Analysis Overview
SHA256
bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4
Threat Level: Shows suspicious behavior
The file bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 18:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 18:19
Reported
2024-11-12 18:21
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\Files2H\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files2H\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxMU\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files2H\aoptiloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
"C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\Files2H\aoptiloc.exe
C:\Files2H\aoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Files2H\aoptiloc.exe
C:\GalaxMU\dobxloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\GalaxMU\dobxloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 18:19
Reported
2024-11-12 18:21
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\Adobe7G\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7G\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVH\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe7G\devdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe
"C:\Users\Admin\AppData\Local\Temp\bd6cf6eb526ab4f81787d92926d428bd8e795b183ed5df8642cd7dbc836402a4N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\Adobe7G\devdobsys.exe
C:\Adobe7G\devdobsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Adobe7G\devdobsys.exe
C:\LabZVH\dobxec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZVH\dobxec.exe