81a969112355613386973d0689d7cfbfa87448f7b4 |
C:\KaVB1Q\optialoc.exe
| MD5 | c0e959c32f555f9fd61499193a13b100 |
| SHA1 | 168baef557e6cdd9bcd9d177daf208112cf61768 |
| SHA256 | c07d5726ee2a3910bd31623b72b375152d0b85df1e89506a9a11959ea461c690 |
| SHA512 | 4b76236dfdc725931fa31da8b63d60c41e21006a88bb242043e50a008245037bb66b683fa2054b0f56addbb561cf28e0dfcd77acfa78db8e146b0a310e576e57 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 00:02
Reported
2024-11-09 00:04
Platform
win7-20241010-en
Max time kernel
118s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\UserDotMW\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMW\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGE\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotMW\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe | "C:\Users\Admin\AppData\Local\Temp\4e1bac6697f6fe7dbdf81b029b335343196dfdf1a45b0bc4736daad5fb0631daN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe" |
| C:\UserDotMW\adobsys.exe | C:\UserDotMW\adobsys.exe |
Network
Files
As in behavioral2, a path listed twice with different hashes was written more than once with different content.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | 0046cbbea71c79d6860359d808025a8e |
| SHA1 | c6ebc350aa55fe4c74c3e23704c2acfe810d8258 |
| SHA256 | 003d688df6f427a38e5bf1602f3ee98fb8521f4cbe5823c40d89627472fcb3d9 |
| SHA512 | 24db24cc0ff81810caff87b3a19c37314ef10f954d2375144ada70e3423761df961d2627c9a34e9afe2687a5e99d35caf0f467517c15d8986a7ffa8b32f63086 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 2916f0739a13a424ed4c9adeea18b2ce |
| SHA1 | 81056ac9d2d6ccf34f6deec0a9a5367b72d3ab65 |
| SHA256 | 4457197ac2143635e6719911f72d5623287b2e96e3fd202eda0e09a8348427b3 |
| SHA512 | 11d19ded905529798795a8efea5153fcfcc713b0e2b7129070d0a55ea5e523bc4b178b041aaf68ffdce16b39de78837edf7ebaa981a4534f504cb1200c14a050 |
C:\UserDotMW\adobsys.exe
| MD5 | e0a6663c0d9371dd7be312577e2ff353 |
| SHA1 | 2170c77afa97037771538f48e99c108b1e1d1191 |
| SHA256 | a505c7f4ed4adaa662b259fa3ee3e7b5cff549fa8cea1992454802712bf509da |
| SHA512 | 4af56bf7761c34aa5cb7ab863e2c41a40f1b370fadfe25882b0ed59d7fe2694500fc4d918b688b1ba29fcf5334e4f60d5bfc55f3435e1a13bad00be752ccedf5 |
C:\GalaxGE\bodxec.exe
| MD5 | d9d9e2f72d0f4839ee6feb448bbecaeb |
| SHA1 | 6d16ae3bc56596a4f332eac963cf3765e97312eb |
| SHA256 | 6b6b4fff12b975220cd3f79e19a59b54276a06351fcf392d1a0abb9669ea6e22 |
| SHA512 | a615e3c2772498055cc0ad873f7b6bbe16c0eff58f14ff5fdcffaf2c6aa07790205066b0ed59eb2a4ce0598e2380b9558a09730e538f3a0a4f3677b9f4d02918 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 55fb4b9fa9c17a71147fd203eb2988b4 |
| SHA1 | 548024c3f48ccd5f8f902b3656081eab34771c5d |
| SHA256 | 7b3a4df6f5730727e9156da2f09c7c732935710293c75f987e8c800eedd27379 |
| SHA512 | 7d6f776e60828ebabf358da653b3fe971678633e6c7ebdeb3b07d96d258434e368ffd55bf28ec5c891633aba639fbb7bbcf76fdef27ac42a8a67d74cc665664b |
C:\GalaxGE\bodxec.exe
| MD5 | 925ce024e8853225a93d61ec9099f0f7 |
| SHA1 | e2a1929ac93b3a70604c8220e8f3bf2fbb70991f |
| SHA256 | a142b15c368bcebd3c37a0f7ef319ad1638b9222464790622dac723a3a7b21cd |
| SHA512 | c07bdb59e1d4bd2b03a29c5a83efc476e7d20475cda21258b0fe16a15f6d5cb4e9686959f491ac79982e90d0e9754906992fabadb2036990517bb44eb132ccf8 |
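The two detonations above use different random file and directory names (locabod.exe vs ecxbod.exe, C:\SysDrvBA vs C:\UserDotMW, C:\KaVB1Q vs C:\GalaxGE), so detection should key on what stays constant: the Run/RunOnce value named Parametr, an executable dropped into the per-user Startup folder, a payload launched from a short random-named directory directly under the system drive, and the 253086396416_<version>_Admin.ini marker file (the middle field appears to be the OS version, 10.0 on win10 and 6.1 on win7, and the last field the user name). The following Python is an added example, not part of the sandbox report or of any vendor tooling: it runs that logic over Sysmon-style events constructed inline to mirror the behavioral2 run, plus two benign events to show what does not fire. The 5 to 9 character length for the random directory name and the list of standard root directories are assumptions drawn from the four names in this report.

```python
"""Detection logic for the persistence chain recorded in both detonations.

Added example, not part of the sandbox report. The events below are
constructed to mirror the behavioral2 run (plus two benign events); the
matching keys on indicators that stay constant across the win10 and win7
runs rather than on the per-run random file names.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str         # "RegistrySet", "FileCreate" or "ProcessCreate"
    image: str        # process that performed the action
    target: str       # registry value path, created file path, or spawned image
    detail: str = ""  # registry value data or command line, when available


# Stable across both runs: the Run/RunOnce value is always named "Parametr".
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\Parametr$", re.I)
# An .exe written directly into the per-user Startup folder (locabod.exe / ecxbod.exe).
STARTUP_EXE_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows"
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Marker file: fixed prefix 253086396416_, then what appears to be the OS
# version (10.0 / 6.1 in the report), then the user name.
MARKER_INI_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\253086396416_\d+\.\d+_[^\\]+\.ini$", re.I)
# Payload launched from a short random-named directory directly under the
# system drive (SysDrvBA, KaVB1Q, UserDotMW, GalaxGE). The 5-9 character
# length is an assumption drawn from the four names seen in this report.
ROOT_DIR_EXE_RE = re.compile(r"^[A-Z]:\\([A-Za-z0-9]{5,9})\\[^\\]+\.exe$")
STANDARD_ROOT_DIRS = {"windows", "users", "programdata", "perflogs", "temp", "inetpub"}


def is_root_dir_payload(path: str) -> bool:
    m = ROOT_DIR_EXE_RE.match(path)
    return bool(m) and m.group(1).lower() not in STANDARD_ROOT_DIRS


def classify(ev: Event) -> list:
    """Return the detection names that an event triggers (possibly none)."""
    hits = []
    if ev.kind == "RegistrySet" and RUN_VALUE_RE.search(ev.target):
        hits.append("persistence.run_value_parametr")
        if is_root_dir_payload(ev.detail.strip('"')):
            hits.append("persistence.run_value_root_dir_payload")
    elif ev.kind == "FileCreate":
        if STARTUP_EXE_RE.match(ev.target):
            hits.append("persistence.startup_folder_exe")
        elif MARKER_INI_RE.match(ev.target):
            hits.append("marker.admin_ini")
    elif ev.kind == "ProcessCreate":
        if STARTUP_EXE_RE.match(ev.target):
            hits.append("execution.from_startup_folder")
        elif is_root_dir_payload(ev.target):
            hits.append("execution.from_root_dir")
    return hits


def triage(events) -> dict:
    """Group hits by the acting process: {image: sorted detection names}."""
    by_image = {}
    for ev in events:
        for hit in classify(ev):
            by_image.setdefault(ev.image, set()).add(hit)
    return {img: sorted(hits) for img, hits in by_image.items()}


def droppers(events) -> list:
    """Images that both drop into Startup and set the Parametr Run value,
    i.e. the same chain the submitted sample performed in both runs."""
    return sorted(img for img, hits in triage(events).items()
                  if "persistence.startup_folder_exe" in hits
                  and "persistence.run_value_parametr" in hits)


# Constructed sample events (not from the report) mirroring the behavioral2 run.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
STARTUP_EXE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\locabod.exe")
HKCU = r"\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000"
EVENTS = [
    Event("FileCreate", SAMPLE, STARTUP_EXE),
    Event("FileCreate", SAMPLE, r"C:\Users\Admin\253086396416_10.0_Admin.ini"),
    Event("RegistrySet", SAMPLE,
          HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
          r"C:\SysDrvBA\adobec.exe"),
    Event("RegistrySet", SAMPLE,
          HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
          r"C:\KaVB1Q\optialoc.exe"),
    Event("ProcessCreate", SAMPLE, STARTUP_EXE, '"' + STARTUP_EXE + '"'),
    Event("ProcessCreate", STARTUP_EXE, r"C:\SysDrvBA\adobec.exe"),
    # Benign noise: a vendor installer's own Run value and a Windows binary.
    Event("RegistrySet", r"C:\Program Files\Vendor\setup.exe",
          HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
          r"C:\Program Files\Vendor\updater.exe"),
    Event("ProcessCreate", r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe"),
]

if __name__ == "__main__":
    for image, hits in triage(EVENTS).items():
        print(image, hits)
    print("droppers:", droppers(EVENTS))
```

Run stand-alone, the script reports the sample image with five hits and the Startup-folder copy with one (the launch of the root-directory payload), and names only the sample as a dropper; the vendor installer's Run value and the Windows binary produce nothing. The same regexes match the behavioral1 names (ecxbod.exe, C:\UserDotMW\adobsys.exe, C:\GalaxGE\bodxec.exe, 253086396416_6.1_Admin.ini) without modification, which is the point of keying on the stable indicators.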