Analysis Overview
SHA256: b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82
Threat Level: Shows suspicious behavior
The file b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:01
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:01
Reported
2024-11-13 14:03
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocRD\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRD\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIR\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocRD\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | "C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe" |
| C:\IntelprocRD\xdobsys.exe | C:\IntelprocRD\xdobsys.exe |
Network (no network indicators listed for this detonation)
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 88685b262a5780558f3fb6ee6e8f6f47 |
| SHA1 | 57ca49dc1c15765c80ffe43be4e3da2362db92c8 |
| SHA256 | 186476bbe9bf38cf4605c16a100760d2351eebdcc6c3661c39ece056304c2c54 |
| SHA512 | 93f1417f70afd7c8fe3f36fd7c496a32798aae4b323f663b8c316b575f3d07d6f2975a330113bb4f5b709b1ce929dc6a4f71c37548d42742b4471dc571ecad1c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3d91fa2c74ddb8c0de7ee8274d1686b9 |
| SHA1 | b2ddc2c36a1c6f06736d250d5daef112e8c05027 |
| SHA256 | 87891a03b79fe92640a8ca90f88647391b686fe616e1558b0bcf789da3a80b50 |
| SHA512 | 6c38ea2a4c784879acbdb7275f3689af1453f33faac05fc2e1d0de718b01d980d0a50ae761a3456124161d5b5899e27fb756e124e8741e1541aeff34b998dfc3 |
C:\IntelprocRD\xdobsys.exe
| MD5 | 95e5ab406dd96730838f0cc849018587 |
| SHA1 | 7e022e553e25e3e3701bae8c867c67c0445b0eb5 |
| SHA256 | 8d61bebc12695dfdfe584478d375c6f20b7695baa5aa1ac14b5a9f5aab8d555c |
| SHA512 | ad284e0e2edef304ba7da9c20b1f713908c77bf8f53c63731b0836fca8293086c6fa3932cc98c4a9755e324cdb76c4a10619477b69bbb06e2a2ab7290c4f43d1 |
C:\GalaxIR\boddevloc.exe
| MD5 | da8bcc6ebcbdacba8fe89ebd44e85bac |
| SHA1 | 7c369e2f2be0b6bc4a64de460e54e9e9a186f1ef |
| SHA256 | ca2389213049d67f68da9ffacdd6c3704849acfe3ee1512413d0db54dbb9394e |
| SHA512 | 5c53bec4875ed32828d3a3bc9b48865484504253d712aad9498dd62d6db716ea3efd7ac9513f86b127007d168e2b9c6c77e5b9ba6ca6e43a99f7478b1241f638 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a36b973a46c9503a9f84964da9baa1ce |
| SHA1 | a78a6010d4b1fb95558026302ba2a0aa3b95ac6d |
| SHA256 | 381ea41fb22beb9450de04cf7743a219485fd42369bfe052360ec0df5fabdba0 |
| SHA512 | 6897c12deeddff7479f144d262d748d1c4a552af2880c7b2ae15f7f06556dd47a97e5ad2120bcfb7aa905d428df70aeaa1e0733219dd825203efe8dc21de05df |
C:\GalaxIR\boddevloc.exe
| MD5 | dac147a8c3d9fe57b952ef158f23fdb8 |
| SHA1 | b31bc539f2555ad8b895f7f85980efbd1d68c151 |
| SHA256 | 3779d3148bc855d4bb404ae14248b22c6e54f6dd006382c1c2473fb39a396887 |
| SHA512 | d5da2d77ed048ca3879ebafcf5e7dce2558f64001c3d89034094df79bce469ebb9d21675bb54dcac35abbc5a70d0373a28559f930fa77e623914cedca6f49853 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:01
Reported
2024-11-13 14:03
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
53s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\Adobe47\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe47\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDO\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe47\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe | "C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe" |
| C:\Adobe47\xbodsys.exe | C:\Adobe47\xbodsys.exe |
Network (no network indicators listed for this detonation)
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 5c7361fb1a33a640588fd3a611ed1638 |
| SHA1 | 20996988ec57bc588ea055015a9c56e000626787 |
| SHA256 | d6914638af78194b21251965d910e98a6f3bc212bbaf6802a0a2f8fd2a934b18 |
| SHA512 | 7b805fddb81a2f93881e3377bdbbf938290d8319cf50f145efef052d5511ceb9ac7d4a251724a4d4a3cc7db84aa793560c5f37c62a9b77eebb1a453ba419bef4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5d974e0d192f5044c626ddb6ca9be3ff |
| SHA1 | fc1e3e525309136a75dd5ee6689740d0704c9a83 |
| SHA256 | 3eca18f942dc345c76388f469964af097bf6470c47fe391b62cb8fd995fbf575 |
| SHA512 | 8b58b47b682d37b288f075b7d07de722427899f694483a76a51c7cc983166366a7c719e073179cacf2a585da382e9ce6c0d15c12649b02d5be7004d5843558ce |
C:\Adobe47\xbodsys.exe
| MD5 | 60ceba79d69ac964383983a1c796c46e |
| SHA1 | 655f32f8766944928611dfa3ca01cadcfc744712 |
| SHA256 | 8ac4cc9453d85c06c4ead65c07a3f61c1148d6c8b54b31dac7769704cf3b2c48 |
| SHA512 | 848b2d6ddb28491fafbcce7db48b07a843eca866f6835c80e7b1e5da14b87c130eda7989ca31d4f68f3eed7761ae712158bb5398399a55266d27f025b45e3613 |
C:\GalaxDO\optialoc.exe
| MD5 | 039d3fab34ed62c8c001a02ddd8c2a26 |
| SHA1 | 30ee4cbb8888ccc89e767285e1e310051bbdf3b1 |
| SHA256 | 19e905f5a464f191728015ac56dde9f9bdb0103b3ad369ea0e31a85cfa3236b4 |
| SHA512 | 8e10f5f1a5ed47b78a7ac7fbeba625f27c8a86396a90fc17cadd2ef511194ad87cfe17b92868a99c6891511ba8bae210230be0dc7b32fa8d63f6970fb116626e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 819dfa4b8981ac1ba0f66aa2fbecab0a |
| SHA1 | 5430bef53f9f87755400e40d34fce9d0794cc997 |
| SHA256 | c21e6e67115d6e6ad86f42695fc838bebeecc0d579cf21e5215b10ff0c44dd74 |
| SHA512 | 464ebe4ed0d451fc2946d39dfa547d0b4712b77664e3a10377db28cd81fae8645379145bf25dae43a11f810ab8ea15c23c99560e0d9928e04dda984df8b47621 |
C:\GalaxDO\optialoc.exe
| MD5 | 153ced5118521513e7eec00f7a1b74ff |
| SHA1 | ddf23f712b8177756236cbb00a334db930a103e2 |
| SHA256 | 39cb7d40df2124fd76a0c3d8604233ba63ee964fa44c88746709a730aa5f3310 |
| SHA512 | c0fb2f6c471d63f561172d8d067f05746e22a40542e1e2e392b5bb2b4300fc103a637bb5fc1951b2e0727c67d1b918c2b6e3a8f6e9e803c2237a62659db7cce5 |
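The two detonations above show the same persistence chain under different directory names (C:\IntelprocRD and C:\GalaxIR on Windows 7, C:\Adobe47 and C:\GalaxDO on Windows 10), while every dropped file carries a different hash in each run, and boddevloc.exe, optialoc.exe and the .ini file are each listed twice within a single run with two different hashes, so they are rewritten during execution. File hashes are therefore weak indicators for this sample. The stable indicators are the behaviours: an .exe written to the per-user Startup folder, Run and RunOnce values both named Parametr pointing at binaries in freshly created directories directly under C:\, and those binaries then executing. The Python below is an added example written for this page, not part of the sandbox report or its tooling. It encodes those behaviours as checks over Sysmon-style events (IDs 1, 11 and 13) and also matches the SHA256 values listed above. The event records are constructed to mirror the win7 detonation plus two benign controls; the field names follow Sysmon's schema but the records are not a real capture, and the nonstandard-root-directory heuristic, its allowlist of standard roots and the detection names are assumptions of the example.

```python
"""Detection logic for the persistence behaviour in this report, run over
constructed Sysmon-style events (not a real log capture)."""
import re
from typing import Dict, List, Tuple

# SHA256 values of the dropped executables as listed in the report above. The same
# path has a different hash in each detonation, so these match only the exact
# samples seen here; treat them as weak indicators.
REPORTED_SHA256 = {
    "186476bbe9bf38cf4605c16a100760d2351eebdcc6c3661c39ece056304c2c54",  # locdevdob.exe (win7 run)
    "8d61bebc12695dfdfe584478d375c6f20b7695baa5aa1ac14b5a9f5aab8d555c",  # xdobsys.exe (win7 run)
    "d6914638af78194b21251965d910e98a6f3bc212bbaf6802a0a2f8fd2a934b18",  # locdevdob.exe (win10 run)
    "8ac4cc9453d85c06c4ead65c07a3f61c1148d6c8b54b31dac7769704cf3b2c48",  # xbodsys.exe (win10 run)
}

# Behavioural indicators that held across both detonations.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# An .exe sitting in a directory created directly under the drive root (C:\IntelprocRD,
# C:\Adobe47, C:\GalaxIR, C:\GalaxDO in the report). Heuristic and allowlist are
# assumptions of this example, not taken from the report.
ROOT_DIR_RE = re.compile(r"^[A-Z]:\\(?P<dir>[^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
STANDARD_ROOTS = {"windows", "program files", "program files (x86)", "users", "programdata"}


def _image_from_command(cmd: str) -> str:
    """Return the executable path from a Run value or command line, honouring quotes.
    An unquoted path containing spaces is cut at the first space (known limitation)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _in_nonstandard_root(path: str) -> bool:
    m = ROOT_DIR_RE.match(path)
    return bool(m) and m.group("dir").lower() not in STANDARD_ROOTS


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the detection names that fire for one event (empty list if none)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == "13":  # Sysmon RegistryEvent (Value Set)
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            if _in_nonstandard_root(_image_from_command(ev.get("Details", ""))):
                hits.append("run_key_points_to_nonstandard_root_dir")
            if m.group("name").lower() == "parametr":  # value name used in both runs
                hits.append("run_key_value_name_parametr")
    elif eid == "11":  # Sysmon FileCreate
        if STARTUP_DIR_RE.search(ev.get("TargetFilename", "")):
            hits.append("exe_written_to_startup_folder")
    elif eid == "1":  # Sysmon ProcessCreate
        image = ev.get("Image", "")
        if _in_nonstandard_root(image):
            hits.append("process_from_nonstandard_root_dir")
        if STARTUP_DIR_RE.search(image):
            hits.append("process_from_startup_folder")
        if ev.get("SHA256", "").lower() in REPORTED_SHA256:
            hits.append("sha256_matches_reported_sample")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Run every event through check_event; keep (EventID, object, detections) for hits."""
    findings = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            obj = ev.get("TargetObject") or ev.get("TargetFilename") or ev.get("Image", "")
            findings.append((ev["EventID"], obj, hits))
    return findings


# Constructed events modelled on the win7 detonation above, plus two benign controls.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b289c33f3a3a6116fe4da215f8d609df7b0db0958a3522ab13e10b7a2a875c82N.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
HKU = r"HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    {"EventID": "11", "Image": SAMPLE, "TargetFilename": STARTUP},
    {"EventID": "13", "Image": SAMPLE, "TargetObject": HKU + r"\Run\Parametr", "Details": r"C:\IntelprocRD\xdobsys.exe"},
    {"EventID": "13", "Image": SAMPLE, "TargetObject": HKU + r"\RunOnce\Parametr", "Details": r"C:\GalaxIR\boddevloc.exe"},
    {"EventID": "1", "Image": r"C:\IntelprocRD\xdobsys.exe", "ParentImage": SAMPLE,
     "SHA256": "8d61bebc12695dfdfe584478d375c6f20b7695baa5aa1ac14b5a9f5aab8d555c"},
    {"EventID": "1", "Image": r"C:\Program Files\Vendor\app.exe", "ParentImage": r"C:\Windows\explorer.exe", "SHA256": "00" * 32},
    {"EventID": "13", "Image": r"C:\Windows\explorer.exe", "TargetObject": HKU + r"\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for eid, obj, hits in scan(SAMPLE_EVENTS):
        print(f"EventID {eid}: {obj} -> {', '.join(hits)}")
```

Against the constructed events, the four records mirroring the report fire and the two benign controls (a vendor binary under Program Files and a quoted OneDrive Run value) do not. The root-directory heuristic is the part most worth tuning per environment: some installers do create top-level directories, so it is a good enrichment signal rather than a standalone alert, whereas a Run or RunOnce value named Parametr is specific to what this sample does.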