Analysis Overview
SHA256
9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8
Threat Level: Shows suspicious behavior
The file 9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe was classified as: shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:56
Reported
2024-11-13 13:59
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\Files3X\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3X\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidEI\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files3X\devdobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
"C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\Files3X\devdobloc.exe
C:\Files3X\devdobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| Hash | Value |
|---|---|
| MD5 | 0c09ab6fb84a8a427f5f6dfd76291201 |
| SHA1 | 555cc8e5edfc2b73b28edc83fed57f0cb5e714cf |
| SHA256 | 835a59d0dbef262051721a1e70ec343a8bcf8747ff7fbeb55c3b2d0f9fcbb2d7 |
| SHA512 | 9cdfa66a13f2e6869638921357f6089f2048408eebe5fd446622c78b5a43c424285ec58014d9542086a7ce798e0a0c3b11561ee83a2d7889f5263555ec33d913 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | fd18659289fa188a33b2c00821b73614 |
| SHA1 | ce425aae5ac7a10e9f967740ca4f5a4c8581786a |
| SHA256 | fa7e0362559c7ac7e8f24df15b66714f46b0a0d6c6dc01bb7429b5926ccc5eb4 |
| SHA512 | 51dfbeeac84cb591d38319266b1fd5d9bf6206d5e166bce1e22b3746c63ff570e3de7d7d58eb40c6fc6d5a36a8d4950787b03203668517a54252b7b6720b2fb3 |
C:\Files3X\devdobloc.exe
| Hash | Value |
|---|---|
| MD5 | 2e225a2d8fbb510df0e9d10ed08a2948 |
| SHA1 | 0b352fc966668cf0af9975bfe452bb2862402d3e |
| SHA256 | 5912d778da8b2fc811d020c96395df1ec95af34f0d3800d8e4524ac00f0e8345 |
| SHA512 | 29b390a80b3b70e36a4034d1395811884a280b6bcab29a7079b926b64b45b36330959d09e74a27cf3cc8af4382b4930d81a7306fd2b3e4687026157a81d785ba |
C:\Files3X\devdobloc.exe
| Hash | Value |
|---|---|
| MD5 | f6b59d19aa0cc1b02bb58fdcd8f35da0 |
| SHA1 | 75bdc3e85eeebe5599339f6d233393e3ed6483bb |
| SHA256 | 3fdcab2c02242bddce8bed8e662742cf3539c05a2ef5d3df9f1ec067ce96af92 |
| SHA512 | a19af520c9d44d20a92a1d4cedeb0e323beff7b4a97f71dae0628a743e86be4eded4e933e78fa71552eec90bc04e447c2545dbfc31b726e911c30bd22425c513 |
C:\VidEI\bodxsys.exe
| Hash | Value |
|---|---|
| MD5 | 39357249f5df366bd27fe914673ad862 |
| SHA1 | be31c9d00df76115eabc3bee4dcfe80aa20526dc |
| SHA256 | 9cf0e114a36f299dd71c04ed93d7e17dafe457f9321c274e99eb1d225c9dcf3c |
| SHA512 | 360a66ba8c915a13d95d92a402c8e81e5023eff1e686c35919362c85813b71d94401dcbf0305663298b50a7714e90738f5c8127130b18dd176b4936813c192be |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 553732abc93bee21a254326f8af6f514 |
| SHA1 | 340daed6819acf752c6b4802499fe1fccc944d05 |
| SHA256 | 912ffca1f4fc604b337d487ec66ef29e0ddfa11bc02365a87b71f6c8141885e4 |
| SHA512 | 719d4d75272be1f402db8ca9e0542aa099593c18ed2e0c5429135f288039e70272707f2b40fbc8cf90b11a8cb46f417b0b7a7f749ac5af47053c767451a3ed3c |
C:\VidEI\bodxsys.exe
| Hash | Value |
|---|---|
| MD5 | 1177281cc37eac897548f09c5a2bb0be |
| SHA1 | 7fcbdfa586162ecf10a4e814cebde49a9e7c9ff2 |
