Analysis Overview
SHA256
3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2
Threat Level: Shows suspicious behavior
The file 3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:42
Reported
2024-11-13 18:44
Platform
win7-20241023-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\UserDotAV\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAV\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKH\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotAV\xdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe
"C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\UserDotAV\xdobsys.exe
C:\UserDotAV\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 37579eeb733a5ed7b931cebe423454d7 |
| SHA1 | bc60ce7f93a2d538f0e847bb8a1e1ed82a7f4ff3 |
| SHA256 | 5e814a1329795df654360d9a0fe9c00a6dc005b9d69f730a1b9d7f4bb6524e7a |
| SHA512 | 0209c6e3e4715778240937b15a27fe8062514fb907dee8bd93d7aaa203543076b4c784e0aa91a1011a6c96a595d095e2ee7b9b147b614f1ea26ede494d74fb29 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 91e76139b1f42e250748ecce2e7bf0c4 |
| SHA1 | 6cdc15501efd6035dd08a0ba7899a7c6fcda9036 |
| SHA256 | 71bfcbfeddb0c33607f33ab8a8f5a3b83d90c1e8d1dab8a6e5077b9022288552 |
| SHA512 | 25698e1e2e9362c5e11aff31a3e18d327efeac30fa466a1f6c34df4696ba6a43efc32a8fa98bffb6828d795018b738cbc9138ae53c51eeff6f23d862756518b6 |
C:\UserDotAV\xdobsys.exe
| MD5 | 67dcb643d7150daa6275ca0016efdf0d |
| SHA1 | b1c2ebe5f1c8f3e554b6c8a9e16f95b46855e67d |
| SHA256 | 78d9f588689a664575e13958e6a373030ff9627a1ea7248cdecc5d80bb1f3b05 |
| SHA512 | 674b1b68b3344fbc5941683e59c9d05589b52c2725abfa05046e31e7458e22719ccd54d772bbb43a279544076e7c895ee710f1d3d9c7ad054ad1ebd870add317 |
C:\GalaxKH\bodxec.exe
| MD5 | 75ff66a2cbc5b6aba8f57b89c65c9bd0 |
| SHA1 | c8ab47bb6928c2180065a65a83d45de1a3331c7c |
| SHA256 | 476813858ac27f1e1935361607f3d9dd1c71a8126e6ff5f6deedc25ed443c206 |
| SHA512 | 4ad80abf9b91db86b9777be7eb70a705e66fc1b90ef5ccae6c731e108550b64094c2061fcdb55bda8ee3030888924d1457accef93a12ac09b25c2dd0c76bed4c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | fe30686136b0fd0c6e77c51aa8465603 |
| SHA1 | bf4c4ca5ea4315252700b0e440417ede51cf0c6b |
| SHA256 | 1b4a05d25b06e99a19254de10d565f86d10454f5acb1fe159bcc644c1a7b1b62 |
| SHA512 | 66b3c7453edce9ec0948542be29d74fa674b51b157694b06193d240076dbec4939e987f0eb026ea414873a9e86c9092e0d10aa304755c20364fccfe7b7712586 |
C:\GalaxKH\bodxec.exe
| MD5 | 0cfa41f34fbdaed7e5f02bb3a1d17dfd |
| SHA1 | 0d70db017c300d843d7b9c30a0b5def004598c4f |
| SHA256 | 3a0f9646efb35206e60fc69b8d624348e9da89552a5dc065d91e36c1a90345df |
| SHA512 | 5a12f6a4c9c808e76795f54093946adcff8b68f517e28d0e12bb54d6469634b54e5d2c6a08d6666baa145b64ab0e899d67635ebd46d1c00aec6979608c63172c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 18:42
Reported
2024-11-13 18:44
