Analysis Overview
SHA256
eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6
Threat Level: Shows suspicious behavior
The file eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:07
Reported
2024-06-03 05:10
Platform
win7-20240508-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\SysDrvL5\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvL5\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxC7\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2180 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe | C:\SysDrvL5\xdobec.exe |
| PID 2180 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe | C:\SysDrvL5\xdobec.exe |
| PID 2180 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe | C:\SysDrvL5\xdobec.exe |
| PID 2180 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe | C:\SysDrvL5\xdobec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe
"C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe"
C:\SysDrvL5\xdobec.exe
C:\SysDrvL5\xdobec.exe
Network
Files
\SysDrvL5\xdobec.exe
| Hash | Value |
|---|---|
| MD5 | 4d8b4f713a0d79165498db26233be154 |
| SHA1 | d66caa76fe61bc954d72b441cd5bebbd7569e29a |
| SHA256 | c63242ba8b5ecba516fe968cda5faf53f6daf2e5e74c494e9801ae42c289ae1b |
| SHA512 | 4ae6004e03a62536743c7d6a468f6fa48eb64eecddfc5c7adcf65b54178991e85b39d8e5e084aa18978531995b83a756e4b80094d17d6b43b97dd7ffff2f8831 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | e3c6cf5977364e82306083c36d1cd41d |
| SHA1 | bb76116f94958e612753ca04701fa0fefc6e31a7 |
| SHA256 | c615e4303f3c009ab1c829a245ba4683c077ca418a753b4ef6ce44e1165e179c |
| SHA512 | 8208bf09d0760ba4c97c36781d5773c079d3ecd117436ac3bb166e6988d0db84341c938cc9cfa9bc755f64e24005481463f831a0554ce1108ad730ef2eaecbb3 |
C:\GalaxC7\optixloc.exe
| Hash | Value |
|---|---|
| MD5 | a34da82c81a67873de95678ed4e5e66d |
| SHA1 | 81354378f573cb25ea72599fe503fd501c6c5dc0 |
| SHA256 | 9a3b4486e46b19d14b8126667cb245c163c1236b3e3188ad4a0c90de3d936c5e |
| SHA512 | d4aa9836c394c646a798339e120872e0cb09ed75d4198c756d2a010b4dce603fb4ea2d6e018c54e7a6369a9be19293181656a9ad611e69427d64ddd8846c14dc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:07
Reported
2024-06-03 05:10
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\SysDrvO6\xbodloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvO6\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax0H\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2284 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe | C:\SysDrvO6\xbodloc.exe |
| PID 2284 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe | C:\SysDrvO6\xbodloc.exe |
| PID 2284 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe | C:\SysDrvO6\xbodloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe
"C:\Users\Admin\AppData\Local\Temp\eaf61d95ac62fec0bb3923fd92f449442fac8cbb00c922793cfef7813a1e22a6.exe"
C:\SysDrvO6\xbodloc.exe
C:\SysDrvO6\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
C:\SysDrvO6\xbodloc.exe
| Hash | Value |
|---|---|
| MD5 | 94ef11005cfa5d02b338df0aee6be356 |
| SHA1 | 8563867aa40c92b72039cac30ee5abe92f250c9f |
| SHA256 | 2a3a329f666e421c0db731354eb20b2bb81aa61df9edc230f83591ec646fdd7f |
| SHA512 | aef82353c46986d2446e6371c7c04fcc558c0cc233b28ef185f1d93f73be1a274a761d1367d4be10046932c0fa07a21b0186b5e6493b44606c432ee1e78dd442 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 9faee3977a6196e4841f6ce85929fd16 |
| SHA1 | b567b588a17c580f3c69a05ca0be5eb4e676042f |
| SHA256 | ab2bd698b544e17f7613c6db60eb3cde83d0f2565f06ac1e6f4c79f42fd16eda |
| SHA512 | 7aa37d600ee110b7fd7d833d065b83dc4965f069c60c1c8729ed707b2e76caceefb53e0ef6315f6ad3692222083659b6768f51f7c5b1df43b469eaa22596b0ba |
C:\Galax0H\dobxec.exe
| Hash | Value |
|---|---|
| MD5 | 10221354190c139f5f2950d770b1cf45 |
| SHA1 | 4a2fda41f07174e0647aa6e046e9854248c4367c |
| SHA256 | 355ec8cd3e5dca21d653cd2ae31c0d40a42f9ab2810a99da055f84e3337d46fd |
| SHA512 | e0a8f617f144145711c63a735e033f3db1dc25b931be067301a398b2de48a388cebfc5097272043f4a533d616da8c063ba020e4b9f45a1aededa7738afec15a9 |