Analysis Overview
SHA256
3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945
Threat Level: Shows suspicious behavior
The file 3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:11
Reported
2024-11-13 14:14
Platform
win7-20241023-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\FilesYW\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQK\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesYW\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesYW\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe
"C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\FilesYW\devbodec.exe
C:\FilesYW\devbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | df7ea60151ffb997804aafa2d4cd5dbd |
| SHA1 | fe1ed8cbf7649f15adc7bdd4f7ea70c6a59eb569 |
| SHA256 | 1d92d03ed553156e530edee2930507da91a4e94c98e8a80eef5e7d81e91e56c3 |
| SHA512 | a548a33a79c1300cd5a10d73a9fabffdceeab5df07f7119108dfe664a2ceb7e9e1d875e703003bf5ad458dfb2edfddc56c761dd61c73bb2d1666a11941439526 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 053c7eb006e637de7ca7e1812a81490f |
| SHA1 | af01e4525d0acbe5bcc0be6a10fc3c7e02695469 |
| SHA256 | 1f3a19f4de5bbf1cb484b74a317705409d86a7ff35e268628beff421f173c210 |
| SHA512 | 49037b4fb93c308ba930c6e8229b8bdc407183e2ab4f53501fa794b809a48b7d9557dabd2ce9b62be4e652245fbdfcffa2f3443e54113cbc0610b08b01eebcd1 |
C:\FilesYW\devbodec.exe
| MD5 | 417515ae5894076425ceaf50b7926217 |
| SHA1 | 5e2313e562b94e9786455cc596277651962d8f83 |
| SHA256 | 33c21577607be746ed73bfaac2ebc0bb644d85584730c09d67d079de2a126f5f |
| SHA512 | e1f387a62d5307b0d067e3f5185977f6829312151ee76b3da54f6697743eb5f412f578d2d2ea5c85291ecc2e5136ddd46f216447b503c56b0a0f01d8e047f6ae |
C:\GalaxQK\bodaloc.exe
| MD5 | 1f87289cd012904c6d1455580af41cd1 |
| SHA1 | e6d2b6b6a5e1f844277d961ec2f4c3966d59c6f6 |
| SHA256 | 22cec9ae6870d9a4d516b726b486825b6e5267e245cd919657a5b3c358e4a758 |
| SHA512 | b349d21a48e289d7ae272f992ec8115c761b4f426efce8c854f2a390ffd469398ffbc3a0cf696be40c4223dfe09d21f26a5e052c08d0e4d08c89b9ef5a9e3159 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 35850a19561a67cbc2c21fb681222323 |
| SHA1 | 55a32c6ca3defb8232e6693990df501a2f7bfd3e |
| SHA256 | b7cc7aa0dfa8909d122098a0f57e4a1cb1cb280a28e8c6c089c8fcfdfe970f95 |
| SHA512 | 6f22b70fd8177dc7bb9169599ddbfb4c7025354300e75fbda81b3e359417ddbeffb33b62500dd7de2e0ccadab7ddc14b36050d7e6528fcae0ccc79ec20656665 |
C:\GalaxQK\bodaloc.exe
| MD5 | fb05ad35baacd24ff2c69af6bcdd205b |
| SHA1 | 4c43407152bd8b2b20dff1de1139c456a2af7158 |
| SHA256 | 7030d9f75461b52f8cdb8a9079a8dd7fd2d62451495d784f30adc999bfcb9383 |
| SHA512 | c02eb2fa5400dc1390b98459b7ebcf6a5005952aa9f2cab50fc5f51350072964ae067051aed998cc715150102f93c0e5f04938c25e6c9dc543f742bbdf5ab002 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:11
Reported
2024-11-13 14:14
