Analysis Overview
SHA256
161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05a
Threat Level: Suspicious
The file 161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe was classified as showing suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:52
Reported
2024-11-13 15:54
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvNR\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNR\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxY0\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvNR\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe | "C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe" |
| C:\SysDrvNR\devoptiec.exe | C:\SysDrvNR\devoptiec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | d6360ad2dbeecf748877ed13c61126d8 |
| SHA1 | 32a1bd1e1f2c088be356d8f0f675a2cb363219e5 |
| SHA256 | 1b623efb023ad50867822ac9ad273d4411b7819ecf6ee48bb73f2a97ff97d481 |
| SHA512 | 8e8242b984c1c8a72868cdf6e60ec31774512910d5e95e57545ceeaf9275d61e69c051d7e5c1afd7783533d9d1ec2d4dc0f30bd1658b4f89447c0398c9c3916d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9b9e01ed726fc898202b8d00c805e7bb |
| SHA1 | 083b48d92329dee12b06dab713047ebeb2986b82 |
| SHA256 | 353812d8ffa782d3992ef852e771811d140bb683ef91c98326bd99737eec9a66 |
| SHA512 | 90a3df8786c57c602676676433aeca6ce8f1295ff4c87e6541f387cbcd04fec31a380a808554adee095a11c4d30582c720a1747768f91ec28f46d38e13a14b48 |
C:\SysDrvNR\devoptiec.exe
| MD5 | dda60a2050ec4778bf36010b69f7800e |
| SHA1 | 681dccbc6e0a299236e3c422e21aa318eb192275 |
| SHA256 | 98e6c63dbd90696743aab1f62476fc11c974ddd6b9401e7a2fc32904f912e181 |
| SHA512 | 18c482c5447a51400c08fcb6c79f78428fd7dec48e33de130642df6a8e78ce8bdfc0d92250df0563616112f14999c832ba7af8e14b6f1e37a38d1f90412f5702 |
C:\GalaxY0\bodxec.exe
| MD5 | 7b41954bee8856da62ef57345adc3522 |
| SHA1 | 11b72bcd158990287c7502b2d89a500dd528be97 |
| SHA256 | 53500f97f1743cdbbb8e20fbd873c559d502902c5b946a3bf45608d9862e2df2 |
| SHA512 | 6ca7be3c24637b2cebe059bfaf0b67d1447edda13807cc42ee42f4d621f67bc6378b464eaa122e4a1b1a0119b9d19e5ad9d40b4adfad582ede44ce86614f7c62 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b13d3a4eb37a0b5690191b186f86183c |
| SHA1 | e17ad49c63063a801bcfadfceba2e4cde0a5def2 |
| SHA256 | ba5c09fa577f469cab5855a1c038a3629d7d1ba3bd892d7694307569e0042bce |
| SHA512 | 93a7e26a56d1363ba44c66a5e084d1811c6f38e197ea1e19bb6eb90d34c95b260dd82b95a97f8eac250145abf1d1ab94be309ec9233b68b75a0035d0726a7c63 |
C:\GalaxY0\bodxec.exe
| MD5 | a609672490f2505fd37c41d82cd7c81a |
| SHA1 | 7ffe2c059c301a521ac4baf487416b423b193992 |
| SHA256 | 2eac90dbfea02d7d473d0589142b48396e2180defddc895d962bd6a1662ab865 |
| SHA512 | 3e26787e1893220bd3a7fa0cf16a3153603cf26310e011381b23bbef154a7920a4a4d255a3a98b2bb2039a9ea8fa0f3aeb1ce7378decbb52ae30a74c76ef91f6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:52
Reported
2024-11-13 15:54
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\UserDotIP\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotIP\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2K\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotIP\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
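Both detonations persist the same way: a copy of the sample is dropped into the per-user Startup folder, and Run plus RunOnce values, both named Parametr, are pointed at executables under freshly created top-level directories (C:\SysDrvNR and C:\GalaxY0 on win7, C:\UserDotIP and C:\KaVB2K on win10). The directory and file names change between the two runs; the value name, the Startup-folder drop and the writer running out of %TEMP% do not. The following Python is an added example, not part of the sandbox report, that turns those observations into hunting logic over constructed Sysmon-style event records (EventID 13 registry value set, EventID 11 file create) built from the indicators in the behavioral1 and behavioral2 tables above. The records themselves, the OneDrive and Word filler events, and the list of "expected" program directories are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed Sysmon-style records (EventID 13 = registry value set, EventID 11 =
# file create) modelled on the behavioral1 (win7) and behavioral2 (win10)
# indicators in the report. The OneDrive and Word records are benign filler so
# the logic has something to ignore. None of these records come from the sandbox.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe")
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
CV_WIN7 = r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion"
CV_WIN10 = r"HKU\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SAMPLE, "TargetObject": CV_WIN7 + r"\Run\Parametr",
     "Details": r"C:\SysDrvNR\devoptiec.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": CV_WIN7 + r"\RunOnce\Parametr",
     "Details": r"C:\GalaxY0\bodxec.exe"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP + r"\ecdevdob.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": CV_WIN10 + r"\Run\Parametr",
     "Details": r"C:\UserDotIP\aoptiloc.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": CV_WIN10 + r"\RunOnce\Parametr",
     "Details": r"C:\KaVB2K\bodasys.exe"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP + r"\sysxdob.exe"},
    # benign filler (constructed): a legitimate per-user autostart and a document save
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": CV_WIN10 + r"\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.docx"},
]

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
STARTUP_DROP = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|scr|bat|cmd|vbs|js|lnk)$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Assumed allowlist: where legitimately installed autostart targets normally live.
# Deliberately narrow; tune it per environment.
EXPECTED_HOME = re.compile(
    r"^[A-Z]:\\(Program Files( \(x86\))?|Windows|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK T1547.001, Registry Run Keys / Startup Folder
    kind: str        # "registry" or "startup_folder"
    image: str       # process that created the persistence entry
    indicator: str   # registry value path or dropped file path
    reason: str


def executable_of(command):
    """Return the program path from a Run-value command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_registry(ev):
    """Flag Run/RunOnce writes from a %TEMP% process or to a non-standard target."""
    m = AUTORUN_KEY.search(ev.get("TargetObject", ""))
    if not m:
        return None
    target = executable_of(ev.get("Details", ""))
    reasons = []
    if TEMP_DIR.search(ev["Image"]):
        reasons.append("written by a process running from %TEMP%")
    if not EXPECTED_HOME.match(target):
        reasons.append("target outside Program Files/Windows/AppData")
    if not reasons:
        return None
    reason = "%s\\%s -> %s: %s" % (m.group(1), m.group(2), target, "; ".join(reasons))
    return Finding("T1547.001", "registry", ev["Image"], ev["TargetObject"], reason)


def check_startup_folder(ev):
    """Flag any executable-type file created in a per-user Startup folder."""
    name = ev.get("TargetFilename", "")
    if not STARTUP_DROP.search(name):
        return None
    return Finding("T1547.001", "startup_folder", ev["Image"], name,
                   "executable dropped into per-user Startup folder")


def hunt(events):
    checks = {13: check_registry, 11: check_startup_folder}
    findings = []
    for ev in events:
        check = checks.get(ev["EventID"])
        f = check(ev) if check else None
        if f:
            findings.append(f)
    return findings


def layered_persistence(findings):
    """Images that used more than one persistence mechanism, as the sample did."""
    kinds = defaultdict(set)
    for f in findings:
        kinds[f.image].add(f.kind)
    return sorted(img for img, k in kinds.items() if len(k) > 1)


def value_names(findings):
    """Registry value names used; one that recurs across runs beats the randomised paths."""
    return Counter(f.indicator.rsplit("\\", 1)[1] for f in findings if f.kind == "registry")


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f.technique, f.kind, f.indicator, "|", f.reason)
    print("layered persistence:", layered_persistence(found))
    print("value names:", dict(value_names(found)))
```

Run it directly to print the six findings and the two roll-ups; on a real host, feed `hunt()` Sysmon or EDR events exported from the SIEM. The roll-ups are the point: a single process that both drops into Startup and writes Run and RunOnce, and a value name (Parametr) that is identical on two different OS builds while every path differs, are far more durable hunt keys than the file names or hashes in the tables.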
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe | "C:\Users\Admin\AppData\Local\Temp\161234b93aa4e7d05c17f6c2d92dcecd16564d7af8011c02d7fb2df17fbef05aN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe" |
| C:\UserDotIP\aoptiloc.exe | C:\UserDotIP\aoptiloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | dadfbab157075655df93a7260be88f5d |
| SHA1 | 0be615a1bfc7f19f5dd55af8af4ab85e0289b825 |
| SHA256 | d8ae2578a59d3fa5e6c8b392a383556b9908fac637fdf948a4ccb72ec670154a |
| SHA512 | b2746be192127492af8bb327a7515c2e71b7e60593f5bbd2a41cac6d711b7c119eaf10c12835d10c0f4807db63e99f73cbd405cd7cbddb565b593e253dcd8c3a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 69a183cff34416725afbc7d921438a47 |
| SHA1 | f9d1ef1277f79192dd16fb501ecde4a27f39f29d |
| SHA256 | 39151a714e0e211945e7915c76f29399d378472fae6bfd6daee304915ac63519 |
| SHA512 | 25bebb3b3adf2274379ed0d0ea1390e6506de25160e5091129691b168b4bf65602f3faaa0016cf2eb32e686c61b7882c2c0fae57386fe2485df5fa3f68c0dc4c |
C:\UserDotIP\aoptiloc.exe
| MD5 | a86336805b3d53c18600c251ef3cfa32 |
| SHA1 | 69594cfc6347aa438b9319dfca41704cf4607aa6 |
| SHA256 | 8f668b87e4832b3682e49e6eea02d09a2d52047043f9b41e1307714539fe88e5 |
| SHA512 | 2289aa68a1720b6b54b1913d01bb230aec97ab071f17ff538689c6b271251aa3ed7892701d4e16f229faf7c3ae3b844cdb8bcd576a87134fff3c03d46ec4bc93 |
C:\UserDotIP\aoptiloc.exe
| MD5 | 142aa92fe8c6c66972e832c95ccf3157 |
| SHA1 | e102f578e6e0d9f085aa5d70afc30eace7537358 |
| SHA256 | b88811e3c55bad771db07908b083c1eef148ce888f8d3740b3822c49f86d74d7 |
| SHA512 | daddcbafd7f49711c43a20664661bff877aa62b66f020bdc9702dd451238182a4560c997508682c8515ea524e5e655f1e35fb278e20427a4ff7ab5e5a7ef3172 |
C:\KaVB2K\bodasys.exe
| MD5 | 5d6fec17221ea7bb138d4977b1d09cf5 |
| SHA1 | 8ab21eda6a47139730993e524b856f2089649a19 |
| SHA256 | 11fafd1314b20424c1cec333acc4d5556c427c0575ad73badf632e7ecdcdea00 |
| SHA512 | af3d0df131c90aac2dfc08556f78959a079f8f02d584bbfe7086e36f60213d1d10cf9c7d5c6f3c3596b45ed68ec6a921cfaa22262405c98cf58503926ac849e4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 04feaa1d4f81483c9a2f5482753019af |
| SHA1 | e1c3a09f0480eeeb31de4ed99ffffc742431227c |
| SHA256 | 1382d4d1bf168cdff0146fc604ac88135c8014d3f41caa2aa4a6feca19a902a1 |
| SHA512 | 554815da60b126a8784ad2d042d5a9aab7e9678d5e2f6b79e0abfba213d2b465ea424c7bf7da1d53af004e0ed14d5a990cd851472dbbdf2d5eee38f2ae0870e6 |
C:\KaVB2K\bodasys.exe
| MD5 | 8ac3eb21594b1e6fe23599e072c80c31 |
| SHA1 | 78a80d40204bd361ea397effbb631fcdd124057a |
| SHA256 | beb361a3dc1bef137d8951ff39baa757f5fa3065fe99d66da4e5655a3d328c45 |
| SHA512 | 3757b56c940bf42c7f5cc699c350da1370ed21aac02eb367b0529424c079a67f18113b3bd3c35a3bc81f605fd81da53e05785152bc6b0143b1314ad7c4954d95 |
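The file tables of the two runs share a structure worth noting before turning them into indicators: the dropped executables carry different names in each run, no SHA-256 repeats between the win7 and win10 detonations, several paths (bodxec.exe, aoptiloc.exe, bodasys.exe and both .ini files) are written twice with different content within a single run, and each run leaves a file directly under the user profile whose name (253086396416_6.1_Admin.ini, 253086396416_10.0_Admin.ini) looks like a fixed numeric id followed by the OS version (6.1 for Windows 7, 10.0 for Windows 10) and the user name. That reading of the .ini name is an inference from the two names, not something the report states. The following Python is an added example, not from the report, that sweeps a directory tree with both kinds of indicator: exact SHA-256 matches taken from the tables above, and the profile .ini name pattern. The demo tree, its file contents and the stand-in digest are constructed so the example runs offline.

```python
import hashlib
import pathlib
import re
import tempfile
from dataclasses import dataclass

# SHA-256 values of the dropped executables from the behavioral1 (win7) and
# behavioral2 (win10) file tables. They only catch byte-identical copies; the
# .ini name pattern below survived the change of OS and file names, the hashes did not.
REPORT_SHA256 = {
    "1b623efb023ad50867822ac9ad273d4411b7819ecf6ee48bb73f2a97ff97d481",  # Startup\ecdevdob.exe
    "98e6c63dbd90696743aab1f62476fc11c974ddd6b9401e7a2fc32904f912e181",  # C:\SysDrvNR\devoptiec.exe
    "53500f97f1743cdbbb8e20fbd873c559d502902c5b946a3bf45608d9862e2df2",  # C:\GalaxY0\bodxec.exe
    "2eac90dbfea02d7d473d0589142b48396e2180defddc895d962bd6a1662ab865",  # C:\GalaxY0\bodxec.exe (rewritten)
    "d8ae2578a59d3fa5e6c8b392a383556b9908fac637fdf948a4ccb72ec670154a",  # Startup\sysxdob.exe
    "8f668b87e4832b3682e49e6eea02d09a2d52047043f9b41e1307714539fe88e5",  # C:\UserDotIP\aoptiloc.exe
    "b88811e3c55bad771db07908b083c1eef148ce888f8d3740b3822c49f86d74d7",  # C:\UserDotIP\aoptiloc.exe (rewritten)
    "11fafd1314b20424c1cec333acc4d5556c427c0575ad73badf632e7ecdcdea00",  # C:\KaVB2K\bodasys.exe
    "beb361a3dc1bef137d8951ff39baa757f5fa3065fe99d66da4e5655a3d328c45",  # C:\KaVB2K\bodasys.exe (rewritten)
}

# Assumed reading of "253086396416_6.1_Admin.ini": <numeric id>_<OS version>_<user>.ini,
# located directly in the user's profile directory.
PROFILE_INI = re.compile(r"^\d+_\d+\.\d+_.+\.ini$")


@dataclass(frozen=True)
class Match:
    path: str        # relative to the sweep root
    indicator: str   # "sha256" or "profile-ini-name"
    detail: str


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not get loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def in_profile_root(p):
    """True for <root>\\Users\\<name>\\<file>, where the sample's .ini was written."""
    return p.parent.parent.name.lower() == "users"


def sweep(root, hashes):
    """Walk root, reporting exact hash hits and profile-root .ini names."""
    root = pathlib.Path(root)
    matches = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        if PROFILE_INI.match(p.name) and in_profile_root(p):
            matches.append(Match(rel, "profile-ini-name", p.name))
        digest = sha256_file(p)
        if digest in hashes:
            matches.append(Match(rel, "sha256", digest))
    return matches


# Constructed stand-in content; it is not the sample and its digest is not in the report.
DROPPED_CONTENT = b"constructed stand-in for a dropped executable\n"


def build_demo_tree(root):
    """Lay out a small constructed profile tree: one hash hit, one name hit, two decoys."""
    profile = root / "Users" / "Admin"
    startup = profile / "AppData" / "Roaming" / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
    startup.mkdir(parents=True)
    (startup / "ecdevdob.exe").write_bytes(DROPPED_CONTENT)
    (profile / "253086396416_10.0_Admin.ini").write_text("constructed\n")
    (profile / "Documents").mkdir()
    (profile / "Documents" / "notes.txt").write_text("benign\n")
    (profile / "Documents" / "1_2.0_x.ini").write_text("benign\n")  # pattern matches, wrong location


def run_demo():
    """Build the constructed tree, sweep it, and return the matches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        build_demo_tree(root)
        # Add the stand-in's digest so the hash path of the sweep produces a hit.
        iocs = REPORT_SHA256 | {hashlib.sha256(DROPPED_CONTENT).hexdigest()}
        return sweep(root, iocs)


if __name__ == "__main__":
    for m in run_demo():
        print(m.indicator, m.path, m.detail)
```

Point `sweep()` at a mounted profile or a collected triage image and pass `REPORT_SHA256` on its own for a real host. Expect the hash set to be quiet unless the exact dropped bytes are present; the name pattern and the persistence entries from the signature tables are what will find other infections of the same family on machines the sandbox never saw.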