Analysis Overview
SHA256
b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188d
Threat Level: Shows suspicious behavior
The file b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 22:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 22:02
Reported
2024-10-25 22:04
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\Adobe29\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe29\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint2T\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe29\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
"C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\Adobe29\xdobsys.exe
C:\Adobe29\xdobsys.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 22:02
Reported
2024-10-25 22:04
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
104s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\UserDotO8\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotO8\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPB\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotO8\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe
"C:\Users\Admin\AppData\Local\Temp\b1c8d6c417c5220349566661261a2f3cafce0abcb929bbe26d131ed4c537188dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\UserDotO8\xbodec.exe
C:\UserDotO8\xbodec.exe
Network
Files