Analysis Overview
SHA256
b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562
Threat Level: Shows suspicious behavior
The file b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N was classified as: Shows suspicious behavior (static scan plus two detonations, Windows 7 and Windows 10, reported below).
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 21:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 21:47
Reported
2024-10-25 21:49
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\Adobe2A\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2A\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZY1\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe2A\xdobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
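The two persistence signatures above (a file dropped into the per-user Startup folder, and Run/RunOnce values named Parametr pointing at freshly created directories under the drive root) are the artifacts a responder would hunt for on other hosts. The script below is an added example, not part of the sandbox report or of the sample: it parses the report's own "Set value" indicator strings (native \REGISTRY\USER\<SID>\... paths) into the HKU\<SID>\... form that Sysmon logs, and applies one rule set to constructed Sysmon-style events (EventID 11 FileCreate, EventID 13 RegistryEvent SetValue) built from the behavioral1 indicators plus two benign controls. The "trusted directory" check (Windows and Program Files) is a triage heuristic of this example, not a classification the report makes.

```python
import re

# The report prints native object-manager paths; Sysmon prints HKU\ / HKLM\ prefixes.
_HIVE_PREFIXES = (("\\REGISTRY\\USER\\", "HKU\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\"))
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# Heuristic only: autorun targets under Windows or Program Files are treated as benign here.
TRUSTED_DIR_RE = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk")


def normalize_key(path):
    """Rewrite \\REGISTRY\\USER\\... / \\REGISTRY\\MACHINE\\... to HKU\\... / HKLM\\..."""
    upper = path.upper()
    for native, short in _HIVE_PREFIXES:
        if upper.startswith(native):
            return short + path[len(native):]
    return path


def parse_registry_indicator(indicator):
    """Split a report 'Set value (str)' indicator into (Sysmon-style key path, unescaped data)."""
    m = re.match(r'^(?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)"$', indicator)
    if not m:
        raise ValueError("not a 'Set value' indicator: " + indicator)
    return normalize_key(m.group("key")), m.group("data").replace("\\\\", "\\")


def command_image(data):
    """First token of a command line: the quoted path if quoted, else up to the first space."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def classify_autorun(key_path, data):
    """Flag a Run/RunOnce value whose target executable lives outside the trusted directories."""
    m = RUN_KEY_RE.search(key_path)
    if not m:
        return None
    image = command_image(data)
    if TRUSTED_DIR_RE.match(image):
        return None
    return {"technique": "T1547.001", "kind": m.group(1), "value": m.group(2), "image": image}


def classify_startup_drop(path):
    """Flag an executable-type file written into a Startup folder."""
    low = path.lower()
    if STARTUP_DIR in low and low.endswith(EXEC_EXT):
        return {"technique": "T1547.001", "kind": "StartupFolder", "image": path}
    return None


def hunt(events):
    """Run both checks over Sysmon-style event dicts and return the findings in event order."""
    findings = []
    for ev in events:
        hit = None
        if ev.get("EventID") == 11:
            hit = classify_startup_drop(ev["TargetFilename"])
        elif ev.get("EventID") == 13 and ev.get("EventType") == "SetValue":
            hit = classify_autorun(normalize_key(ev["TargetObject"]), ev["Details"])
        if hit:
            hit["source"] = ev.get("Image")
            findings.append(hit)
    return findings


# Indicator strings copied from the behavioral1 signature table above.
REPORT_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2A\\xdobloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZY1\\optixloc.exe"',
]
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe"
SID = "S-1-5-21-3290804112-2823094203-3137964600-1000"
# Constructed Sysmon-style events: three derived from behavioral1, two benign controls that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": DROPPER,
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\Adobe2A\xdobloc.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": DROPPER,
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\LabZY1\optixloc.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Program Files\Example\setup.exe",  # hypothetical vendor
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r'"C:\Program Files\Example\updater.exe" --quiet'},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
]

if __name__ == "__main__":
    for ind in REPORT_INDICATORS:
        print(classify_autorun(*parse_registry_indicator(ind)))
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Two points when using this on live hosts: a RunOnce value is deleted by Windows after it fires, so on an infected machine that has rebooted only the Run value and the Startup-folder copy may remain, and the `Parametr` value name and the directory names (Adobe2A, LabZY1) differ between the two detonations, so hunt on the pattern (autorun target in a new top-level directory, executable in the Startup folder) rather than on the literal names.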
Processes
C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
"C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\Adobe2A\xdobloc.exe
C:\Adobe2A\xdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | e90c83b216c3e3551ff9a3a69e5c6e59 |
| SHA1 | 9aa6b65bd8c7002bbfb737938bb757a035c12c70 |
| SHA256 | f14b7fb4b24ff3717e49bc0bc23c0f0f34ff046b0d794c7cdc2f4018da27ab08 |
| SHA512 | e71a79444aaaeb442091e8a809c8ce43c13cee22fb5f1695980d4951e9c2ca8b7e41878aaa420f06c1a01ec8cdd0719100839e25abbf37e3f4fdccabd0e0ca36 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | aa6eb03c99aaf51740ec84051f8d7568 |
| SHA1 | a89fa086d4dfabb803c7b3cd823fa97cd4b820a3 |
| SHA256 | 8b1f8e2ae3d90c0cbf4f6746057c57fe20a9a0a80bdcbabf639f275361d614f8 |
| SHA512 | 2e6740f03f00c95f5f2e41930bffacdb9cdd4080ae879d512d4846d81609c701c0ce70fbbfb58964617c371473f7fe4c65f886419e02dd6527b53e1d806318a6 |
C:\Adobe2A\xdobloc.exe
| MD5 | 90da37076a4a7e67684f0cb9afa651c8 |
| SHA1 | 23d69766ec778249845167e1bd4cae1b66d3cb2f |
| SHA256 | 39955dff81db3c1e8eb544385aa65a813de85b9dca086a1b534d55245f567554 |
| SHA512 | 09d1627dada062795713916d613656a23465a3e3f6f811da78982169b7f9f85fb031a854369160cbedd665e27c9ae5cecdfae7e08736c4fcf64d0b0926647b82 |
C:\LabZY1\optixloc.exe
| MD5 | 3fd2d6dfd6b723b967a5164086c3c0b2 |
| SHA1 | e0b760698a37c27815e136594152169e6b3123ad |
| SHA256 | b74196810cbfda25952c2b2d3b80afc4fe616e2cfd2ab0da12d0081ef82c3cc9 |
| SHA512 | c5f3c718deedaf04daa23ea111a6c3d517750a9388492ffb4ad2f755e72b45daced448200e29f51d3cad23c43b76ee9aa86c0baad1920e1ef1066d720065bf68 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1b7d1b2b45852a76b1ab70169d8a761d |
| SHA1 | 86fd4ec3a7f4f4c6cd69e2da82ec7d67f9c399c1 |
| SHA256 | 714dc6891fda6b66ae8a678125175a79be963debd884ee9ce6362d2eab3a5c7f |
| SHA512 | c9d23822230ca7ac709c8c6e6c811490d5e65a3577023d950befb74e4038e2d9265da5daa2cbcd5e4e146641809aec310d42ec8b2a17a2a89fdf9f5ae0cdcf25 |
C:\LabZY1\optixloc.exe
| MD5 | 13dcba811ae49ee41e4d9247b03882fa |
| SHA1 | 5c7f3378ccdf9e957a3df2c360be9662b9d89818 |
| SHA256 | d44513a8db5b8d32b18a839668e474d15c2492c811ec6bdb42be97a619a24c55 |
| SHA512 | ea7f1b59addc75965697ff04313b7acad9f72a06c6bb7aaf1bb0a48b3aef7e32739a851cb037f37952783e4c810d9cb9fd0562d3007fe83d8fbc8c98ef80bd97 |
Note on this file list: C:\LabZY1\optixloc.exe, the RunOnce target, and C:\Users\Admin\253086396416_6.1_Admin.ini are each listed twice with different hashes, so their contents were rewritten during the run. optixloc.exe does not appear under Processes or under Executes dropped EXE, so within the 120 s window it was staged for the next logon but never launched. The .ini name embeds the OS version (6.1 here, 10.0 in the Windows 10 run below) and the user name, so it is host-derived and not a stable indicator on its own.
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 21:47
Reported
2024-10-25 21:49
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
108s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\UserDotZ7\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZ7\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8J\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotZ7\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe
"C:\Users\Admin\AppData\Local\Temp\b54b947fe2a4daf89779cb54005a28bfde307a5272caed8b6193670e13f4d562N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\UserDotZ7\devbodsys.exe
C:\UserDotZ7\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Only the Windows 10 run produced traffic, and this table does not attribute any of it to a process. The PTR lookups against 8.8.8.8 and the TLS sessions to tse1.mm.bing.net (a Microsoft host that Windows 10 itself contacts) are consistent with operating-system background activity; the report records no connection originating from the sample or its dropped executables.
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 169f0cb40e66d67edfe78b276e0e770e |
| SHA1 | f756dfb3ff047bd1708f93d19aae851b1783110a |
| SHA256 | 257858d7e8e55bebc06bd00c32e78ee7d72e80be70a2d366cd54ecf0ee3ec546 |
| SHA512 | dad4ae24c9162870155d446a3e22efd405997f01d8ded0bcef375d4fa0f02a7a54925ebd12189f4263c446aadbb12313da6690027a80a7fc03783868b6f21696 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b489d03f69f393ad886002a8e98d1a6d |
| SHA1 | d900401d798b7f52cad2af45edfcc6656673b840 |
| SHA256 | c8b6f57aeec03bc7f6c22338eed0f3c3e94f6de0505d7f9879f9594e8600c980 |
| SHA512 | 55a7cd2b3e827e3e7b684cb57676e8f43f0eaccfc5a17ed993d2c5ba09ed4b64b5030b3e8a3f0225848f95373916d6057de50d48c6475987d9e3e2521e73a2a9 |
C:\UserDotZ7\devbodsys.exe
| MD5 | 5e6b687e48647ba8b0e7f41ad43c9f48 |
| SHA1 | e209d21951c4233fbb4bed8b41fba307f3643f5a |
| SHA256 | 823415d119edbd7ed5f8789ab33b7d85176fe0395f07fcfb7b07470381b6ad20 |
| SHA512 | 9a0c1ea0ecf9d16884964c86d3957473d02b51549e874d8f06961eda21bfb75313e4eca3168bed2966e7298f2d563f377d4779fc937b512ca824d7852e4aac39 |
C:\Vid8J\bodaloc.exe
| MD5 | 642d5fd1c5d47e0cd3efc57772bc2053 |
| SHA1 | bc41dd3d35783afbd472e73a9f63190d7e166933 |
| SHA256 | 354d593722f5c5af8706226640303ec107869e0842004e188841efc1b84c1798 |
| SHA512 | 3c5ab6241a835ab0cffcf0d36944fcc6eb3aa2afc83dcda29790a9a82f9f14ae2423a853816bc47894042dbca59e25ab4eb432113fe9ed87505cd8093adefab9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | dddc7fabebc2fc204e53da3573c80ca1 |
| SHA1 | b9df54602ba0dd18c9e57050a84a194c752b52b3 |
| SHA256 | 80920a7662984b1003a0849dead2dc6d923fe9b7750e56f5c96a50798de0326c |
| SHA512 | 4535dfc3fb2f5e9480d81edbd50b5a3d33c33eafef96e45e02dc687eb5a3e035ce2545a64852f5cb58d0719d1c7d1179ac01cad9703d6133f3e7efe74f0d6cf5 |
C:\Vid8J\bodaloc.exe
| MD5 | a44b2b9b212e50d4b2e889bc8361e636 |
| SHA1 | 3d2b4f07a8739084e70e0c57ec43d84edf191869 |
| SHA256 | 74a7da2fe915218456275fc65b33ebc2131c69d7323b3ac89e61ffcad5521756 |
| SHA512 | cf723930340d1ddb4cfc147e1e5c4b09a335c60bfe114728434cd84b0f93bf8a86ab3a3e463c32f21fa420e3d377710cebfd81c297880e597af23479b3192171 |
As in the Windows 7 run, the RunOnce target (here C:\Vid8J\bodaloc.exe) is written twice with different hashes but is absent from Processes, so it was staged and not executed during the run. Every dropped path and hash differs between the two detonations, so the persistence pattern (Run and RunOnce values named Parametr, a new top-level directory, an executable in the Startup folder), not the file names or hashes, is the reusable indicator.