Analysis Overview
SHA256
1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9f
Threat Level: Shows suspicious behavior
The file 1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:04
Reported
2024-11-13 15:06
Platform
win7-20241010-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\FilesGX\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxN1\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGX\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesGX\devoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe
"C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\FilesGX\devoptisys.exe
C:\FilesGX\devoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesGX\devoptisys.exe
C:\GalaxN1\dobaec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:04
Reported
2024-11-13 15:06
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\AdobeN4\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeN4\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJ1\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeN4\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe
"C:\Users\Admin\AppData\Local\Temp\1b23c648951714822f3923017953e08459e3aa10c1300060881e866348731c9fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\AdobeN4\devbodec.exe
C:\AdobeN4\devbodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeN4\devbodec.exe
C:\KaVBJ1\bodaec.exe