Analysis Overview
SHA256: 3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2
Threat Level: Shows suspicious behavior
The file 3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-01 20:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-01 20:04
Reported: 2024-06-01 20:07
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Files7C\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7C\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6M\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1968 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | C:\Files7C\xdobec.exe |
| PID 1968 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | C:\Files7C\xdobec.exe |
| PID 1968 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | C:\Files7C\xdobec.exe |
| PID 1968 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | C:\Files7C\xdobec.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | "C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe" |
| C:\Files7C\xdobec.exe | C:\Files7C\xdobec.exe |
Network
Files
\Files7C\xdobec.exe
| MD5 | de4ebf75add1a563796a0bfda7a95503 |
| SHA1 | 6d7ed1aec906a441f57bc632055b66d1323bf7c1 |
| SHA256 | db34d83dbcb66d9c202e7bdbdc8a6d58ede954313517d8daab2a808343a006e0 |
| SHA512 | d94a2dc012193dd7edff3a21b9cb7da6ec756f25fee9b96f5c619111ed01e80868d8a34cc8b9c669c5f49f1652a1872f99ccd2f431a32ad01eebfb88c048cc3b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 47bc572958782ccb9979d7ad76cf9bad |
| SHA1 | 6b375bec75185fbc43aa352342c3ed449a2e8902 |
| SHA256 | c366451f3adb2753774967f07d9b2c801286c1b155c7a9c7af5ec85cdf8a2fb6 |
| SHA512 | 9e2df2bd4272e7f6801dff0c167336236302d2a950629e3960594e840abfe352b7ab0b80649c720edbc32c388f23a90d9a2781c0d17b1a8e1ebfc64e464351ba |
C:\Vid6M\dobxsys.exe
| MD5 | a055f170ea033e816e9a46040cd2fa9d |
| SHA1 | 10994bd460a76dd131195e9b2253cb9500060743 |
| SHA256 | ce44bcbb2d98b17ff3e106e2a0d7a0cc35dd87128e9a127ee207772a2b8d178a |
| SHA512 | 9c817dec06bc664880f7fd0bb0cb65a729e259fc5ac842ca9c091d95f9c0e7ddfa75c68c0207b5a32b76f26de5fef35cb8be3ce8169a501e4c91154eb45e0afa |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-01 20:04
Reported: 2024-06-01 20:07
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\FilesFD\xbodloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFD\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4D\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4044 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | C:\FilesFD\xbodloc.exe |
| PID 4044 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | C:\FilesFD\xbodloc.exe |
| PID 4044 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | C:\FilesFD\xbodloc.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe | "C:\Users\Admin\AppData\Local\Temp\3323e29080a682b8e2cd2f3cbef3a89f54b32cdb1f6fa0e14fc4cebf7dd22cc2.exe" |
| C:\FilesFD\xbodloc.exe | C:\FilesFD\xbodloc.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\FilesFD\xbodloc.exe
| MD5 | 72e6ee6b88241d137540b68ae43b1b58 |
| SHA1 | 2660c8322f710cb2d1d9e60ffd02f9b2b8a96322 |
| SHA256 | 6367b10756cdb77ca78171e00c79a0fb1bda7cb9b012a18357f840da7abdb4d0 |
| SHA512 | 4f1f70aaaff162f5fa677236f0232072f09046e08e754b01aabb2d98ff1afc720ce793b87e8227f92014ead36389a7dc6731b3fa29c92d0e41a007b163176730 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 88f600249e32e442152f6fc726b82253 |
| SHA1 | a8e8e57b7367d1fbee095cbcd169481c85f3a0f3 |
| SHA256 | 2840f477c8128d3329fd411f47b5567d943203a4b7a23ba9dcf2b6fa19e6ddfe |
| SHA512 | 3bb8368ae96e4737793ad3d31ecaaff18e2d4590eb8f9cd9cfcd8d5d97230e8f4bfd618403a8b6af87c5fc003e5686f3b7e1c6ae4c24c1d023fb16b1964040e6 |
C:\LabZ4D\bodasys.exe
| MD5 | cc51b3b7d209610f7a21f92f3b22e1e3 |
| SHA1 | d340f9fa1dce87346279c88d1951a44ae8a2a3ce |
| SHA256 | 6ae2d32ade74ce7d12c65077d60081010e1011e8a3aff6f70b42144fbb283a2b |
| SHA512 | ee53bfc3287b9521ed72436ef4f8f763ec3d288c178bdedb22629440b3472ab7431c47027b83dc1dadb9c434f80a356aab24a536824210f7f94672b2946cd921 |