Analysis Overview
SHA256: 5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86d
Threat Level: Shows suspicious behavior
The file 5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 14:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 14:52
Reported
2024-10-27 14:54
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\UserDotPN\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPN\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax0E\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotPN\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe
"C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\UserDotPN\xbodec.exe
C:\UserDotPN\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDotPN\xbodec.exe
C:\Galax0E\bodaec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Galax0E\bodaec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 14:52
Reported
2024-10-27 14:54
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\Files1O\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1O\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4Z\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files1O\aoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe
"C:\Users\Admin\AppData\Local\Temp\5787c535aaa844561dd4859550bb95f9a8f07da59bbc528e7b6bf8132bb9c86dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\Files1O\aoptiec.exe
C:\Files1O\aoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Files1O\aoptiec.exe
C:\Files1O\aoptiec.exe
C:\Mint4Z\bodaloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Mint4Z\bodaloc.exe