Analysis Overview
SHA256
9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11
Threat Level: Shows suspicious behavior
The file 9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 00:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-06-04 00:51 |
| Reported | 2024-06-04 00:54 |
| Platform | win7-20240508-en |
| Max time kernel | 149s |
| Max time network | 123s |
| Command Line | |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\Adobe55\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe55\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxV7\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe | "C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe" |
| C:\Adobe55\devdobloc.exe | C:\Adobe55\devdobloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Adobe55\devdobloc.exe
C:\GalaxV7\bodxloc.exe
Analysis: behavioral2
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2024-06-04 00:51 |
| Reported | 2024-06-04 00:54 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 150s |
| Max time network | 150s |
| Command Line | |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\FilesU4\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesU4\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUR\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe | "C:\Users\Admin\AppData\Local\Temp\9f158aceb284aee62542734a202e350abf2664f24156967c1e67663c2b714a11.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe" |
| C:\FilesU4\xdobloc.exe | C:\FilesU4\xdobloc.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesU4\xdobloc.exe
C:\KaVBUR\dobasys.exe