Analysis Overview
SHA256
ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090
Threat Level: Shows suspicious behavior
The file ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:55
Reported
2024-06-03 05:58
Platform
win7-20240221-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\UserDot99\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot99\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZFA\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2188 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe | C:\UserDot99\xdobloc.exe |
| PID 2188 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe | C:\UserDot99\xdobloc.exe |
| PID 2188 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe | C:\UserDot99\xdobloc.exe |
| PID 2188 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe | C:\UserDot99\xdobloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe
"C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe"
C:\UserDot99\xdobloc.exe
C:\UserDot99\xdobloc.exe
Network
Files
\UserDot99\xdobloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 2c8f8a0c72c3265abdc75be2b5325687 |
| SHA1 | 8fcc2cca041199ffe8220337d79968ef7bbe9437 |
| SHA256 | 709cdbcfb1584162fa48393324ae30ef0df0b6960db4e05eeeb730b2c79adc6a |
| SHA512 | 50e2f416214a8c2d24b26b84b3d2a05cb3a99c6d1c4d617e15da1deb6a60ce80480ae7448e322653a485f946323c479c6816b283a2e00f62f28d00b60d3e4017 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 20c10c6c2fa39a936773b8c4edc782fe |
| SHA1 | e3438ad1dfb554a69ffc51cafb2065d0d77dd54a |
| SHA256 | 393eb030f67935d37841708b4b0560e49cc5e0ca8e7abb3ad8d39c8878e1aec8 |
| SHA512 | 1fe2864f68a5b8db13e9db9118ed4147d76b455b0cdbbaaf5eaed7f531731dac0f85f03dff2637422ba8163624050c3ac542a9a99154cfb76cbb1cf7bf15566a |
C:\LabZFA\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | 844eff828d127f6fb83ce0327edd98d1 |
| SHA1 | 17e3ca9d608d5a4944cf5d4f37da3a62d5e49750 |
| SHA256 | 896c8c67564b4c31df2514bd44692c141efebc612f3159ac43c054a8f6e96936 |
| SHA512 | c1fbb75a6e6a98ad343970975697d35a991f4e285d8be39579fb693a28305912e77516c44f228224dc9e9fdc712738e11acec7f6b6a3c31ac6ef1902803b61f4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:55
Reported
2024-06-03 05:58
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Intelproc62\xoptiloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc62\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint5L\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1588 wrote to memory of 184 | N/A | C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe | C:\Intelproc62\xoptiloc.exe |
| PID 1588 wrote to memory of 184 | N/A | C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe | C:\Intelproc62\xoptiloc.exe |
| PID 1588 wrote to memory of 184 | N/A | C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe | C:\Intelproc62\xoptiloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe
"C:\Users\Admin\AppData\Local\Temp\ff814a1e70a8fc29fe8489a06cbf9af604bb304add1f3d18703b7963502ea090.exe"
C:\Intelproc62\xoptiloc.exe
C:\Intelproc62\xoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
Files
C:\Intelproc62\xoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 0ddd81d3b4d1742f9573ee91e1130442 |
| SHA1 | 7b01ecd01fe29f761212312ec4a98036057acd24 |
| SHA256 | 34983836e2899179da750d6c733d7867c891f7d829d9e7a3f51f518cab998c57 |
| SHA512 | 6a7e0bad180cf1f79b67f369fe2961bc0f8a97277b301824797b1217560663e6ec2e04736eac124b6bd3945b7cf3faad4dc5122c1b664c93df0246f1d5961a96 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | e78638da28ee0b4d8eae3e94ab67aee6 |
| SHA1 | 48d54bba323dd7cd52d176568c6308490d79e344 |
| SHA256 | 2bac45b8795b80ec3b89d9b8a55130c0e69fc88f4a123aecc5890b8fd57fbc9b |
| SHA512 | 563a5e9d4d3b1a1f629437a83ffeadb894190ca1e36709816d76651f512f23059c7cff8cb1e9d22c187a4f74b521126058743b2dd3748cd2ef113d109a30ab72 |
C:\Mint5L\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 21846c413ffc618cea86694d92bb30eb |
| SHA1 | a5bc459858502f0bb14d8280446e0cdecbc0772a |
| SHA256 | 028d380395ee36376a30ccf4e57782a68dfc42b1d191f4574c1d2528be46b6a2 |
| SHA512 | 6c8f3bc2c7e33f923d85fdd2e84ddff86a7c1b25ac1ff2304b044c244033ff27c1ce94846b25ad0f5e0b6d7ba9d26cd970d6ae76b9e86ba09a1e390b27d8ed5a |