Analysis Overview
SHA256
bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93
Threat Level: Shows suspicious behavior
The file bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 07:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 07:55
Reported
2024-06-09 07:57
Platform
win7-20240215-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\FilesIF\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIF\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint3P\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2592 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe | C:\FilesIF\xdobec.exe |
| PID 2592 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe | C:\FilesIF\xdobec.exe |
| PID 2592 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe | C:\FilesIF\xdobec.exe |
| PID 2592 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe | C:\FilesIF\xdobec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe
"C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe"
C:\FilesIF\xdobec.exe
C:\FilesIF\xdobec.exe
Network
Files
\FilesIF\xdobec.exe
| Hash | Value |
| --- | --- |
| MD5 | 795e89632055262659f7d12d1c28f580 |
| SHA1 | 940497e35721a0041ea19ccc79a0b85340522492 |
| SHA256 | f79c441f79d1e12781ed411eea1c08974725651d3655bcd986342ece64330cca |
| SHA512 | ed9ac8371fc4c909d98f52d6aee7b542f4ec0fb3ecafb0f0fe9b7540296f24e88afc5b2239069c2a41adb0ba9bc47bdb79a9b850cf3309ee7f90ebb1feefd58a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 2ddcb4f2cf54be0b471b7813275ad35e |
| SHA1 | 1e6cb29c5502f946763739edc4d9547cf9402e2c |
| SHA256 | e5ed89fdd064e713e9eba0f94c27bea81f125fd9037e8e003fcc01490d262f9c |
| SHA512 | c98767353681a34684afff702686d64ea3a149a1c4f5832242fd6ebcbb7bf0a0f502cdbb17dcf36a3d45bf04b3afaa26b1898723acea23ab9335c56bb0035930 |
C:\Mint3P\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 633643800df8cd88df65d92d6e6a353a |
| SHA1 | 43dd243a3991cc5d7a5e0f5fcf7bcfcc4d5f2821 |
| SHA256 | a75c8ccde430578d430d4b684340b5e1c035d99a28764d9787d884ab390529bf |
| SHA512 | 5af3a300c1c73e29bbb6c59168dbb84bac5cccce46fdc19fef34c75428ce0b8212fd14ec560ad6326a99d735aca82155718f19b0b62ddd815b092769af957d1c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 07:55
Reported
2024-06-09 07:57
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
141s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\FilesXI\xdobec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXI\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT0\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1592 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe | C:\FilesXI\xdobec.exe |
| PID 1592 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe | C:\FilesXI\xdobec.exe |
| PID 1592 wrote to memory of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe | C:\FilesXI\xdobec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe
"C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe"
C:\FilesXI\xdobec.exe
C:\FilesXI\xdobec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\FilesXI\xdobec.exe
| Hash | Value |
| --- | --- |
| MD5 | f304e61572c68a754ebe48f975a8907d |
| SHA1 | c2c1ae78581b2ab743bb8e533393359cf104f26f |
| SHA256 | 52eff09c5f511977f6bb05e48463f40883bc2fea19627aa04f2daad5a9841620 |
| SHA512 | 1b5f7a42d9085e40ff4ae9994d58a095315217145d90af591209c081a25f8519b884af9a076498846e50be475a25f57f1daba2bea769914a1522c51245b509bc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 73e7a9f20d3e7d7e4fdd88664da20bb1 |
| SHA1 | 7fb1e4998617cce7a1a4c3756e50e7c4a451a823 |
| SHA256 | 86bd0953898bc314b71b672e0fc3a96ca837f55a529cba81411be6345ee76e21 |
| SHA512 | 00321bd9513525c475e5f068e9b53339090c536172929c7020920bd4e7e725389ae5377eb76a0a1b6ceaa672a01a08e601690461d6b2802ebfa1402037f24f81 |
C:\MintT0\optidevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 85ac8e8d98995fc09cc8e14b9d872d90 |
| SHA1 | adaa24efc93ffdc30c0f3eddaed74ed35e28744b |
| SHA256 | 4147383c7efa7821c6cfc8b7a765239587b96326516b35b8a29b5759d56b432d |
| SHA512 | 71b1aead94e4cf1bea92e76c1e652cc34c48ae4aa8a1a8f508276c2025ed5821c7ac8d66d8f165cd451ed36fcf9d03a044f936e5ad0acf3d006044ed8f1b1f3f |