Analysis Overview
SHA256: 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6c
Threat Level: Shows suspicious behavior
The file 5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-12 17:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-12 17:15
Reported: 2024-11-12 17:17
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\FilesIF\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIF\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1R\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesIF\abodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
"C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\FilesIF\abodec.exe
C:\FilesIF\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| MD5 | c095cb15034b0bff72a9ad336d8d5691 |
| SHA1 | 26804f04ececb7d3126f5cb547f4e9e3b42eca2a |
| SHA256 | ed8a6347eeaf9813a728bbaa8c775bc5d220f2c983c5a74372665d3d97dfeaf2 |
| SHA512 | 7b36952c15698e72adfca704049b2aefdf97d6c61b0f6e69e8cbb8bffbaa3d4b4c8f3ed09ce0f42ad3cd443b43c9c63a43d719ee4a4d4a14c789904976355ffe |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7a4afc58c6694671ddc3a6279b13f680 |
| SHA1 | 4373c90b64ebd1a8a87af1e8f3c14f4dca96a71c |
| SHA256 | 775a57a281947009a336778e823aa3eb1dd317843a527f77b18f5aac7df8ee91 |
| SHA512 | d377ab63e02ffb57a70978ecf91c4c640cbfa1e56cf4a0a3244ffeff41386778e15cac97343b3096e7c7147cdd562cbc2295fc648f8a0bd40b8c14effb25e1c7 |
C:\FilesIF\abodec.exe
| MD5 | b38e8aeb17d02c09c52c077b376d5543 |
| SHA1 | 711dcd5eec7052eff5659e0be1de372eacbe06fe |
| SHA256 | c7ac5573fa0da1c15ca73e996940e79c720efeee018fd0615839a16dddcfffae |
| SHA512 | 9a60be4ef86dc91f02f5f729f5fb58d5af0bcf3ba63faaf119b14916638c2b8d62187ee28e20d198e7f3e82c2c6154e82d2569e206e0f8d6fde1f0bd7e9490cb |
C:\Galax1R\dobdevsys.exe
| MD5 | 572f2f89fa83cd0e724756eb089249da |
| SHA1 | cbfdd4e1e893e9f876d46a79247f38ade618a89b |
| SHA256 | cf6be1e16babe319685181c0bc39e48b663392fba1475e11b83d9b9b772a2f54 |
| SHA512 | 16d7748321e538202b878a175d219dd117f409a88d9ea0f79d0f873a9872b9c287f5166a26419d18ca54609ccd763dbef4b000816d7a243b0822fd78adb35950 |
C:\FilesIF\abodec.exe
| MD5 | 28952d2e88351a61aca35b43c0b88e98 |
| SHA1 | 7ea162178700c55aa383ee10fada9e7cb34c324a |
| SHA256 | d3c429a380b76462605a57dc03ee6be60e34a500b44bbf0dca873b2bc32e57bb |
| SHA512 | e4ab61faec08e63bc5c5de21ff7f201692b853e26cfb543d7f4fbc9a62487d331f9b4ba343ca701a0ebc64e953e5cf74c2a7ddcbe9a9d5bae7b48e29916f2dff |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9d835f72e1500ba783fead9f724c5216 |
| SHA1 | 23e37b78fc6624fc0f18e7f5a82231742d32b3ef |
| SHA256 | 8870236ff0cc0120755b9eb54321bbc6d46575e51b642dcac922d4b3fa463259 |
| SHA512 | 8dac395e64520b082e863093db30dda7920a63ca9de672f5d52dd5e5a2c5382d3cdd221ba6257fa421635244a1f4ae021749df9a4743973b9f1a8ab12355357a |
C:\Galax1R\dobdevsys.exe
| MD5 | 328ec8cae72f3d13d97b465c4ecd1062 |
| SHA1 | 3038eed3ddb1f73f38339efa3fd8369f4ca568fb |
| SHA256 | db6937f8594238a0561fb7bb9764be50ce706005fbbe41f47411f2ca38e57ef8 |
| SHA512 | 8fda65fcdf6cae9c8d2d38cab773887261ebdabb21150e882927a4444cc74d7407662b21d7ee08cee2fbe8897174efde01e1d5b4137bc9205043142d92b73a36 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-12 17:15
