Analysis Overview
SHA256
fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8
Threat Level: Shows suspicious behavior
The file fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8 was found to show suspicious behavior. The verdict rests on the signatures listed below (a dropped executable that is then run, Run and RunOnce persistence, and cross-process memory writes from the sample into its child); the report attributes the sample to no malware family.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:53
Reported
2024-06-03 05:55
Platform
win7-20240221-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Files7C\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7C\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6M\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2872 wrote to memory of 3032 (4 write events) | N/A | C:\Users\Admin\AppData\Local\Temp\fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8.exe | C:\Files7C\xdobec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8.exe
"C:\Users\Admin\AppData\Local\Temp\fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8.exe"
C:\Files7C\xdobec.exe
C:\Files7C\xdobec.exe
Network
Files
\Files7C\xdobec.exe
| MD5 | 9b85b9ec0d61be80e3e062fd83ff3b8b |
| SHA1 | d16a159aa62c24cc141fd05e26dab1650febff11 |
| SHA256 | 7135cd30071babe6b96c5bf15bb39afa7064620c4b11bb85e32bdd07d85c1425 |
| SHA512 | d536aa27efeda9a41c5709f5445f7e33130c1c9185de6d59d8118f727061f57ba17ee9ed282895a09b8f65b46ad60e5af3f9ad59a7741f34e638584e195a0c90 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | eeefa34b1fc284a2dca21892bc1486bf |
| SHA1 | 3347cbfde9020ee7a4a459831abfbbfc25a65f2c |
| SHA256 | a3b68ff582a757f8a7865fcf80fcb396b2667f67e3a84367c06b3dffdbdb57d7 |
| SHA512 | 9045fd5f24682639e8d2bd889dc9b36a6d7414660c7c1947680a0724110a6b164ec457d167c51b0cd0013aa78ead0a9ef1d205b6306f9db59e8a53a44060a9ad |
C:\Vid6M\dobxsys.exe
| MD5 | 03ccfac637f9f7e80941992bd2a853a1 |
| SHA1 | 5c3c8756b4212c1b747aaf5da509610960ed6dbb |
| SHA256 | f149e6dd9b1caa3d922957c8c0c1e039327a686594ea04104824f7cc62ab21c3 |
| SHA512 | 2f5aeef460562f1af028969ee4ec0059700d84383fbdc1fbc319e464910625f6ec7b1e082ebcb2b2a088d73f4f3f463f7acd98a5cf219e066587ccd8ac0822a1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:53
Reported
2024-06-03 05:55
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\IntelprocPB\abodsys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPB\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint1M\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2800 wrote to memory of 1984 (3 write events) | N/A | C:\Users\Admin\AppData\Local\Temp\fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8.exe | C:\IntelprocPB\abodsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8.exe
"C:\Users\Admin\AppData\Local\Temp\fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8.exe"
C:\IntelprocPB\abodsys.exe
C:\IntelprocPB\abodsys.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3148,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
C:\IntelprocPB\abodsys.exe
| MD5 | 9a7c323c060319c1fd33ceacddcf34c0 |
| SHA1 | 41a2d84e1851961b803ff5c6897136710fb92558 |
| SHA256 | 0470c9f0ea2fdb62fde119a3ca953c80ee75e455f17818345d87af7143ad0130 |
| SHA512 | e2a4265fda901496d420de981968085c2a1a2d017f4f631ab676308370f1102d2e2e715155724de781c01cfe1eef28d951558c9defcddbdb2c69a12ee62635ee |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 886bdc60567c6c6310ae8c9ec6251d31 |
| SHA1 | aacedef5a487e75a5f0f17da833a901d0c7a30b8 |
| SHA256 | abbe6b35f9d85b57087504be8acb666688664033ac603eb6e36ba39742e2b074 |
| SHA512 | 4f663ee86b5da16c7aea8d1f93f4ffe201ca95d7176864187012235ad0368c41e8f3c530da67ac72bc53668ba9a9f8930c1222ca94e4cf3c3244c78311dad762 |
C:\Mint1M\bodxloc.exe
| MD5 | d660fcde4c62c4985072f6a73bf7e029 |
| SHA1 | 036e9f8a71a860f98075ed4a1fd77cd969bdbfef |
| SHA256 | 80fefc6b2d7a2570f55286797b7b0a089eed085e047431920dc88e45cddbf071 |
| SHA512 | eca7c8a633a40f3b50bd6f66ca80e488fcea4be36da37f4c7b2374e66f074c926a8f4658955b6da63f26df98c706f17709a9479a5f346a6429c9a67dc5f6f321 |
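The two detonations above show the same persistence routine with different, per-run names: the dropped executable lands in a short alphanumeric folder directly under the drive root (C:\Files7C and C:\Vid6M on Windows 7, C:\IntelprocPB and C:\Mint1M on Windows 10), the Run and RunOnce values are both named Parametr, and an INI file named <digits>_<OS version>_<user>.ini is written to the profile root (6.1 on Windows 7, 10.0 on Windows 10). Path-based indicators from a single run are therefore weak; the value name, the drive-root directory pattern and the INI naming pattern (inferred from the two file names) are the stable ones. The script below is an added example, not part of the sandbox report: it runs those checks over constructed Sysmon-style events (registry value set, file create, process create, process access) that mirror behavioral1, with two benign control events that must not fire. The event dictionaries, the rule names, the set of "standard" root folders and the PROCESS_VM_WRITE check standing in for the WriteProcessMemory signature are assumptions of the example; the paths, SID and SHA256 values are copied from the report.

```python
"""Added example (not from the sandbox report): hunt for the persistence pattern
seen in behavioral1 and behavioral2 over constructed Sysmon-style events."""
import re
from collections import defaultdict

# SHA256 values copied from the report's Files sections (dropped executables).
KNOWN_DROPPED_SHA256 = {
    "7135cd30071babe6b96c5bf15bb39afa7064620c4b11bb85e32bdd07d85c1425",  # xdobec.exe
    "f149e6dd9b1caa3d922957c8c0c1e039327a686594ea04104824f7cc62ab21c3",  # dobxsys.exe
    "0470c9f0ea2fdb62fde119a3ca953c80ee75e455f17818345d87af7143ad0130",  # abodsys.exe
    "80fefc6b2d7a2570f55286797b7b0a089eed085e047431920dc88e45cddbf071",  # bodxloc.exe
}
# Run/RunOnce value set under HKU\<SID>\Software\Microsoft\Windows\CurrentVersion.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# EXE in a short alphanumeric folder directly under the drive root (C:\Files7C\xdobec.exe).
ROOT_DROP_RE = re.compile(r"^[A-Za-z]:\\([A-Za-z0-9]{4,12})\\[A-Za-z0-9]+\.exe$")
STANDARD_ROOTS = {"windows", "users", "programdata", "temp"}  # assumed benign root folders
# <digits>_<OS version>_<user>.ini in the profile root; pattern inferred from the two reports.
INI_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\\d+_\d+\.\d+_[^\\]+\.ini$", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
PROCESS_VM_WRITE = 0x0020  # access right WriteProcessMemory needs on the target handle


def sha256_from_hashes(field):
    """Sysmon 'Hashes' field 'MD5=...,SHA256=...,IMPHASH=...' -> lower-case sha256 or None."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def hunt(events):
    """Return (rule, detail) findings for a list of Sysmon-style event dicts."""
    findings = []
    autostart = defaultdict(set)  # (image, value name) -> {"run", "runonce"}
    for ev in events:
        eid = ev["EventID"]
        if eid == 13:  # RegistryEvent (value set)
            m = RUN_KEY_RE.search(ev["TargetObject"])
            if m and TEMP_RE.search(ev["Image"]):
                key, name = m.group(1), m.group(2)
                findings.append(("run_key_from_temp", f"{key}\\{name} -> {ev['Details']}"))
                autostart[(ev["Image"], name.lower())].add(key.lower())
        elif eid == 11:  # FileCreate
            target = ev["TargetFilename"]
            m = ROOT_DROP_RE.match(target)
            if m and m.group(1).lower() not in STANDARD_ROOTS:
                findings.append(("root_drop_exe", target))
            elif INI_RE.match(target):
                findings.append(("profile_ini_marker", target))
        elif eid == 1:  # ProcessCreate
            digest = sha256_from_hashes(ev.get("Hashes", ""))
            if digest in KNOWN_DROPPED_SHA256:
                findings.append(("known_dropped_hash", f"{ev['Image']} {digest}"))
        elif eid == 10:  # ProcessAccess
            access = int(ev["GrantedAccess"], 16)
            if access & PROCESS_VM_WRITE and TEMP_RE.search(ev["SourceImage"]):
                findings.append(("vm_write_from_temp", f"{ev['SourceImage']} -> {ev['TargetImage']}"))
    # Same value name planted under both Run and RunOnce by one process, as in both detonations.
    for (image, name), keys in autostart.items():
        if {"run", "runonce"} <= keys:
            findings.append(("run_and_runonce_same_value", f"{name} set by {image}"))
    return findings


# Constructed events mirroring behavioral1 (paths, SID and hashes from the report),
# plus two benign controls (Explorer setting a Run value, an Edge utility process).
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\fe388b8ec0da93396683b05fa0388a1b95b5f2517da8d9094a378d5b1e79b0d8.exe")
CV = r"HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion"
CONSTRUCTED_EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Files7C\xdobec.exe"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Vid6M\dobxsys.exe"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Users\Admin\253086396416_6.1_Admin.ini"},
    {"EventID": 13, "Image": DROPPER, "TargetObject": CV + r"\Run\Parametr",
     "Details": r"C:\Files7C\xdobec.exe"},
    {"EventID": 13, "Image": DROPPER, "TargetObject": CV + r"\RunOnce\Parametr",
     "Details": r"C:\Vid6M\dobxsys.exe"},
    {"EventID": 1, "Image": r"C:\Files7C\xdobec.exe", "ParentImage": DROPPER,
     "Hashes": "MD5=9b85b9ec0d61be80e3e062fd83ff3b8b,"
               "SHA256=7135cd30071babe6b96c5bf15bb39afa7064620c4b11bb85e32bdd07d85c1425"},
    {"EventID": 10, "SourceImage": DROPPER, "TargetImage": r"C:\Files7C\xdobec.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": CV + r"\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Hashes": "SHA256=" + "0" * 64},
]

if __name__ == "__main__":
    for rule, detail in hunt(CONSTRUCTED_EVENTS):
        print(f"{rule:28} {detail}")
```

Run as-is it prints eight findings for the constructed behavioral1 events and nothing for the two controls; the same rules fire on behavioral2 because they key on the value name, the directory shape and the INI name shape rather than on the per-run folder names. Feeding real Sysmon exports requires only mapping the XML fields onto the dictionary keys used here.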