Analysis Overview
SHA256
60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c
Threat Level: Shows suspicious behavior
The file 60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 22:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 22:15
Reported
2024-06-03 22:18
Platform
win7-20240221-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\SysDrvQL\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQL\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidBF\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2320 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe | C:\SysDrvQL\devbodsys.exe |
| PID 2320 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe | C:\SysDrvQL\devbodsys.exe |
| PID 2320 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe | C:\SysDrvQL\devbodsys.exe |
| PID 2320 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe | C:\SysDrvQL\devbodsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe
"C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe"
C:\SysDrvQL\devbodsys.exe
C:\SysDrvQL\devbodsys.exe
Network
Files
\SysDrvQL\devbodsys.exe
| Hash | Value |
|---|---|
| MD5 | 79510053c6bc734cbf887a9306a0414b |
| SHA1 | 50255fea85cab7fe18e208ad07d90d10b13dcb4f |
| SHA256 | 243d5ff5f7a11f1594f31eedb270ab1bd3f2011192c7baba518fd36315afee24 |
| SHA512 | 9e74c138bb624cc154a64a2222e90a436fd51de95c63a6c3f63b2f7cbcead231bdf2e1bb11ca6c43893bf575912764bfbd9bee323334eee5304f8d80a0f0041b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 9fa23a54da24057d0147ecf2aafbec5d |
| SHA1 | 3fa9c91acd8e047f297fd7dff38897547d334972 |
| SHA256 | 878d2b092e9a88723b01fc10450f7e0e3b4a279f39925835076d0cabfbd285e6 |
| SHA512 | 9bcffa8ab29ebb30af350095a67c1cfb52c0162e0570279d6564764869a50af35778bcd435432f625b83d135681935132857f7132d2ab6787d3a8dc0863cee0d |
C:\VidBF\optixsys.exe
| Hash | Value |
|---|---|
| MD5 | d5c2b5c57160818e69b9fcc0b07a12a7 |
| SHA1 | 0566094ca93ab0eee0187c5b412fa0d3e642d01a |
| SHA256 | 78852a8f57b973f37ec7a91d4b5db7ba54e839e4d620371ddd01c5479f31115f |
| SHA512 | 3bb5ddc896db9958a1a8f2e303623346f7622ee7fceaf3ececa00f0be026256d2b7786050b62adad8385978bfe9ccd97a702200a72c02200ff2cd11cf87f3ee4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 22:15
Reported
2024-06-03 22:18
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\UserDotGY\xdobloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGY\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintDA\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1604 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe | C:\UserDotGY\xdobloc.exe |
| PID 1604 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe | C:\UserDotGY\xdobloc.exe |
| PID 1604 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe | C:\UserDotGY\xdobloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe
"C:\Users\Admin\AppData\Local\Temp\60bb7351f42d6253211aeb4d60897ac958230366ad58cd6bf9f1040fd026ce7c.exe"
C:\UserDotGY\xdobloc.exe
C:\UserDotGY\xdobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\UserDotGY\xdobloc.exe
| Hash | Value |
|---|---|
| MD5 | c2079ba8bf9adf1a5796db8324c8b5f0 |
| SHA1 | 66119f0d9acc716b340940c0282108956f161d2b |
| SHA256 | e65aef81a30064375dd7e31403d8b18a31c85bfc535f828f144a52acf44a44a7 |
| SHA512 | 28a9504a00cba9387e8d1b81692fe0916f0957891a10f84faecebe14612b892959d57846879fcd78201ca2a25cb7099e5a6daf70a91a5e4cdf29c0446025cefd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 9098304474ac01918a35ef073bb06e9b |
| SHA1 | 9f2900fc0555e8770275fca3d1eb97b2f62f3aa0 |
| SHA256 | e34ec99feb457a3bbfb9be899cd96052586195659869ca76c84a3c4b2fd82b3b |
| SHA512 | 5a0256f76ca245f70db55c65d706de09f8e6764229c360f79ba5fb5c5969064cd44c362d1e86ef9554522541efed06f251948e2269ecbf27a37c45b4f5821a35 |
C:\MintDA\dobasys.exe
| Hash | Value |
|---|---|
| MD5 | 738dade3a2ce3c349c8cd6fd33232af7 |
| SHA1 | ac41d13f503e447ec2430ce539077550fa9d7624 |
| SHA256 | 117804b3f298f598c4a396322fabe7469596919c461ad4d726062920e6c6129e |
| SHA512 | f039bc05ea1ed4c46d5ce1571213dce73908f7f5f6b3541f0d1979cc2b4b281747829cfd67484c97a1b226c08ff1c3564db52a570633a3869ea4ce4895d6b544 |