Analysis Overview
SHA256: a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296
Threat Level: Shows suspicious behavior
The file a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-10 01:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-10 01:14
Reported: 2024-11-10 01:16
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\FilesUK\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUK\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBB\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesUK\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe | "C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe" |
| C:\FilesUK\devbodloc.exe | C:\FilesUK\devbodloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | e4024362eb652a06070821275d5035aa |
| SHA1 | a4ea65e8e3a806e8c547fb8a1daabe54dc7f406e |
| SHA256 | 9d2d08dce30526fc21caba559bfeceb64bff8d3554975570b384a778ccc8f438 |
| SHA512 | 0b2f4536161294255b1c0cff78060cfd23ddd3af6e2ada322ccbd0f2cd4681ec1efd576a268c8859c83471b354e3c2a246959e3aa30e2401a6a1ef64d7877bd4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 4f5fb3557d573fba44907ffaa63a9b20 |
| SHA1 | 0b4f22d841340068fbf14088d41bd47c54cdfa90 |
| SHA256 | b53636fa04581d2ad74f8dc63d3ade1ff0bc0c76eea325eb390d135ff0c15f08 |
| SHA512 | 3d49933cd76431504cf4ca99f70961eeed9738dab7f37ca20f8d6b043c69d98f63e1625aa07ff89c655e7e66354bf7a3e3ac39db2f1ee8d2a721c8d9e51769fa |
C:\FilesUK\devbodloc.exe
| MD5 | 712990f9e312be469474680548f3ad00 |
| SHA1 | 0910efe97a4c8ae73c52197fc4335d45b01100d4 |
| SHA256 | 241edc23f13bb2901598b00d0649acd26b2886fa7cf5a844fde68efe649959d5 |
| SHA512 | 2eb46490979a8faaa4e4b2084d4eb7e5194a1d24de9099b3a5ab610e9e806c0dee55b07af6844577c72c510be5c5c4963b1e3c0c07d1956cff6f92f871f01c03 |
C:\GalaxBB\bodaec.exe
| MD5 | 1ba95bcf7dbe6582b6a7dbd911dd706b |
| SHA1 | 95afa39720af5c8ad93f74921ca5409642a30b80 |
| SHA256 | f995c0ef214915d01dae82794c0327d03331ab0f45a155adafd336a6ccb47b32 |
| SHA512 | 4d629f4a40fef836a983ea93db44a3daac63f44cc903f13db8b75ae055f6f34ad7a46ccc2d4c0dc07319ccc2b80a74c3f2d1f254cfc171945db5825277ecd7b9 |
C:\FilesUK\devbodloc.exe
| MD5 | 58cfccc8b8cb14fa679d4dd71fd69b47 |
| SHA1 | 8f0488c301023ab177ee2e805ea1d5818120701b |
| SHA256 | de96f3684c3525c6a0e67b3ec36a788de31011fc57409466e11137e1d3d33e9c |
| SHA512 | a5a2b53d5edaf78d54b8a253e80b4a7bff6ba94dcc8b932e64527e37d839f576e2a88a2c8e8be84fabb1d44a00481893889f6a12a9a67a6f53f6e7e14c082add |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0a627ad159310e7d7d25089d7effa533 |
| SHA1 | 05d65d04efa4b1922b3bd10d2c11ee043cc340eb |
| SHA256 | 29a0d423eebdccf3297fd35ff934150f66382e432aff201829e1425251663342 |
| SHA512 | b4ef9b6ed048cd364fb9feeb2dfbb750e7d31165c1eee1ba5e5bbca4a886472f835948fc5fdd32992c795af03e37645e4c8830964f7b5c66049cc655103bea0a |
C:\GalaxBB\bodaec.exe
| MD5 | f68d4844821bece741add55e091a1d07 |
| SHA1 | 2cd1edb6fa0a021e2778886647e9b56667466e90 |
