Analysis Overview
SHA256
d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8
Threat Level: Shows suspicious behavior
The analysis verdict for the file d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe is: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:00
Reported
2024-11-12 17:02
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvMC\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxB3\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvMC\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvMC\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
"C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\SysDrvMC\aoptiloc.exe
C:\SysDrvMC\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| Hash | Value |
| --- | --- |
| MD5 | 34247b38d90d6005694747655cd68ace |
| SHA1 | 33bde141ef498d654739ee1030ec2aa06210d0cf |
| SHA256 | 666f7961ee64e64d5a9c4b18bdcee33dfa34d10a5f912851e7c8a4ebe952d239 |
| SHA512 | aee75332b159a7b3fe341b80c214f584d6122b8cb389bd59eed03ad095d0f545151d50b2d611f09ac047d20e200c9aa5739062faf83dffed50ea015e729d5410 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 9195629f9811689c115cdd0712af0af4 |
| SHA1 | a6c14fad3da0c7f180312e1385ed2ee3b9ce0a98 |
| SHA256 | 0f212ee88bf9a0e23dcd8bc4aa99a447a366fc649b03702f045c5949297d6a41 |
| SHA512 | c037283437b81c1967e602a8f706cf1ef90146e3f1fe879bad769fb61abccaf333f2af6a92a8df46cb650a8a5b8660304a00887d2c2cda08f6b93d2d20230b8f |
C:\SysDrvMC\aoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 2cd6540bc31ba951368ba52fe9ccbef9 |
| SHA1 | 8e8f6f32a491abfe0f8899e563096e73a2e81013 |
| SHA256 | e65e93e41401115f18f482b0b8277928d3dc1d53499a4cac50458a63a4c92fbf |
| SHA512 | 7d94c96419f585d1f1646885456969e60f78375e096d2f083ad4051b30975363c8c98b1b574c9cff1bdaea300b335382641490e2ecd4b05ec642e2568bb762e5 |
C:\GalaxB3\boddevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 492b4e27b8c2abac678e83ba4efc0633 |
| SHA1 | f0ab8c39ce09760bb41dcd26e4b057f27de0efa4 |
| SHA256 | 62e0768f3c6da3402bdc83148f0c23a6ea5b20dca221136ef75cde0b03e5bed4 |
| SHA512 | 7dcdcedb57d105f204740f6e40a6fb7327f4d4ab7459dcd8b9a562e1c75a9198fd29ca77d7976795c5d686e5b8d44b1033cddcfb2b055f402ce4b90fd41103e8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 55d1f78c556f44ea74d924f87dbd624a |
| SHA1 | 56fc3ff1ed19649564b7df3e97354243eb599764 |
| SHA256 | d2e34de3ec093f1946e93856124975eddb2a7afb18618d27f9d1a3244fb23e8f |
| SHA512 | c2fe1972e810e208a07eb0708147ed8ef35bd5b158600d86e0783d079810f20cf758ab9551f30b05de0d010d649bbb569c03d5dead46ba305c6af0d208ea814b |
C:\GalaxB3\boddevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 9c3fb6f1464c3b66f26978685a612e1d |
| SHA1 | 63373df0eebc9e09e4bf17d409ae5d55b34d064c |
| SHA256 | 8f7efdca0eedb4934e17c0c75824d173ab3b8d5aaabe6bd98c448a70d36c94c7 |
| SHA512 | a0c88aa14e366bcc840c47081539467c1172bb8218ad4338cc4e39d9cd5c548b6d26b55ec73d070d67aed1f7f99a1d5101be266f57c45b5bbe75ce5303586138 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:00
Reported
2024-11-12 17:02
Platform
win7-20241010-en
Max time kernel
119s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\UserDot8Q\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8Q\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8B\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot8Q\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe
"C:\Users\Admin\AppData\Local\Temp\d5ba65d9870544714303233f4f9e3c5a4a52e9f3a7c5b3771e43087cc3b0b0a8N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\UserDot8Q\aoptiloc.exe
C:\UserDot8Q\aoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| Hash | Value |
| --- | --- |
| MD5 | 8dd42663e66714d3cf08c1501ce18029 |
| SHA1 | af3ce807bda72cb424153ac6eb0367ea8697ac8f |
| SHA256 | 475f3d8fbca9b480e9830fcf99144dab3d99b0bcab8ea7e18e9304489f3a7abe |
| SHA512 | 14ce5b74f44825ead4a24a8396a4aea826128fee70a7e493deb2b4335b3e02b72a4e6d20a92eda5f55b2867bcc23bef5ad0d811dbadffd5ac818bb1a7fe2b10f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | bc0718787be037b59227fad328070f24 |
| SHA1 | 0c2cf1fce9905ff7cd8ff95d4679c091912c060c |
| SHA256 | a094d79b791e03074a91190fc6810d96a4934d1fe16e380289ee4f28ecf799bc |
| SHA512 | a77468912e4d1bc6357b39d92dc0d9ddde5f2a0da2b36e8dad70876f97442f4c28a6f7667e6be34342328b7e1be598e1d49c0cd382d51570025ce841d26790b1 |
C:\UserDot8Q\aoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | c14273ffd7e8b7005e6e145ea032d81a |
| SHA1 | 3ea4e1e6f201485bb343ff5aabbbeb0f2259cd48 |
| SHA256 | 44960a2615abb036c26e768b5da4c85394d356885b085ddebca1be2ba93e05a5 |
| SHA512 | 5e6825e0ad609dd2fcd6bf24ee096ad5cd08baa9faf25c2291cef40a7400b731a35db84d1dc2a8bcc5f8ea229849c6bb3776ea4b00edb719478abf673120427c |
C:\Mint8B\dobaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | ddbe523fec5896c73ebdfad2a068bbb4 |
| SHA1 | 03d285de7fc20968b3022fe31fbb4998204ce1d5 |
| SHA256 | 2ec30346fe5090f040a01935037a0af1ead048def0e2267b4ea9c59a3b8a1317 |
| SHA512 | 90a2037d71839040824d62d827553b896f2aac933626c9f204142b06c140eeae06b3f2d5eb230b84768911da662f64ba26a33e44aaa33e730c0958ffac588ea6 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 6a6ada199eec0a132cf8ea43f1f61c11 |
| SHA1 | 9344e3a94a4774324f3e64a315b2930b5b74a10f |
| SHA256 | ba6a175748e6033ab285cd1fcea7e71544a9b3059928e59eca30a310c4d114ce |
| SHA512 | eac427e2e6dc9f526b83c535815fa7ee2bb7bd5c0fa21fc4ebace7e826429cf8ddf27d69f4263f0e4d9a7cfc53cc8cbf6e0305576403d518f6b0d0eebf8d5535 |
C:\Mint8B\dobaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 625e64609280230258b1413393a0e659 |
| SHA1 | b5b6065c7b685e8b95d677cc0212edfa236680d7 |
| SHA256 | 8532fdb960eb340b32bad72cf25750eff89eadfa1da9d70f5cd98f10c24e62ae |
| SHA512 | e65dbd9e9b1be1d7103cc1e2ae1027152508a7603256ca47e28658c71cd391b2af8882aa2a1386e211c7ce1c19d90730a998dbe27fd2c24c631ab1fa1acabfe8 |