Analysis Overview
SHA256
eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17
Threat Level: Shows suspicious behavior
The file eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:38
Reported
2024-11-12 16:41
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\FilesWN\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWN\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxM8\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesWN\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
"C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\FilesWN\xdobsys.exe
C:\FilesWN\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 8d978cfa0c7e6d1d2fd391c7315acb47 |
| SHA1 | c45bd78adab3febe44b41a6d2d792669289661ed |
| SHA256 | 286c333d619bccfdb98416927d45accee3b95d9bd3a1e776e1ec610182aa69cd |
| SHA512 | 431dfdd8d95992d1b2c60060a67ba3e7a2295dcb14f416ca4c715df8f25261928b1a0679e16546197dbb3b2f5227023088bcf838378dcd01d2320b939bb674d3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 234a8452369ad3b3d23faff84b116e36 |
| SHA1 | 1677bd47a29c984fd1f10696eb85658b60c35a07 |
| SHA256 | 6424dfa0781e2366f6c4a2356cbf5c276272c8c5a5183e9567bd80cdfe83645c |
| SHA512 | df9680ef3dbbab90c174cebedd178bf7c6ae1f71b02cb46ebed7b7625c063df52a3a2ee2f6c6288959f1f06af41474d309d42161f3ab5cbe2de3b1fbf62f8469 |
C:\FilesWN\xdobsys.exe
| MD5 | 61b773990ee27e9e908970e63b267f79 |
| SHA1 | 522f4b8bd8207fe759634142fdb72607b71380f4 |
| SHA256 | 8680f82d44553da0b976a373a4c22a7847b75edeed53a8fcb3bab73b13c72c0d |
| SHA512 | 6a34405c32b1ed6c0070d4c054d00db08edd60f126246e30755b99cdc98b0de4394c89b066d72ca1b9f4c4ef554bf4713874e94aae71615254c3d79bc546c29e |
C:\GalaxM8\bodxloc.exe
| MD5 | 4b15a8dc60fb28ba194308947f8d0bdf |
| SHA1 | addcf6f0cc5dc9577f5354dd3efdf91843caddb2 |
| SHA256 | eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152 |
| SHA512 | 35c0dcc269feb3a6378ec13dde959d0dbc121e4ec5236b5910536beee95f1128b58b5d7711ee4f05359371d8097a799e57a11fa6b9dbb26c543666dffd669e7e |
\FilesWN\xdobsys.exe
| MD5 | c12a9f08c88022efb2ccd48ef903fd60 |
| SHA1 | 3617e3d1a20f3fa4693ed8d29923ded594c2b341 |
| SHA256 | dd977b120a28d78334365a90f86644005df38cbe3a4467a4c5dbed3080971ea7 |
| SHA512 | bd1a3bb5e45b460071b556df1569997eb4376b5d386dbff5ea163b6d8f04691e39c05ffcedfd654a9a34758f34982cda497e6aed8917f7104f3b8de7b441690a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | cc143e566c36996b0cac15316edf3241 |
| SHA1 | ceda6ebac3992199a9e42c850287c49381536643 |
| SHA256 | 1a438862dbf2fe975191d3bbb3d129f9308fc465f53960c768671dcb7b81eac4 |
| SHA512 | 4b5e2fe0b752392984d41846216d89dfeb4f7d3806555ad3d56c645444b97db3f0f51879d39e96330a2982fac407d63ee5ecc1ec6576cdd9e1ac3f1b2320b24f |
C:\GalaxM8\bodxloc.exe
| MD5 | 27dbcfde0d4705bc70943febd554ef43 |
| SHA1 | 1c2c2293fd608bcadf8c20e45222fe822ca7d757 |
| SHA256 | a1c99f033e3441a83209accd7575df428f73c1d783ee9a6f4007a1cd8667addf |
| SHA512 | 47204c06cb8e8d7979717a543c2a2576ef90f987064b65bb202554d0f87e915c7c3a4b6d7e04a40ba833449d0ddbf0f5629d50829c2d3e322d4ddf1139c261b6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:38
Reported
2024-11-12 16:41
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\SysDrvH2\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvH2\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1Y\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvH2\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe
"C:\Users\Admin\AppData\Local\Temp\eabeed11a1a14116f878a7c95f408bac6bcd2b293d2242d0cb228555e4e1ec17N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\SysDrvH2\aoptiec.exe
C:\SysDrvH2\aoptiec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| MD5 | cfddba53f639db007007cf895687c640 |
| SHA1 | fe8dfbffe2ad99c7e2de9898fee56cf332542307 |
| SHA256 | 6daf0d368f1bde57c5ede9d998837d1bcb35504a15bab953980c57cf13fe4e5e |
| SHA512 | 5d9abe8b978169fe0ea49613b3e140519a5a57e0ca45ab7eee207e3462a0073cde1114179665ed1a7002023d73f0ff9d21ffc931727592e88c5cdcf77973d52a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f1ac41a33e426b02e4b9e4db7572f27d |
| SHA1 | 5916a71cb527373840d4157d91f1f0bef9812866 |
| SHA256 | aa0d6bb777f7ac5347a8f34274bc846bbd2f047e218c380ee42aefa83c202d99 |
| SHA512 | 010bd2fe9409772b5956f94817847b64080e9ea435d8888060df34a0c6c819fef50a520bae4ebcdd5aba36969b9ba32dd08c64bf0245d256f148f50323b92439 |
C:\SysDrvH2\aoptiec.exe
| MD5 | 311484c157ed889ca934da045471137f |
| SHA1 | f68b4121402c1e46020948ac0e352bc6e4638ab0 |
| SHA256 | 3660c1bf4c111840f73669f916d786f2ff4889b49f45de3660ecac7d046dc5ce |
| SHA512 | 3c9dd5a8d977537edc0081c934f97ea85f7f4d49e23424d6fd27624845b51cebb96e3d07a9b53cd76f9b2d3b34516f13ed42f05b7ff2d21d5f93cbc83a098306 |
C:\KaVB1Y\dobdevloc.exe
| MD5 | bf18616e104829efff1d8e2c35b3a4bd |
| SHA1 | 4d829b6b2b80c19067b17df0caa3fdecac1c9c3d |
| SHA256 | af92f097675856db675954f7bcbb1906b2da8164292990b50c5f36880da6882c |
| SHA512 | 452b6a2c217087af6ee2b270f724b9d5252742327f2b258135bd93ab7e4499685139f7c4f6c423deba4a5d651b144375dc60fe9d2d71f38ba0868ac7051626d1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 497a50ef7c562d5e05c154111e96c622 |
| SHA1 | 2d901cf395c5b286324a45b3ab779f4abcd1e7f4 |
| SHA256 | c569f8031dfb23d334c7b8b4aca6c219e667205bd635ec0582d13d964501326e |
| SHA512 | b26d1adbb9388518ae9c4bcb9b110cf26b0cd544b7dde6d1e8e5ec6097b40fbb8a4e41608fda426173e988ce91e4fa0ab9132613ca399949546c16afae658cc4 |
C:\KaVB1Y\dobdevloc.exe
| MD5 | 00208e88d6955d91d17f6e97df488e43 |
| SHA1 | 548faa67fb60c2067db784fd418b3e136758e109 |
| SHA256 | 64eaf30d08b4d0342db0c13ca79045a00c8224ecea1a66e89223265b36876420 |
| SHA512 | 36b70e0de7fa6e51feb060d5f5313e42b119193f21f76d9443a6ac5945c7c60596d7254eee48dc7395918de3c4e90e2d3a1a6bf1b78058047e09956329d35686 |