| SHA256 | 0d37e87a0871e5ce55f703162b7cb8f7bce06b62e8c82bc6324e56ecd972cfe6 |
| SHA512 | b87d0fb526d3e8cba5ba10e695556ae7b582d8c1958a3bbfedf2ecc03f00362c9b88725c332436b160bf4fbd9c786e07b492dc791b5b21a77126475b049de4cd |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-10 01:14
Reported: 2024-11-10 01:16
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 136s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrv00\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv00\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT1\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv00\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe | "C:\Users\Admin\AppData\Local\Temp\a39bb494f11fb3a17541fab567c84638afd537b8e9ca530f64e36033b1270296.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe" |
| C:\SysDrv00\xoptiec.exe | C:\SysDrv00\xoptiec.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 241f682e557746445054ec1aae95cf80 |
| SHA1 | a772c8affd08be56da03cbd7c8c1f0713bae91a2 |
| SHA256 | 06b60b883755d8b0aecf74a4562e30a1c6731f8cc1bb87e90b72afc049345d5c |
| SHA512 | 57ea8098b55a4fc352c7c5d1c8bbdcd789eb0d99ac87d698f53387e9d5de202c012ae650e5fd122d682a76a5aee982eef59250a08eb4377827900a56e0f32334 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | cfe262e905918b197fecda1a1a0bde8c |
| SHA1 | 87a2aae98e839911f138cb6ee09afb99bea0417d |
| SHA256 | 7f11e91cb66c6b25d555cb2ed5676b7fe1fd4121518bf37b23f801a28baa01ff |
| SHA512 | da5aa6cefc8453470e7d5f5ab4a87aa121baca32904ad6d376729de912aabdebe6edcb15132346fd80d2c3ea3c6cab473a6f01936bb77d120dc8f05916d607c6 |
C:\SysDrv00\xoptiec.exe
| MD5 | e7e26dd14c956753857af1762a75ee65 |
| SHA1 | c8aaca694c53fe03cb85ff8d34cbadf5fad9cfdf |
| SHA256 | 5ba698d51881ceb2485d8cdc644af536a581c1f032504ca1163251f296aebe95 |
| SHA512 | d66331cbe76c294b10a0439c8853aeeb75c83462f4420b319dec618fdcc898a4bb1c0bc53b5438c72ec4ff4778c8b603f371ff59d9ede89c3bae4891f198d19c |
C:\MintT1\bodxloc.exe
| MD5 | 129599ba510ea653722910fcbc9253d9 |
| SHA1 | 3cd496d0fca274db75a0b1b76a3585c0a840137e |
| SHA256 | 47f3d908978979ba00ba93d68c1b5efbc172acf08251496a5c7536dc082b2b6f |
| SHA512 | 8528b3a6c6cf2645be128aeafa8d6283302ccf84524cb6cae37a16f4e17d772fcf4dd40b007eab1690834bf8a90549d5343662c5349153f0f5df243bece7dab5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | dae381593b55e76e4142be306b410391 |
| SHA1 | 4f6cc42d9dea2edb7dc816c8c9bd9a361f838fc6 |
| SHA256 | 317950db3b5147bedfa8a83df8357490c81df4a5c46a0cf7d23d88055bf43bd4 |
| SHA512 | 1cee3a824f48f0bd3c313534188476671d28c49b50a8e84fe40dbc9b1c0eb061f124eae7dd0cf1ede1c4c66d68222c6e63dc3613f5ed2383393d664c2117a88f |
C:\MintT1\bodxloc.exe
| MD5 | bc680fc8f9d8d64816d2f12a4c0d1192 |
| SHA1 | 58ae45ea947ab947e976865459de13cb2bd57ec3 |
| SHA256 | 004b8ce25845f53fe25b0fc5c61510b0962c8322708ced0a0100132e5d31a742 |
| SHA512 | 77a4cdc27da2dbe80faa71e00ed083448cec03075267a986e123087f938d635729162071123a81febe3a73c8d4c6e2734d5dc3f7fdaa1931e9210462b7482704 |