Analysis Overview
SHA256
95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44
Threat Level: Shows suspicious behavior
The file 95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
|---|---|
| Reported | 2024-11-09 01:18 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-11-09 01:18 |
| Reported | 2024-11-09 01:21 |
| Platform | win7-20240708-en |
| Max time kernel | 119s |
| Max time network | 16s |
| Command Line | N/A |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\UserDot68\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot68\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxES\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot68\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes

| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe | "C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe" |
| C:\UserDot68\xoptisys.exe | C:\UserDot68\xoptisys.exe |
Network
Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

| Hash | Value |
|---|---|
| MD5 | d9245070145e6b9bef2051362f7ec7e1 |
| SHA1 | 967d89e46717de5d2636bdf33fca76518f5071af |
| SHA256 | 5027010129cd490ec576a5ed049ed13d951f463500788d6170c8aaae86c549c6 |
| SHA512 | 3b25cdba46cd781e6eab152946f9096c17aafe74332d5871d8bd35cfdf4a5a3498f0a602997e34de64c61360456066162974a187102c884f2c8dc78918fd063b |

C:\Users\Admin\253086396416_6.1_Admin.ini

| Hash | Value |
|---|---|
| MD5 | 61a4e943e276350e545472f356346ec6 |
| SHA1 | c2372693a7a18974b818b6a3f478f3573d766e3e |
| SHA256 | 039a88244cd4c0b30cd3d701a96c9f7139194e08ca58407158533f06ad4866f8 |
| SHA512 | 27b0d726ed9b8319b664615064bb1aefda5430cd978572e0d2e6c2c5fef878e795789fd7de0c3a5ba69065d58bf6db4c1e6371e959da5da48d141dc1cd4d7455 |

C:\UserDot68\xoptisys.exe

| Hash | Value |
|---|---|
| MD5 | 161250e1362ef11bfd3e438648bf4e4d |
| SHA1 | d9578c45ce6738d9e2702f2679baadb09b633080 |
| SHA256 | 4ceb7e47ba3eebe7536d747ff0fba4c523cad3b517c3f170ec47955ac8613134 |
| SHA512 | 4edf8b020292b77b8af1b7d8b9bc28a48c4c55bb4f9e0ae30367620d604445493355fd43d45fc558d431fa75b55c3989d5d37462c765988b1f5f0fbbb439d953 |

C:\GalaxES\bodaec.exe

| Hash | Value |
|---|---|
| MD5 | e3c26f88b14df08468774142942efd79 |
| SHA1 | 3c68474d943567be9a949aeb7e84596060ff2039 |
| SHA256 | f323527e6dd64a5705c54fed7af93a3f6b4eccbba8c4e7a547aae005be1767c6 |
| SHA512 | bc7c9de747fc0a58bda64369869aa6362c0f54266b6f1a0ecad18469808494c9352d024ab97445a7957a554632a5dfcd0490d44acd199e3e3287de9cb34341eb |

C:\Users\Admin\253086396416_6.1_Admin.ini

| Hash | Value |
|---|---|
| MD5 | b68f5cc85a7ff2ea0eeb772160bc1574 |
| SHA1 | 22fccb8b7b1df7ba732d707fe476561a82b6e263 |
| SHA256 | 4a07c9e9dfe835c6df1e8c8c7b55a0c0b3a9bfa3f948893743916ae284326763 |
| SHA512 | 3f0ababfa58fe400dc0e02cf512f189cf8f81a144a23543810a0dde99a3b91cb5af8215d6c6b3e9c0d12c36167a18da1610a0588d4ad3d2252a1ef3757bd3498 |

