Analysis Overview
SHA256
9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0e
Threat Level: Shows suspicious behavior
The file 9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe was classified as "Shows suspicious behavior".
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:19
Reported
2024-11-13 19:21
Platform
win7-20241023-en
Max time kernel
119s
Max time network
111s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locadob.exe | N/A |
| N/A | N/A | C:\FilesWN\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWN\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxM8\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesWN\xdobsys.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe
"C:\Users\Admin\AppData\Local\Temp\9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe"
C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locadob.exe
C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locadob.exe
C:\FilesWN\xdobsys.exe
C:\FilesWN\xdobsys.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
C:\Windows\SysWOW64\ipconfig.exe
ipconfig
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -a
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
Files
\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locadob.exe
| MD5 | c3c85b05c3f3822a6532c039af2f08f9 |
| SHA1 | def669da36baef95762e5b06ee38e30699c40801 |
| SHA256 | a0790a514adc2ce75b3deb3a32b7ecaa63a46cb36991ca2f460cbf36f47c4160 |
| SHA512 | 00cdc1522f2e3b8a008c7d6458595a097ba21766d3272617d2566ec64a02a1967f7ca5e077e415ae4c3d925e2c2a3f7cb0b7bd518121fcbf9e6987b64b374889 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e3d9c7527cbe1ec3d2d69c2d3b474d38 |
| SHA1 | 830602fc6dcd997529074ebd66a2aa7c0f1f4af8 |
| SHA256 | 86385bf3938dd6f2be3e2a4a9d34e359b33d1944030dfeb115c32ae8544f1540 |
| SHA512 | a888d006377a1386cb6f46ef17ddaa6a81d38b914677197a6288c15bd7b3715c6f0f15ccc5884453cc936d16f04375eca52974faf9eaab279f4f6a4c33a3781e |
C:\FilesWN\xdobsys.exe
| MD5 | bf3ac98431a540ec72301b47b6d3349d |
| SHA1 | f3bfdb9c800f5718924fb12aeaa0ff2d1ea9ddde |
| SHA256 | 46eb5b331b3d0012e64f2f6657f1141aaa1ae952f2f360800ee3f8c8ba7779ab |
| SHA512 | c773d4892dfcee21d0a1e1bc8c720c14cd28bc56e034dc7d76919598d2ddea3b80618976c876612aee5f6cb40757504961f10931b9f0740111aa6d3222dd3a0b |
C:\GalaxM8\bodxloc.exe
| MD5 | e085e017eb8cb3be54196ad9788f5f1e |
| SHA1 | 1cf74e46e1fdd9ac2e5f89c5bb2608b724b85228 |
| SHA256 | d08fcedae87d1d9279978f9c79d760be854a3feed5c160347c8e40acde520703 |
| SHA512 | 150d0eab4d5aa33253dba7277c126e233e258e1affbf5b1cb094c143e827b0fa373d9d2da236ab33c7197ade152894ff002a6a368b246e8db084d06acbe39ad6 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8db50674f4009e8b2e09a08ae426f5cb |
| SHA1 | 38a6b12342063b186b1d218087e21edc67edf9cf |
| SHA256 | a45ec31ef109e110c97b9a4d3eb1e1c8b775000403db375ed18e5f4042767b96 |
| SHA512 | 1a4ebb44fb8e97310327e45399f1d1a55da97dc9c4cd33cbd6f3634b2f2102b581937650903070ebe12e01979f30d924ed052f8ce537f5720e29e8a846db18e3 |
C:\GalaxM8\bodxloc.exe
| MD5 | ac8996fce5fbcf730678980b1f572ca5 |
| SHA1 | 1bb5caa9d9251af34e7d3105fad2a70939995321 |
| SHA256 | 8c11466fe71772cfc433faf4ab28f2a28a017c55cb8be6ac667b9b0c08ab3b34 |
| SHA512 | 302fe235f2c92163c8760ee56fc50a3fcdd2c931e98ec63df97c643dc7adcc577c4be15cb22ccf66f786e6617acadbe52cf86a6f58708737ec255602d699c16d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:19
Reported
2024-11-13 19:21
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
114s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locadob.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locadob.exe | N/A |
