Analysis Overview
SHA256
bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32
Threat Level: Shows suspicious behavior
The file bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe received the verdict: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:38
Reported
2024-11-13 15:40
Platform
win7-20241010-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvV1\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCI\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvV1\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvV1\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe
"C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\SysDrvV1\xdobloc.exe
C:\SysDrvV1\xdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvV1\xdobloc.exe
C:\GalaxCI\boddevsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\GalaxCI\boddevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:38
Reported
2024-11-13 15:40
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocHN\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxK3\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHN\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocHN\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe
"C:\Users\Admin\AppData\Local\Temp\bef61ba3aea7b6d81b30fdc7784d3f6f2c5581fbcc2078faec18a2035df94b32.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\IntelprocHN\xdobec.exe
C:\IntelprocHN\xdobec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocHN\xdobec.exe
C:\GalaxK3\dobxsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxK3\dobxsys.exe