Analysis Overview
SHA256
3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130
Threat Level: Shows suspicious behavior
The file 3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:16
Reported
2024-11-13 14:18
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\UserDot6R\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6R\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIN\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot6R\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
"C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\UserDot6R\devbodloc.exe
C:\UserDot6R\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | 7d9750054f64e1f72f58aea970b712b0 |
| SHA1 | 1174d5c52e457834a6cad1522a714bcab1245d5f |
| SHA256 | 5af8e7af584d36c4a7b841f32428e83539008140aad0e5af10c2311cbcd758f5 |
| SHA512 | d089e014c20d8ed1edc615854cfd1475131059e1508d5a508dbc23d335363d222c7a7e9cccc9ec01417e6c838954989aade712a9675c7736caf2b7272ffa0906 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 62f3c5d569b3d35a5dad1c79887165a4 |
| SHA1 | b5b95e8f64794d6b19dc3260adf6f0aad05aedbc |
| SHA256 | d7d50f02b8d873e56b25af5ed21ff198c107c3167d4c85712b7f5916a46a72cd |
| SHA512 | 142702403a175a65a674413f7c3263f699d67fd2f37d1575b4914e7ea7e68a5a7ca0ff9a8542f6bd0a53a1a6a711d9ab2843db150c560c351dad3c04409e5c0b |
C:\UserDot6R\devbodloc.exe
| MD5 | c443e1f50796bf14b7888622b1266cf9 |
| SHA1 | 2f473d989f134edf868c9b660e6687bc71cf3a54 |
| SHA256 | 0f4d59d4ce749c923bfcc83ceadfc7f14d9eb74f4665834e5adc596c406f1393 |
| SHA512 | 7a2c295bfa8a8d31f2ba8c510cccc9f88fbc8b634c9f5d6b4da2b04f2840a98924c3a48c2f90cdfd05405ea1ba5c3f6d7ea4f304726d3880a4a3ff343d36b1dd |
C:\GalaxIN\optixloc.exe
| MD5 | 461735ec337ef851d251acd66cf9098a |
| SHA1 | 2028ed86cc9ac77dc4d70636f56138a50cf3cab3 |
| SHA256 | faa4d3aa5d00b32f9b3c36d0e5b298fccd52b464d3402ade1c90e527b9c0cc45 |
| SHA512 | 034d4179fd475cd43d71613d780bb55a1fb169a203cc26fb715f7d930c7628beb7e68ab32a1c80d8deda12f65285def623240120427a7b5f96b92ac619762fe8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e30433dc3e02c459bf4ea83f545b46ad |
| SHA1 | bd80a5c9d507d114760d128b03766897b1c6be40 |
| SHA256 | 9a86ae7ac5b712d915e2903b74bc48854f37691b425184faa4a25bd9585cf74b |
| SHA512 | 44da8e4d6ce0616680d2d5840d240180f4ee856d488d16134b7634069346e6b95d8fb2d1341dcffbdb2245a7c557b73790db3b58679ce8310d0e93b0dd2f6864 |
C:\GalaxIN\optixloc.exe
| MD5 | a03ec0745cbbf87b4b1c84d0d3384a5c |
| SHA1 | 5c230b4983a27b6c5ddbfe993dfec24a14a9d7ae |
| SHA256 | 19911e8025e3ab466c27a76521992e79a0f28ac56ff0089bcb31da397b748c7c |
| SHA512 | 3e3ba0e4f25e040df3b58871a30c9db170a8ea87bd600d68c226401fe8bc664896a3ddeda52fc04473c805f16a4a108d2af2de2a05965a9f2f99a7a769b85e0f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:16
Reported
2024-11-13 14:18
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\SysDrvZ9\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZ9\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQ9\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvZ9\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe
"C:\Users\Admin\AppData\Local\Temp\3585578ac64e22033aea905353cdf469cdd8cd25f47e9c2085084d136ec55130.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\SysDrvZ9\xbodloc.exe
C:\SysDrvZ9\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | dd99effe4f763bebf5a402d2f3ca3d65 |
| SHA1 | 4bd47b638a9848d80b659794adeb9173afcafc47 |
| SHA256 | 5dba993c81a00f6220274ec8e61152a885bd322609387b75a1b6aa93bb17b383 |
| SHA512 | 678bf8d66a1baf9c10bafd858f5df864fce7d7e79ce0ff3dd96b28550273e28bdf1c398e94dc3222335434cb0fad141eb0f92ac2fe234cc9089b3336605e1ef5 |
C:\SysDrvZ9\xbodloc.exe
| MD5 | fab7e8ba1518ad553c00708f73275d08 |
| SHA1 | db79cde3d7365db375a65286b79a16654ec7efd1 |
| SHA256 | f88a0b4ba1b20b675e41d68866eaa93b240d87203d2ae29c98e8fb5d6e409e5d |
| SHA512 | d602365b1f6967975e75ec19243a6677e6171d582efdf86a46d203b7c742b19bcc2810a82b6738a07413e655762409f07c9ab036f89f5043b21ec713b1ba7039 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e9f556a7ab853d509f05cdc1263eb710 |
| SHA1 | 2f7319899ec343b6727d383e942750713978a842 |
| SHA256 | ad19bff9c0a53d6f657196ba5d2800bf425690a9e4320940bf416cb23604cdc3 |
| SHA512 | 29e950cc33fdf6fea3d2d7e49e3e08af63fe1ae7b7777ce651d0f85a19c9d5249e55f8101ae54e2b6550aa7ba002aa334dfab4eeecfa1bf12607b2f1d8cb6bac |
C:\MintQ9\dobasys.exe
| MD5 | 3107458fd031850370404c1d8bab33d1 |
| SHA1 | ce4d7f86f61c51e7219462f8845be862cda5f6a5 |
| SHA256 | b8d0c770647faac8a65dcb5198895cbea0c3e813ab98894850bc061d9b271f91 |
| SHA512 | 30d13268328564753ebb63dbfe0ec16e927231cd688cf8152c7c0b7ec72caf4ccd9f539f2b481a733b2414c5eda2b6786c37a7b39ade66c2a4f13e7973d58de6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 696c17df5ba6348d3ddd91b557d35f89 |
| SHA1 | 76eacbc5123f2009e5fc44a29513a80eb3f7d2e7 |
| SHA256 | bd2ddb42c9e51f52be6bbe7eceae0daf73175fd64c64e837f810d6adb1b33bb3 |
| SHA512 | 0c9de3cd1cd0b4c6a60e5548d018a0953b16202c6fb6f79dfd1c1333e9795e7de7b4bd76aabfdc7ff6cbb8676b1f36e481e15cd5a6f5a8e7aea9d7ce5ca8b1da |
C:\MintQ9\dobasys.exe
| MD5 | e68cebea682a898bfea701f6679dda96 |
| SHA1 | 7502a4fb2b83511185d0e36c4a1430aae6572365 |
| SHA256 | d1e0b2b21d28561491691d1cd318774c6bb989352de98e90ca4166e296f08626 |
| SHA512 | 64d05fe2c73085c5c9e2989c0b89996c7cb032232b4f5db95e42a33b98d93e78dac76bcdff21a1360c66977d2a69f26f32ff536bd03127f8fe8f6fba2081a4d9 |