Analysis Overview
SHA256
5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681
Threat Level: Shows suspicious behavior
The file 5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:29
Reported
2024-11-13 15:31
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
93s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\UserDotJH\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJH\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxOA\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotJH\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe
"C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\UserDotJH\aoptiec.exe
C:\UserDotJH\aoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotJH\aoptiec.exe
C:\UserDotJH\aoptiec.exe
C:\GalaxOA\bodaloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxOA\bodaloc.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:29
Reported
2024-11-13 15:31
Platform
win7-20240729-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\UserDot2Q\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2Q\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUW\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot2Q\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe
"C:\Users\Admin\AppData\Local\Temp\5ec0d69534e4f0fd920862013d1518306b064fcd50f65667fcdc9167b136f681.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\UserDot2Q\adobsys.exe
C:\UserDot2Q\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDot2Q\adobsys.exe
C:\MintUW\bodaloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintUW\bodaloc.exe