Analysis Overview
SHA256
ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c
Threat Level: Shows suspicious behavior
The file ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c was classified as: shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:16
Reported
2024-06-03 05:19
Platform
win7-20240221-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\FilesIF\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIF\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1R\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1612 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe | C:\FilesIF\abodec.exe |
| PID 1612 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe | C:\FilesIF\abodec.exe |
| PID 1612 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe | C:\FilesIF\abodec.exe |
| PID 1612 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe | C:\FilesIF\abodec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe
"C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe"
C:\FilesIF\abodec.exe
C:\FilesIF\abodec.exe
Network
Files
\FilesIF\abodec.exe
| MD5 | d9908e7297b6fdbe3b185ebc5989b633 |
| SHA1 | 19b5c10f72562e0a85eadd23881f906d10db75bb |
| SHA256 | 0edbfa79b42a9e4ba42da44fd5889802c1d424748bfa59a81b727f2e0048a2f1 |
| SHA512 | ee4486c7fdcad8eaff4c0fffab7f05f98a8f8ca2871c155681dd093d7f65bfa00b7681ebdf379912d33d0a1915b16780ce9b6a6b06affca998265ae526ab6afd |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 14d071223a443c976b187fa5a0be80db |
| SHA1 | dbf7e653aaf9057aa76fcee339490f6a7936c624 |
| SHA256 | 0a594a605a45cbf5361c941a0418902dd1cccfa57e65bc293041b71ddfdfaa4b |
| SHA512 | 94d74c2625545d3af1cf6fce1759af9afdb3161d83821690407bc4dc055ea4187c3a7b125635004b9bd920a710808ea0383693c691456cabe7a2c32b9e2a72da |
C:\Galax1R\dobdevsys.exe
| MD5 | 0e9a73630321b5bb977e27cb12449946 |
| SHA1 | 2ec6d328925b11d4e6d864d6dd5672c65e6adde4 |
| SHA256 | 7b042361ca70eb4e70bdfbf4c0f93d1339869e80352a953fcdb23190771f3488 |
| SHA512 | 596d70564ec86551f9cc83df320deecfae9df770cdff12d5da58e05c1e56e2b409f84813ade953c44abe6700e5da395a7e57739874d12cfc8f73a6749c5328f5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:16
Reported
2024-06-03 05:19
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
104s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\UserDotMG\xdobec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintET\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMG\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe | N/A |
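Both detonations set the same value name, `Parametr`, under the current user's `Run` key (a persistent stage) and `RunOnce` key (a one-shot stage), each pointing at an executable in a freshly created directory directly under `C:\`. The following Python is an added example, not part of the sandbox report or of the sample's own code: it parses the four `Set value (str)` indicator strings from behavioral1 and behavioral2 into structured records and applies two hunting heuristics those rows illustrate. The indicator format (`\REGISTRY\<hive>\<SID>\...\Run\<name> = "<data>"`) is taken from the report; the `EXPECTED_TOP_LEVEL` allow-list is an assumption to tune per environment, and the OneDrive entry is a constructed benign control that the report does not contain.

```python
"""Added example, not part of the sandbox report: turn the 'Adds Run key'
indicator strings from behavioral1 and behavioral2 into structured records
and apply two hunting heuristics that the two detonations illustrate.
Assumptions: the report's indicator layout (\\REGISTRY\\HIVE\\SID\\...\\Run\\Name = "data")
and the EXPECTED_TOP_LEVEL allow-list; the OneDrive entry is a constructed
benign control, not something the report shows."""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicator strings copied verbatim from the two behavioral analyses.
REPORT_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIF\\abodec.exe"',
    r'\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1R\\dobdevsys.exe"',
    r'\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintET\\bodxloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMG\\xdobec.exe"',
]
# Constructed benign entry (assumption) to show the heuristics do not fire on it.
BENIGN_CONTROL = r'\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"'

# Directories that legitimately sit directly under the drive root (assumed allow-list).
EXPECTED_TOP_LEVEL = {"windows", "program files", "program files (x86)", "programdata", "users"}

_RX = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)'
    r'(?:\\(?P<sid>S-1-5-[0-9-]+))?'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<subkey>RunOnce|Run)'
    r'\\(?P<name>[^\\]+) = "(?P<data>.*)"$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RunEntry:
    hive: str
    sid: str
    subkey: str   # "Run" or "RunOnce"
    name: str     # value name, e.g. "Parametr"
    data: str     # unescaped command / path


def parse_indicator(indicator: str):
    """Parse one report indicator string; None when it is not a Run/RunOnce write."""
    m = _RX.match(indicator)
    if not m:
        return None
    return RunEntry(
        hive=m["hive"].upper(),
        sid=m["sid"] or "",
        subkey="RunOnce" if m["subkey"].lower() == "runonce" else "Run",
        name=m["name"],
        data=m["data"].replace("\\\\", "\\"),  # the report doubles backslashes in string data
    )


def parse_indicators(indicators):
    return [e for e in map(parse_indicator, indicators) if e is not None]


def is_nonstandard_root(path: str) -> bool:
    """True when the target lives in a directory created directly under the
    drive root that is not a usual Windows location (C:\\FilesIF, C:\\Galax1R,
    C:\\UserDotMG and C:\\MintET in the report)."""
    p = PureWindowsPath(path.strip('"'))
    if not p.drive or len(p.parts) < 3:
        return True   # relative path, or an executable dropped straight into the root
    return p.parts[1].lower() not in EXPECTED_TOP_LEVEL


def pair_run_and_runonce(entries):
    """Group by (SID, value name) and keep pairs that set the same value name
    under both Run and RunOnce with different targets: one persistent stage
    plus a one-shot stage, which is what both detonations show."""
    by_key = defaultdict(dict)
    for e in entries:
        by_key[(e.sid, e.name)][e.subkey] = e.data
    return {
        key: paths for key, paths in by_key.items()
        if {"Run", "RunOnce"} <= paths.keys() and paths["Run"] != paths["RunOnce"]
    }


def triage(indicators):
    entries = parse_indicators(indicators)
    return {
        "entries": entries,
        "nonstandard_root": [e for e in entries if is_nonstandard_root(e.data)],
        "two_stage": pair_run_and_runonce(entries),
    }


if __name__ == "__main__":
    result = triage(REPORT_INDICATORS + [BENIGN_CONTROL])
    for e in result["nonstandard_root"]:
        print(f"[!] {e.subkey}\\{e.name} -> {e.data} (unexpected top-level directory)")
    for (sid, name), stages in result["two_stage"].items():
        print(f"[!] {sid} {name}: Run={stages['Run']} RunOnce={stages['RunOnce']}")
```

Run it as-is to see the four report entries flagged and the OneDrive control pass; on a live host the same two checks can be fed from a registry export or an EDR registry-event stream instead of the report strings. Note that the data paths differ between the two detonations while the value name does not, so the value name `Parametr` and the "executable in a non-standard top-level directory" pattern are the stable pivots here, not the directory names.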
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4460 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe | C:\UserDotMG\xdobec.exe |
| PID 4460 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe | C:\UserDotMG\xdobec.exe |
| PID 4460 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe | C:\UserDotMG\xdobec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe
"C:\Users\Admin\AppData\Local\Temp\ee0b74e883f1da1544e9a675dd277300aa9ba8060e919efa4ad9dfb8d07b385c.exe"
C:\UserDotMG\xdobec.exe
C:\UserDotMG\xdobec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
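Every `Domain` in this table that ends in `.in-addr.arpa` is a reverse (PTR) query sent to 8.8.8.8, so the row records which address the machine asked about (with the octets stored in reverse order), not an address it connected to; the only connections listed are the four TLS sessions to 204.79.197.200 (tse1.mm.bing.net, a Microsoft host). The table has no process column, so none of these rows can be attributed to the sample or its dropped executables from the report alone. The following Python is an added example, not part of the sandbox report: it decodes the PTR names back to the addresses they refer to and splits the table into PTR targets, forward lookups and connections. The rows are copied from the table; the `ip6.arpa` branch goes beyond it and assumes the standard RFC 3596 nibble format.

```python
"""Added example, not part of the sandbox report: decode the behavioral2
Network table.  A 'Domain' ending in .in-addr.arpa is a reverse (PTR) query,
so the row tells us which address the host asked about, not an address it
connected to, and the octets are stored reversed.  Rows are copied from the
table; the ip6.arpa branch goes beyond it (RFC 3596 nibble format, assumed)."""
import ipaddress
from collections import Counter

# (country, destination, domain, proto) rows as listed in the report.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "203.107.17.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "140.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "43.58.199.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "103.169.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.126.166.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "134.71.91.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.35.223.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "205.47.74.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
]


def ptr_name_to_ip(qname: str):
    """Return the IP a PTR query name refers to, or None if the name is not a
    well-formed reverse-lookup name (forward lookups, junk labels, bad octets)."""
    q = qname.rstrip(".").lower()
    if q.endswith(".in-addr.arpa"):
        labels = q[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            return None
        try:
            return str(ipaddress.IPv4Address(".".join(reversed(labels))))
        except ValueError:
            return None
    if q.endswith(".ip6.arpa"):
        nibbles = q[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            return None
        try:
            return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
        except ValueError:
            return None
    return None


def summarize(rows):
    """Split the table into PTR targets, forward lookups and actual connections."""
    ptr_targets, forward, connections = [], [], Counter()
    for _country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        port = int(port)
        if proto == "udp" and port == 53:
            ip = ptr_name_to_ip(domain)
            if ip is not None:
                ptr_targets.append(ip)
            else:
                forward.append(domain)
        else:
            connections[(host, port, domain)] += 1
    return {
        "ptr_targets": ptr_targets,
        "forward_lookups": sorted(set(forward)),
        "connections": connections,
    }


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print("PTR queries were for:", ", ".join(s["ptr_targets"]))
    print("Forward lookups:", s["forward_lookups"])
    for (host, port, domain), n in s["connections"].items():
        print(f"{n}x {host}:{port} ({domain})")
```

The decoded PTR targets are the addresses to check against your own telemetry; a PTR query for one of them only shows the host wanted a name for that address, so treat them as leads, not as contacted infrastructure, until a capture with process attribution confirms a connection.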
Files
C:\UserDotMG\xdobec.exe
| MD5 | 709edd40c63e57231072947dfe5c0602 |
| SHA1 | 8360d414506a2f3f3a4cf7e6e9190cf5609b465a |
| SHA256 | 1b2ffa6ddc83ec7e5b90588e58ae9f4b3a7a5f42073b9e2486fc092c17d63648 |
| SHA512 | e1d7918a2742f75a5ce95a20384454016691933b25a191717a0d9bef897e45d63108d3ead76561e3d49b2678fe3126ea1c51cd95d8255a5b659b2e7a81ddc436 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 60692412b201a1699058fdb803778fd8 |
| SHA1 | 092ce0c1845a1db799161f537cd851146f74dc8a |
| SHA256 | 11fb008b4e8b3d4123a2cd3a1a6e28fda98ad91e38a6dd91f6662928c2fa07a3 |
| SHA512 | 0b6a7a45e048dc9705c5e125898cc41ce92494f44049a7cb68ef8d4a7684b26d2c63be20d9fac3fcf26939431b04a0fea850f4f55a8dcfb446920aaa2733dd71 |
C:\MintET\bodxloc.exe
| MD5 | aa4d9dfba06da3fa0abcf5324a49ad3c |
| SHA1 | 663d1647a76faf4961bc3d090ae36bd423b20af0 |
| SHA256 | 07b1a5caef397e65066b85c9fcc64f435dfd688a1a2f3eff52cb0d823468c605 |
| SHA512 | 3a7a6cf585838c18bb74dc2880d2ecac9280754a5a8c80bda58ab89f62b563e90802453a3f0f7da3df4b67d28edb313c0f7235f2dd61b2ff10973bac888c5748 |