Reported: 2024-11-12 17:17
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 93s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\IntelprocR3\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocR3\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax88\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocR3\xbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe
"C:\Users\Admin\AppData\Local\Temp\5c8c442aa8157a62de82a701a8bf135aa56fa372c538325ae09e6ec0cfdf6e6cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\IntelprocR3\xbodsys.exe
C:\IntelprocR3\xbodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | dd5e1277518c2506e3013a2c56130122 |
| SHA1 | abef124210cb1359e87977d09ed8f79fb30bef35 |
| SHA256 | 50ed4ab234a8c8362ff712ee96611eca44276d041c6ce51496d45540e8558f25 |
| SHA512 | 169511251e9351d28d0d10608b9794dc184ec99972b5a9fed7e1d2388aa71ca26dc0c6c50d401bc3e63eb7497be09ef037daefc0479e04917fed88afce632bdd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f684046193b294bc3ffe3ee35e836ed4 |
| SHA1 | bb19a4f6bac8e9d3e56c2062b12b669eda7812f0 |
| SHA256 | 7e89b30dcbc83effd13c61cf3263548a239bd3f4723b85f351050f7873ec225f |
| SHA512 | ddb99a2df83dbc5f3ed94ca688c8c442ef09b555e329ee4797bb5b943ddcd278f12110a7a307eef4313b12808a90c8cdcc3739b0a77db3bdbbd912e2d4fb173f |
C:\IntelprocR3\xbodsys.exe
| MD5 | 0294e6ceeeee93c180c029b7954ea242 |
| SHA1 | a06d7fd94adadb1d07c1b5894a5f571fcc7c8803 |
| SHA256 | 0452b24867b18148fb59fee832f300f49740e4fbd7b2b76784f728bd3cc76905 |
| SHA512 | cbbbd4c938287a2b48331487af93a25afac7828689a90853180af2888236041d406b3f07057447c3fa1a9c8e6edd32036c902142ea91a3549fb0affa4a7899a8 |
C:\IntelprocR3\xbodsys.exe
| MD5 | 7cc65550790060baede29d570c3e8564 |
| SHA1 | 2ebe4680e39d6df4520c2027f65c863dd0fea4f3 |
| SHA256 | 1d4eb8d7bf319b2b7f0027c6399c4b5e316a225d36341e38fd4141f3ed244fef |
| SHA512 | 809e3c538bb1753b8da04fecdac1ba575d829f04503351be95e58d00a68aba76ca26f042dca81874e598a9573d261d8e91d5c761e5729974ae87959a8d7ffe17 |
C:\Galax88\dobasys.exe
| MD5 | 5ddeb391ab3ac28373c49a18a9fc5820 |
| SHA1 | e20d2b080bebd9139c84c58416d7c70625c1e9a6 |
| SHA256 | 53702ebe2017c945f2c47a2f890fa8800d9d4580a95231c1647d51b5506d8a21 |
| SHA512 | 915eb3a726b9264b2921ba1dc3dd7b58782f2b3513a4a13d8e08ab3548bf22c95f531cfefe0682c23602c5f94873b3f1b15ff79c4dc946cb35728044e5768597 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e3e790db0abf7eaa62cd41a76c23f3a8 |
| SHA1 | 0f5543fe574cca5cad0997110c3a631768b7dd86 |
| SHA256 | 51d1a8b6eff29cf6b9923cc4cdb279c1d88ddf9186cd9af5df630ae19a2cc582 |
| SHA512 | 63e4c50eb8e32f7824cf3208a4645271a751209cf7a01556eff94cea09b42eb8fc58b2b14885fda19c9367b93102e77bc79803c52bdc0611bc8dcaaab2e3e58d |
C:\Galax88\dobasys.exe
| MD5 | 01b7985dbdabde462880f807a7d6eea3 |
| SHA1 | a3512cb4e11ad51950a66767fcc8a6739490a366 |
| SHA256 | d2fd4575805e6a38e91d64ecb6a8825e094ce5f3b6fc2374c63d72264f4408e0 |
| SHA512 | fb454bebb68bfdc3c53b414ab27c8bc0200aec6e210eb80ff6f5ae9f0fe292426c0b07a100d4a6ae29b32fa9cfce1a9becd59c28c5e9913afa711e34f744202b |