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\FilesV0\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesV0\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidT2\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesV0\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe
"C:\Users\Admin\AppData\Local\Temp\3672e1afc8da9e13038d7732a0fa08c68f8f25d81a60bb2181986917ca621945.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\FilesV0\xdobloc.exe
C:\FilesV0\xdobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | 5c2f5ab41697429f7f63681733921f9b |
| SHA1 | b529728d5b83f9dd98f936fb522734c85dd490eb |
| SHA256 | c0ca190a4d806f640db3541ab2a31287decdc8a1c6e4c6b30d7f987d0dbbcaf5 |
| SHA512 | 63f1d91101b6b9b259df0f434dc682f65e0e3432d376dc17e9dea6a506b82971d69d15686828604b8854ea2cbbcecc5ab77dafcf3c97d1c4660b13358dce3ae9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 3fdd0ff3e00b6bb9bb37037ab17aaf84 |
| SHA1 | 0b4319f55959c57807234babbe497002010e3d02 |
| SHA256 | feb2b24d14a7eac2fc37d8a23343ba67f2a3ac25548e06b01687177ea70d358d |
| SHA512 | 56e2ddc428c841525ca9196f171f2df055b558439a8a7cfc6037dcc89ebb6a19d97244f11d0518982db3cdc5eff1e727a0d0952bc63eb05457ca405cd6baa760 |
C:\FilesV0\xdobloc.exe
| MD5 | 24743b623d803028ebfa9a7db33f55b9 |
| SHA1 | b0a85b0efee5a967bed2eeda097fede4ac8887b1 |
| SHA256 | 2c68ca126c426b002ead74fe0a4d61a0d07a4e17e0e4863efa0490c250db3c51 |
| SHA512 | 5a3cf2d0d652c0968922ccb764b454bca7c7cabd0e14428072d0d053d73380c56c1e2788b1aedf27c11f5ae0bdeaff7084572d2cd26667004a201f8283e607e5 |
C:\FilesV0\xdobloc.exe
| MD5 | 5c23441c2676864f4dd066e447853b88 |
| SHA1 | 324b0e81e76c43efcba2ff9b287337477f4554db |
| SHA256 | bbc774d62ce9bb680097adf723738e9a2cbf8cf511bc9fa4024c006b7b400d6d |
| SHA512 | 53dc4d50bb8d11a0795e190f3a82cfbc7ef1cc9eb888b33e3debc8f9dba6574aff841cf4258e7ba1a1e12bcfa679c6ddc24ca45882752a4e1848b19a6d7ab6f3 |
C:\VidT2\optixec.exe
| MD5 | 8eefa0e13411448f98c8fab793b0ac24 |
| SHA1 | 90c4f14cf2797412d59176f3c0a3739efe4b2670 |
| SHA256 | a9fa0e1a3168a59a6873baa9d421b2a34b6880f33950da003fee95291b38f5ec |
| SHA512 | 86676a5210ffd86f318aa2d84d9891ed369b2ac33c5524eac5e3cc7ead92cdb9d15e5f32c632d7a647618c5c9894ec275a4f03820f9e3dd7a11f36ba2c1ed35d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a8f166addde916b26053c38cd3971528 |
| SHA1 | 6236d91a145d52260ce6fe984923e45fc75d490c |
| SHA256 | 0922849722a060b2715916d4452b4c13a26c0ba457461635cceb51fa8eb033a8 |
| SHA512 | 3704b8a8856f1cda0f71ce99ee9664748331dea7915e7491918e7458c5e99fe6f92bb7cb0f0a3365ff8e9b9d920d35f2ad7c74c692df41775ec335f507254af6 |
C:\VidT2\optixec.exe
| MD5 | eb2c88a88106054717f4ca7714d1d1a6 |
| SHA1 | d966b53c1c3405f0064a963380548af1f6ff4b10 |
| SHA256 | a45804ed5ab85df12b20e083fb915d8088099cf81e6bf03c571571a68df1d3bc |
| SHA512 | f3ac637c12ec7870540e88eb7d85297de70eaa220b8e4c208980600fd20db55ccabbf2cb7d463c33f15824b80d2eae9fd3f092ddf9b94f1360d515c5622fdc3f |