Analysis Overview
SHA256
6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1
Threat Level: Shows suspicious behavior
The file 6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:27
Reported
2024-11-11 23:30
Platform
win7-20240729-en
Max time kernel
148s
Max time network
20s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\SysDrvXN\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXN\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDF\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvXN\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
"C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\SysDrvXN\xdobec.exe
C:\SysDrvXN\xdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | ee28770a7977a03c18682a0c18c1df85 |
| SHA1 | 747ab889d0a3595968329f413bf964c452a19b04 |
| SHA256 | dddd899e44201bb301126afe559ab527eb43269ac534f7073b6df3cc69fa0fb3 |
| SHA512 | 2b785541a63764883a789d1639f589b5e2d55060b18d7bd7341021b44e7d2e769797b70cbec86611ae9f91732d64ff9a8eafca5bbbb5e2043aa0be25e57afdd2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 132cf19b7d4bfd05d0b1857039b8e826 |
| SHA1 | a91dffc216f680bf2a11ebc9c80788099b578832 |
| SHA256 | 497cec8660b9ebf79980cdc04223076b5934cbfc43c25d3f03cd8f4cc7e9bff6 |
| SHA512 | 120895865f179aaa6b82eadb0c35fda2c439baf9834824f9ea97dcecb96d77c3425a80c8f2259833ddae4c21bac4db7a4cdc3860d2f0d507371a829f539ba563 |
C:\SysDrvXN\xdobec.exe
| MD5 | f306ffd1834922e210ba79ad6030d74c |
| SHA1 | b71cdbe8787a7e0c0164e7bc3be27879e00602d5 |
| SHA256 | 04a55b5ce07ddf9f818981a645c15ceed92923364941593fd7c7dd56a9579990 |
| SHA512 | 7c765f473ac2d844f2e9a360cbd1c51f3d9387b5d8ed6019f53dc3e070e351ae6fb1664445fce4403e69f253ebd58e8935a5e16b972796d5bfedeed17676c998 |
C:\GalaxDF\boddevsys.exe
| MD5 | 9cfa03b4de8aaac1eb30cd83e2cb2354 |
| SHA1 | 9a4d031d2a634ffe2ddcc6c068a2b207afa8a803 |
| SHA256 | d06d6eb1a9825353f98d994b4b27740d0539f8c489ac16c147a00aa14462cd4b |
| SHA512 | 51b0b945b90eee2baad642e54448acc22b720152787e075ed05ccd7c63b1244fb24a2281fa7606283236d056c6822e4cf04fe570120e9129fad0b58d3be40d22 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 4275a56b1731a4baff37b8fad8dad183 |
| SHA1 | cebc5d1b7b9aced5c95ecedcd84762eeaa3c1dff |
| SHA256 | e8cc7303dc66a4bf70091afde1a168e5738cb1af2c2408d396605300276e4665 |
| SHA512 | f9a1c193b46d5b503eb9fe23ee0e83d76118fe545bea1b23a3384d902a6374bfe76f23ffdee15f6499ab327974a23a73f005ecde15e60227b65878630ad491c3 |
C:\GalaxDF\boddevsys.exe
| MD5 | 13500401707c5370492d3577a8a42cea |
| SHA1 | 1a508cd39f0a017beeb952cdc509a604c5dace50 |
| SHA256 | e8a3cc464c099f92a966899a477a3a400f6843717062035092869ec2305ca36f |
| SHA512 | 9f1b6dade81dfb411f7874663d7c715092f443abaaccdcc742218fe9e963dd834e7db1506a82d8b648e70270ec1daf0d1f65aa57e8ef468c4f90cb6f58d940fb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:27
Reported
2024-11-11 23:30
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\FilesZ8\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZ8\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint21\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesZ8\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe
"C:\Users\Admin\AppData\Local\Temp\6e5d75df178873a8fb7f34da940d2ff7875f726674b7bac830f97e0ed40c02d1.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\FilesZ8\xoptisys.exe
C:\FilesZ8\xoptisys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | dcdbe7d174fd13cbe62cd789322df76c |
| SHA1 | c3343464c06cc3d6b1b5fb58df226520f6c10262 |
| SHA256 | 129bf6b5e706ad8a0cf213a0e312683fff070600ba68159dd49dc9ed3fdaaa2a |
| SHA512 | e17397118592984bc560119fe4f7bef384c84e0aaf62babd5a9ae573f454a719f1a198750faf6a198607abc280ef2b75aeecdec25c137cdba7d902e648d1f27b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e4c7a332abd40fa8a7ed3d3e9df35a1e |
| SHA1 | 8782de0e487034c644bd9a8dbe453f287278f834 |
| SHA256 | 8efe758ab7204bb1edb71dbd6e5bd057669928535400451d68be3401a0076ff7 |
| SHA512 | b20e631f046a9e0a05ff82cb73d8f88107e172b3f87196068c78063d353e523e154059bb5bac12a316c9d3884025e3ea98db1ed0e1bce6f1aa66e2e227b8d56c |
C:\FilesZ8\xoptisys.exe
| MD5 | ae95fad4fb3d05b8aff223d5469361d6 |
| SHA1 | e8139931f3f192d6b860503f6138859d9eed0369 |
| SHA256 | 601cde37eef8a98dd7ac0bb3ad8cc697d5eb72a65e557c8e0e654e509edd7f33 |
| SHA512 | f267c43b59f50b6b605d3ff6b02a567d48122680f4b07a427a7fec62c1c8399de563725582c7d1326b31bee7deb7cb2f76d1aa8965b8ed161bd14762becef09e |
C:\Mint21\optixloc.exe
| MD5 | bb2583d5d65672c0c920009cc0131d97 |
| SHA1 | 15fad637a492850f275e6fe6eb5c9ecf90f19495 |
| SHA256 | 90be6b8ef9515d60ca46443c9119b7c2cb0a07f1aa3a0d9cb5de0f5559378ee3 |
| SHA512 | b66a11930b3c62cc0ce897dae32b0a80376d33f5512b70f9981af2b1f0a2d33d26ccaf5efb92abcf6d2e7d059bc48609b624bf5c5f56fe655ef0bc77792aef71 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 1560cada12c7c8047dde7ea7f16c6318 |
| SHA1 | aea2a0cf12cd10c7fe6a56f8a510b95ae8510669 |
| SHA256 | 43b988bd361fd0ab31ff17b045747fa131561e78bb8184e52ab6c9f372f53ce0 |
| SHA512 | b24ef4f36146c76a78e1829f859211576d90755c4d5df699a8e7713c2c921efc0c47a094ef2c8a605aff478bd222fc66852d828503b4d74eec7d0cc7401701f2 |
C:\Mint21\optixloc.exe
| MD5 | 84c3a9ef71c6c32cc10faa7a3122fe8d |
| SHA1 | 44094cadec949c065d4321a4cb7bb4c11cd999f9 |
| SHA256 | de832fdf2de3a5ef6ef5856b88230214e4a82f75e7bd75a06e26b26295f3f07b |
| SHA512 | f1a129f7aed7cc664d5863e93709d5db2f4f45caf6e6372303a8d02f820d81b54c422a04eb54ae98bd4ba94cd7035a4f0faa9a15bf71b5210f2274fb4f64ac3a |