| SHA256 | e0e8199ff31a78de783de78bcf4ae417736be14f8f3aed4edbd1b7408ff8e9cb |
| SHA512 | 5e4d15369b7aec23f96f22231c6ee0b91538eae06a29fa0055980dc85e8629ecc8e12f11fca65c6354421b31f098422dcc6de380edbbfb853a90ecfab155e1ad |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:56
Reported
2024-11-13 13:59
Platform
win7-20241010-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\IntelprocA0\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax39\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocA0\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocA0\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe
"C:\Users\Admin\AppData\Local\Temp\9df49e6d824c1fe6200195efba03b8a2a3abbd0a7efce75e270887c31f78fcd8N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\IntelprocA0\xoptiec.exe
C:\IntelprocA0\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| Hash | Value |
|---|---|
| MD5 | b0373fca7645b2518b7f232fb0087941 |
| SHA1 | 51b399d3ed0e443dba011357a4e4c2a3d2fd352f |
| SHA256 | 872163631dd1691553d5b73e1cec1e24828b9471a78f3d7a6821ff992ce77405 |
| SHA512 | f348e9e31a3752cc5b4d7b48882e410bb6368588c4b300a46581c96a84b866f3e37d341f6e762f33c5a1a7e8451cd996565818f1f873e9370423ce9feb9076dc |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | dc64137f77b2bf4d1514e4db35bb7119 |
| SHA1 | 9a3ebff89528e3d96a5272a6b361b3866b859051 |
| SHA256 | 4cc862a8c0ef22c21a4693d0107b2bb7d40dbc2b4f77f6a4fe14922a0ba43d2d |
| SHA512 | 27a36f3b8a4d96f6526c4f8c7f35b394f437ff5cf8ec95a281d1f95c010b5d7c98acbd3a0b7f5b03f8d60a1dbadc765727f5f15132399f96237e40ea0f11ba2c |
C:\IntelprocA0\xoptiec.exe
| Hash | Value |
|---|---|
| MD5 | dbfc8b6bc1d2ef5d9682c1298a6ddc5a |
| SHA1 | 179ac341738826804bf49af8f39cb6d05e3e6521 |
| SHA256 | c13e97829739171aae3332d841bb725aef88adf7df434f6706f26dcd433ac552 |
| SHA512 | 408bab3afd32fdddca2956da94a61f8671fce2afdfc60b3f28bcb67c49471898af2ef1a95fe4d2a7f7d12d795399caaf296d80aa8588333fd74b6a4f0d5070e5 |
C:\Galax39\bodaec.exe
| Hash | Value |
|---|---|
| MD5 | 3819d1e68adb1e364e0293464ecc63fb |
| SHA1 | 1593fa658080cdbdbbdd30e4747e3e218ee89410 |
| SHA256 | f1d2602b66e4ef00f2d3f4ff9cc6d29e6b59b6e92c467cc1807d93b5318ac621 |
| SHA512 | d92767fa3bcdcce5a1b3cddbb5ad87dc8a059777bcfa3a82853755f426d98e6e7b29feb0b4a5a4f44cfc31830ddaa1e1843a8ea617f6c64316a624a25ef6e7a8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 20e83274b1cc4cf664af79cdce20c028 |
| SHA1 | 0f22631c5eb6aeb25b20d18e55c6dc322fae2f0d |
| SHA256 | 566fe8a824d15110563fe33bdb22b6d059abb55136911a95d802216f1ebca7f4 |
| SHA512 | f9e0100a1c11fbbbb87dcc806eece16068b57130bcbb8705fc3d001b6e0651a2d39242dd8c3ddc564b32e49079ec85c35faa6370d15b4add209b153ca58f0326 |
C:\Galax39\bodaec.exe
| Hash | Value |
|---|---|
| MD5 | 680222dcaf692802bc1aa0ae1bf5e7db |
| SHA1 | 01876aa75d4748d92b16f64acece7ae1dcd7e758 |
| SHA256 | be0b46505250e30c63431d44460df8eb54734af7aacdbe3442b553463ed93997 |
| SHA512 | 57e8d4f6ebb6598a51d4d8be7723e12dcf2843cba39a78700a239a22313bc3fd76428c2148f26f57d173240b6bc1af8fcc6f54914c55fb36214b857fd072344d |