C:\GalaxES\bodaec.exe

| Hash | Value |
|---|---|
| MD5 | fb338a55370167b7e886f48e20bf12ef |
| SHA1 | d4d98dec886f2e89d2460c28bb75c670dea30870 |
| SHA256 | 289a0488d65b14038e6e35755cc3ca09ba1d37e2533bd909b8f899267157c7ae |
| SHA512 | 60b657d7cecad71f4c606c0c314883aaf8b2632e0181b64189a1b3abff0d40d31a9d3d76567549320ac43552b4942da6e22a9dedac5bf97ecc42302e66cafb82 |
Analysis: behavioral2
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-11-09 01:18 |
| Reported | 2024-11-09 01:21 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 119s |
| Max time network | 102s |
| Command Line | N/A |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\SysDrvBI\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBI\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1J\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvBI\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes

| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe | "C:\Users\Admin\AppData\Local\Temp\95dcc5e3a6bf530a899db61f3470e9fa3c91272fba8c1145b73c5af0fbc5fd44N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe" |
| C:\SysDrvBI\aoptisys.exe | C:\SysDrvBI\aoptisys.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

| Hash | Value |
|---|---|
| MD5 | 0c8a0688f878fcaad50f65aa0b711f0d |
| SHA1 | 3e6662bd0dccca83ff896310feea526299391092 |
| SHA256 | d35815cb148eca996b1e2643747ecd02ac65825d1872f84500b659f7056e49cd |
| SHA512 | a706ef08bc6df4f705fe67fa4f3ce5a6bf596300bbbf3191ca29ba3110f6d63a68551ccb1df946aea3bcbe6815913299e3d9758f442bdc9ca4a115eba9c713d4 |

C:\Users\Admin\253086396416_10.0_Admin.ini

| Hash | Value |
|---|---|
| MD5 | 637629d9916ed7bedf650296d38e405d |
| SHA1 | 73f532a070ff0adcbf3255d26b15844ee2745504 |
| SHA256 | e7d808dce14ca9e815a09fc56b1bd965f0fdb0dc9a284d2167243f2d4191dd14 |
| SHA512 | 94ebce95843673fc2c8017ca446f573efc967cf375a88f869935a613bc95ce0b5892814c87ca93426c42380c4148c56c47315cab200c1fa319e5c9bb7d73b122 |

C:\SysDrvBI\aoptisys.exe

| Hash | Value |
|---|---|
| MD5 | 61e4951a16d686bf9a8cec7c03af7864 |
| SHA1 | 25638802cb84d3018e444dc8b9605007fb2c0211 |
| SHA256 | 25c765a42754444ce6edf29060ea95a29492bf9f113b10b959eeabc41708782b |
| SHA512 | 0280de787dc0cedddd65f9eb7bd3bc0488b2138e3e900d0e41e8bfa525b6e8e0313340e82642341e008db4999773d42292224b85a230bc8de18912de7a30bc78 |

C:\Vid1J\bodaloc.exe

| Hash | Value |
|---|---|
| MD5 | 416928fa85ef9d1ceb1dbc79b3978a68 |
| SHA1 | b69cd2842b6ecca0eb41d84b46ab623e0300b541 |
| SHA256 | c2bb4431e228e3fe144e347ebdca2c97bf5817cf9c670bbcdff6ce5e4ca3e52a |
| SHA512 | dd14010960b9be521799b222d3c3bda43a413aee939534d18601afd1eb96840163ad6de4e6912ba5e295b6f6521a38602f01a8a8d11c5bb6da0cca9d3d453333 |

C:\Users\Admin\253086396416_10.0_Admin.ini

| Hash | Value |
|---|---|
| MD5 | 9df79012a85345a7d0474fae3f250e79 |
| SHA1 | abe820af610f7f8c88d1e2af8d09a88e8475adfe |
| SHA256 | f29fe5caff6bbc4ab481822e45c82e520cadd91e836b103135d146cada962c68 |
| SHA512 | eb658dcb8d4a800393c6f64c82e998872f11ff6da5699945dc541f82ac5aa1b90ecc892f149275a2b8bd49f359d149f6a06d2f7f192370a70c7158d14bc458ab |

C:\Vid1J\bodaloc.exe

| Hash | Value |
|---|---|
| MD5 | 2fecb840201439bae032905f19e829ff |
| SHA1 | db450f8d3f7bf34c690d3020b38507d5565f026a |
| SHA256 | 84c16653b8f40f45502e5c70c58465eb23959ccac01e070935ead6e52b8dc8c5 |
| SHA512 | 4c4d4da7fff9b05f28e39262a69975a3c1976b4f2230cd47f142c393670158220ced18fd2d3e86cb7cf6dff2866c1298c1e90c0f10e9861cfb53cbf12a13d5fc |