| N/A | N/A | C:\AdobeDO\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDO\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxSM\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeDO\devbodec.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe
"C:\Users\Admin\AppData\Local\Temp\9f94d0caadfe16cb5453b297a9083499800f6c995d2ab614753579ba1c376d0eN.exe"
C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locadob.exe
C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locadob.exe
C:\AdobeDO\devbodec.exe
C:\AdobeDO\devbodec.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig > C:\Users\Admin\ipconfig.txt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netstat -a > C:\Users\Admin\netstat.txt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c dir C:\*.txt /b /s >> C:\Users\Admin\grubb.list
C:\Windows\SysWOW64\ipconfig.exe
ipconfig
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -a
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin_DssGdwd_Urdplqj_Plfurvriw_Zlqgrzv_Vwduw#Phqx_Surjudpv_Vwduwxs_locadob.exe
| MD5 | 6f8906798843559531d401cbcb49fa70 |
| SHA1 | c1b25704dda871ef85ae5856f43173c5fe330d2e |
| SHA256 | 44b33a1ca97ca480a9bffc659a4580e9358a8c8ca24f6818c76bba703728db24 |
| SHA512 | fc5a551fe2042ce19db64a32b9d042e4e928e6f5ab8c62df025376ce8b56914079091c045fefbed1ed6135acb4ffb6e843112ded1922c0a583e31ba6fcf0cd83 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 20e181b8f6f6857b63acc61c8b733959 |
| SHA1 | 7b1eb2600cf094d347ce67861e6fe500137dd021 |
| SHA256 | d24ff4d690f3bf6faed84fcf4d1132ebf105e12c411979d8e760471431d4e857 |
| SHA512 | 79b30e1fcb9d4565db1b8c210c07e1aec76beb548d3975588eb1e5ebb1d526f3d5be0d09eb4a7eb243ea51f81dadb8a5f471a73a3bffb6e8e4f181d80bb7dd0f |
C:\AdobeDO\devbodec.exe
| MD5 | 0475df982a0869a367202f5f770a1e54 |
| SHA1 | b01828d9d319494b2abdc34dd7a4c41812a81e3e |
| SHA256 | e2819c480960fed89d80c69cbeb06b9c0a31cebeef3016843cc3386b3c71d161 |
| SHA512 | 70f61dbeeda55a92b28a0833f35fe089375129e936e50b3f646420e4851911c1d1f2d6c332b6938de5f66f950c04190aad5060064ed72c734d0d941806b7f5ae |
C:\AdobeDO\devbodec.exe
| MD5 | f103cbeffdb251f29194162c2f66df4e |
| SHA1 | 25ec7198e1ce4f1b518af5336781c3f0638ea525 |
| SHA256 | 0c17a98620aa515c9f7679e26e6ea251e78cc2e5fd4f043f16348fa9f2373d31 |
| SHA512 | 7bbeb20d0fa36cd69f6d49b303c917e12d830554a67ae35a3c671516270ecfa274a7c832a3ee0f9471f7d31bd03e1c8b5a79feab0d438fec8bd6017a32052be7 |
C:\GalaxSM\optidevloc.exe
| MD5 | 3d53883b80eb86095a7f793bd4a1d06d |
| SHA1 | 27e81162fab832ac98c4ec1a520f27fb3472cd43 |
| SHA256 | 07b7af1a43b3e02b3c948dfd70e07a09729b72694a024e727caf54f23e32dc69 |
| SHA512 | 861a35c12bff65dd3376900612bde5b7b31fe0f92e5ae58b58f3407f201b284f9584f53a131aabffb6df091809e519e44cbf21c4108f9e67de05c54979036ff0 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 725f5845c0bb62b7e08e46488a4b0c2a |
| SHA1 | 050edf37e1977a50df88b5e2f6ce5e5b83ec0274 |
| SHA256 | dc33ff3044e4df684977a48b31b3fce613654ae2e86009b222ba219e8bb67056 |
| SHA512 | 814bb28f82d43abc87258acb936c6b8cf1a27d465601747429d8378676502eb25ebb45647e07a61603422d2bb800a6c161408b6523be15a72eb5fa7a9e59f1b8 |
C:\GalaxSM\optidevloc.exe
| MD5 | acb7e39b256044496d6e866cea34563b |
| SHA1 | bf4de5cb1acdaf2f1bf58a995da1cd1244367d09 |
| SHA256 | 1fd93cc951542c809c2d8ecc1af07e1944290956f806b1aed4e250a1927bd739 |
| SHA512 | c7eb70c3d8b69a8dd570604bad7244add572f1f2c4b5311ee8a624afc628b382c77d306d22f42f4932a60b725261a5be26be432f7533218a49b0de9a0edec194 |