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\AdobeYI\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeYI\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxUX\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeYI\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe
"C:\Users\Admin\AppData\Local\Temp\3549b269297fbb1248e635886d4d3928634cc6fe39919683e79c2f5e850136b2N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\AdobeYI\adobsys.exe
C:\AdobeYI\adobsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| MD5 | 954912f8e10f372620ff3bed8ab9fd95 |
| SHA1 | df39b989136666ac27d6385202237c3e39b62a1e |
| SHA256 | bdfa6c39c2a49697ed1cbbcf6b8c3c7ca0262d98ee9c5efc308fbc569dd3d35a |
| SHA512 | 9a6dde968794756a6369e5b295c8d5694ba9dbc61304cb0070150fa201b2b4bc437620e949f74ef1279e663dcb8aa3c717682e7823f0c47272f962897d036c1b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ddd2b10a801d372777871bec50651938 |
| SHA1 | 01a53ae378e5598b8597fb7e7cb74de2112139ab |
| SHA256 | cd79ff5dbc003fada298a1945f2ef4ef5f116914d35fbc2a3e176cae7634bf42 |
| SHA512 | 877d5db152870802bc9a73fc6f467f6b7d766828dbec1fc0cddfedde93a5166535bdc6e71993c4a1bcb6eff66c3bd2be44820faa5131b60036f30abf3112dc2b |
C:\AdobeYI\adobsys.exe
| MD5 | 94495246522215eb732aecb6235cbb21 |
| SHA1 | 30e7b8788e43d010946a89183ae5eb4b9fdbc2a1 |
| SHA256 | fc01034b53e797335195aca0f3b5c260bbd324d6dc9afb59d3d42ec0bd50ba27 |
| SHA512 | 71647aa374999a54b687be46ea18f48a8f6ac0374b68e20a73c6aaf4d422ce91147cec4745cf519b3d045de4b0e938ab2caff4b0e7522c10ca033ba3949f2fbd |
C:\AdobeYI\adobsys.exe
| MD5 | c99abffa7d6148a6ed6d0aa67a61ed42 |
| SHA1 | 4d0d5115003b678eab102c1d70687694e64cb41a |
| SHA256 | 94cb006e93f93b79b8a020f538b3d78cc785f61c4eb4badde5da91a990b1e5eb |
| SHA512 | 4381c12dec79f7804e014bdf53199488657a5236596b63101af2b234aee6e9fb3526c26edbc152182d65ec001410522123afadb5a33c0f41c37643c0f3528ec9 |
C:\GalaxUX\boddevsys.exe
| MD5 | 2e3144c95cc804327728fa46bd589aa0 |
| SHA1 | 511e229aa04755264ceb8260dd2163625fb02e06 |
| SHA256 | 34898f02a707de63661fe68dc3e839f661d68dfa04e83e576c0d7bfc6f56707f |
| SHA512 | 397593fa15d8239ee4c03e865aa2843f12dbc2dc050008ecfe27b378c69c79ccbfa05c40973f7b2123dddaca7aef08222a563f3d83027c62bd0b078617253fcd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 35cb595ff132c2620534fe2d0f922403 |
| SHA1 | 92557fe2e37c4f4235950280de0839e24ad5efe5 |
| SHA256 | 8b01800fcd266baf75449dda633816e6394ee492e4169fd0515d80e841a81066 |
| SHA512 | f0a79fddb91f24e6ca71d8c41bd9a97bc2919f06b26c2c3368ad8dcdcdd6d1d50d1427816ff2e0fc2f62c095b2005d1305810edc15dfbc9d9f1182c4eba78bc9 |
C:\GalaxUX\boddevsys.exe
| MD5 | 56518b598864d568ba0ce722a7b19778 |
| SHA1 | 9e9b860df4ccff48c850c44421407dbeb1fc578c |
| SHA256 | 372f3bfd95c188d274ae48281973fa66c21bb906fa48dd890fe59571d84bcfc1 |
| SHA512 | f0acddcd21d0c8ac76c9f2ac55458c112773024585985f4aadfda3ab779ba05d310878537b2a8c83c729ee3bee6a2aa72faf81466611568cd5f6569de987f943 |