Analysis Overview
SHA256
5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a
Threat Level: Shows suspicious behavior
The file 5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 22:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 22:13
Reported
2024-06-03 22:15
Platform
win7-20240215-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\UserDotS9\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotS9\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP6\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2352 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe | C:\UserDotS9\xdobloc.exe |
| PID 2352 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe | C:\UserDotS9\xdobloc.exe |
| PID 2352 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe | C:\UserDotS9\xdobloc.exe |
| PID 2352 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe | C:\UserDotS9\xdobloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe
"C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe"
C:\UserDotS9\xdobloc.exe
C:\UserDotS9\xdobloc.exe
Network
Files
\UserDotS9\xdobloc.exe
| MD5 | 8392c308381c5ac276f3006ba7f3dd63 |
| SHA1 | 2534fe16e8eb8e39806d8066b9aa9fe3e88b7849 |
| SHA256 | 13e30a92115df964b1de2110d5d2525715d8905ee8bdfb5736f941b108ab5a04 |
| SHA512 | 80a6750f526331cb3174997d6b59ea53b4f7953154b3b108eff39cd166abd9857ab73172f29be0960ddf95210ff7e06bdcf794be61cc1be971c5de269b9f0479 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5c0e6bafda659ac74a0e1a0cd5c1a10e |
| SHA1 | cfc2af8eea06d68de98da895f77dade3bb02f63e |
| SHA256 | 3003bc718e573a3a6576444d7eb44d8634c3b5ca3061a223f898e0ebdd3b6b59 |
| SHA512 | d35f1864e6ab200f4f63f05558e6a2abc8f7f9fda3a184150dc578bce43c2b06e1f4282081f6ba9a233b426ffecea1c5bed05f9db4f3ce55a4b758126bbf9ae2 |
C:\MintP6\boddevsys.exe
| MD5 | f6dd1a574e5774f1e1c35d1d3d7366e9 |
| SHA1 | b168d8451423c252356a7d0f90f6a631d85e7c4a |
| SHA256 | f42b43c72941045b8a5b41c51217bb3368b25eed88468b9c841a6b8f72e1bc59 |
| SHA512 | 810efb09020922e0a423e8b8a772803838cd5ee5bd67671d1ec5276e54b71709e0a1d1e326e46f0d235769f1478cbd77cca33536fe43c0bcd5c7b43217d34070 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 22:13
Reported
2024-06-03 22:16
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\SysDrv1F\xbodloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv1F\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFZ\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1184 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe | C:\SysDrv1F\xbodloc.exe |
| PID 1184 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe | C:\SysDrv1F\xbodloc.exe |
| PID 1184 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe | C:\SysDrv1F\xbodloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe
"C:\Users\Admin\AppData\Local\Temp\5fe0fdfde32e324892bff48db871cf54c6a429a23a7445ccb72defe82ed0284a.exe"
C:\SysDrv1F\xbodloc.exe
C:\SysDrv1F\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\SysDrv1F\xbodloc.exe
| MD5 | 89ab5fe38d8ff3aa3f6bd14778288850 |
| SHA1 | 111d1fb8921d35ab1227c7d64cb90f91b00fc229 |
| SHA256 | dcb9ea9b8a74868321c4ec9f4f46ae1fb824fa9541f872fbf40e9ebe72e2fbd0 |
| SHA512 | 6e49e375487c6b1eada6fc0947ac836ec0b295d6168ddf4da46ced101a889d208e3158c38a57c46c05c0e8c02b6e9241d216bf24afcd1f7b2d2664248b725597 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | db8e8bdbd644aeacfc750d0dbc9b9143 |
| SHA1 | 3bf0a39954c6e2f34b1758f33799f474b835c6f0 |
| SHA256 | 814d54cd6070dbef95c938f1ba9cb7f95eec6b4276ddd0c7a9e744282f30de35 |
| SHA512 | 72a1bed8c4b86a6de8f75bf4a36acc36c3516b56c67dee03a0851000867a176198ed9a6f2f29682518be41fb1af3e81fb90d4062ac31735701823e39a1e5938b |
C:\MintFZ\bodaec.exe
| MD5 | 287eb9f7797d186bdc9d114bf93cae98 |
| SHA1 | 78fcfdb68cdbfc68a0ad809109a604f166faf015 |
| SHA256 | 24586113668ba65d5f5c820a4ff6c54e7f3bf7358144f4f04f304de81f97c766 |
| SHA512 | 03cc76a15dc43dd7a94690c1f17680b50cf47c5fc54085fef823fe0b971fbfe600f157b7192247bf949375da512d55fd35c74146adaabb3ac1d896bc440e00e2 |
C:\MintFZ\bodaec.exe
| MD5 | 6affc87a865383c0b1bb63c6a2602785 |
| SHA1 | b08372b19068581037459c347f57c6c7f09645c7 |
| SHA256 | b8b074b1fce9f8884daaa838bed195d47ad22d05cf3cdff6ac938989dc619d16 |
| SHA512 | 60480ed45cec284819559c1573d7a3c7fdf4a0909388a92d52d479504e2dc7365ad8a3697f34c13a42d1c61c59e0f25a3279ad073dd5950d4514fc7451d3a3b8 |