Analysis Overview
SHA256
1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5
Threat Level: Shows suspicious behavior
The file 1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 22:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 22:23
Reported
2024-11-08 22:25
Platform
win7-20241010-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\UserDotP0\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP0\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7A\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotP0\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
"C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\UserDotP0\xbodloc.exe
C:\UserDotP0\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 7cff24274e88cbe4f976252711957557 |
| SHA1 | f06cfb56ae41bb0f511dc4473c13694092a7215d |
| SHA256 | bb2db57aabe95f3a1a47d6ea6fb107a011b5167f9cc2ed352178c91898f116fa |
| SHA512 | 404a9d089319047eda518905463ca87d427c699c45e171d53fea20cabd7ec0f8371009b8ed10ce53c13b8266520736dd3a99ba58ea5ba2ecbe687816062eda71 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e43e5b50d75495f8e5e54434f109ec91 |
| SHA1 | 998b92b0539e3ef765f3dc693c0e53b4c3fb886a |
| SHA256 | 109261c823c5d609c3a90b576b7bbe1e0c4587db5dd05d4462dc0658bf49984f |
| SHA512 | f806867e57b1c60eaa6eb09adfe0f0e9e772672d9b1a536384b739f31a23b91d79f2b30a18145893c3d4884c874ed0cdae0d6dd33f5ead1e2668c40b8880d5c5 |
C:\UserDotP0\xbodloc.exe
| MD5 | fd41b43af8b67c35d086caf7c1b3a3a9 |
| SHA1 | bb7e14a1463728d07ecc840a527bf4b444c4d3f6 |
| SHA256 | a1fed6c3fbf784c9f8ec89bc67d568f6359094aea167b47c09e3a4840fdb0bb9 |
| SHA512 | 3bcc9fc9e10dcdfb66b45092f1975dd1c2811cff13fa5364b5ce91db109d91b9a1cee7cd052e40dd6298a4e771884eea5cad5d78e45aa334de5f110b3930999f |
C:\Mint7A\dobxloc.exe
| MD5 | f6e6640385e0242574961e8c5ccf9858 |
| SHA1 | e2049f891c5b94978642f1dfbd4ef8563c32adbe |
| SHA256 | 6f76309341b25f9b19899bbcda50fa98f5c35c3cd9613d148e7b3f49e27d5c24 |
| SHA512 | 2d9929dd08d23a64a9ac3bddfe66c308854b956dda52538647c3be917e23ce035ed3055c1403a7f0afd6e307cc25924a5792169c22f92705525d114ffc0549e4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7c58c48f4fefff24ed23e6e76d57edfb |
| SHA1 | a3bddd073b8b456e247cb1fc8d317d3e7e79597b |
| SHA256 | 735f4f8a324066a6f1c731a019ed984ccfa8d5ff6ece333922fd36f22f050823 |
| SHA512 | c731264bba3defafd20046df0505789900493f677e69c3477d7a13c46ae704120005839161b178497dfd98c041e939d5cc71fab4cc76c949b17af31dae8b6b11 |
C:\Mint7A\dobxloc.exe
| MD5 | 8ad721cb3223c0cb0b022c6cf99d1f1a |
| SHA1 | 99e1b9322999587da01c53dd1be3aac20a64aae7 |
| SHA256 | ec4254a666580ddda21c1d4b28a9805a5d6b1bde7d697e49780a04a2f59fd39c |
| SHA512 | f6c2d6c678dd330439cd301f544050af076e23f3a04efd8ee991f1744f510706ec892d2d68b699da9f65e2c45daa04d9c4173f2775f267613e4f3c00ac1d2dfa |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 22:23
Reported
2024-11-08 22:25
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\UserDotB5\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotB5\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4W\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotB5\xdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
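Both detonations (behavioral1 on win7, behavioral2 on win10) show the same persistence pattern from the dropper in AppData\Local\Temp: an executable copied into the user's Start Menu Startup folder, plus HKCU Run and RunOnce values both named "Parametr" pointing at executables in freshly created directories directly under C:\ (UserDotP0, Mint7A, UserDotB5, LabZ4W). The script below is an added detection example, not part of the sandbox report: it correlates those three behaviours per writing process. The event records are constructed in a Sysmon-like shape (EventID 11 = FileCreate, EventID 13 = RegistryEvent SetValue) with paths, key names and values copied from the behavioral1 tables; the event layout, the severity scale and the benign "Example" entry are assumptions of this example.

```python
"""Correlate Startup-folder drops with Run/RunOnce value writes, per process.

Events are CONSTRUCTED for this example in a Sysmon-like shape; the paths,
key names and values come from the report tables above, the event format
and the severity labels are assumptions of this example.
"""
import re
from collections import defaultdict

STARTUP_DIR = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
RUN_KEY = re.compile(
    r"\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# Autostart target in a directory created directly under the drive root
# (C:\UserDotP0\xbodloc.exe) rather than a standard install location.
ROOT_LEVEL_EXE = re.compile(r"^[A-Z]:\\[^\\]+\\[^\\]+\.exe$", re.I)
KNOWN_ROOT_DIRS = {"program files", "program files (x86)", "windows",
                   "programdata", "users"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def unquote(value):
    """Strip a single pair of surrounding double quotes, if present."""
    value = value.strip()
    if len(value) > 1 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def classify(event):
    """Return (rule, severity, detail) findings for one event."""
    findings = []
    from_temp = bool(TEMP_DIR.search(event["Image"]))
    if event["EventID"] == 11 and STARTUP_DIR.search(event["TargetFilename"]):
        findings.append(("startup_folder_drop",
                         "high" if from_temp else "medium",
                         event["TargetFilename"]))
    elif event["EventID"] == 13:
        m = RUN_KEY.search(event["TargetObject"])
        if m:
            target = unquote(event["Details"])
            # first path component after the drive letter, e.g. "userdotp0"
            root = target.split("\\")[1].lower() if target.count("\\") >= 2 else ""
            odd_dir = bool(ROOT_LEVEL_EXE.match(target)) and root not in KNOWN_ROOT_DIRS
            severity = "high" if (odd_dir or from_temp) else "low"
            findings.append((m.group("key").lower() + "_key_set", severity,
                             f"{m.group('name')} = {target}"))
    return findings


def correlate(events):
    """Group findings by writing process; a process that both drops into the
    Startup folder and sets a Run/RunOnce value is flagged as multi_persistence."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev["Image"]].extend(classify(ev))
    report = {}
    for image, findings in by_proc.items():
        rules = {r for r, _, _ in findings}
        report[image] = {
            "findings": findings,
            "multi_persistence": "startup_folder_drop" in rules
            and any(r.endswith("_key_set") for r in rules),
        }
    return report


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe")
HKU = r"\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000"
SAMPLE_EVENTS = [  # constructed from the behavioral1 tables
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\locadob.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\UserDotP0\xbodloc.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\Mint7A\dobxloc.exe"},
    # hypothetical benign autostart entry, to exercise the low-severity path
    {"EventID": 13, "Image": r"C:\Program Files\Example\setup.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Example",
     "Details": r"C:\Program Files\Example\example.exe"},
]

if __name__ == "__main__":
    for image, result in correlate(SAMPLE_EVENTS).items():
        flag = "MULTI-PERSISTENCE" if result["multi_persistence"] else ""
        print(image, flag)
        for rule, severity, detail in result["findings"]:
            print("   ", rule, severity, detail)
```

The allowlist on the first path component is deliberately small: an autostart value that resolves to a root-level directory outside Program Files, Windows, ProgramData or Users is rare in legitimate software, which is what separates the four directories seen here from the benign entry. Run this over real Sysmon 11/13 events by mapping their fields onto the same keys.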
Processes
C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe
"C:\Users\Admin\AppData\Local\Temp\1d0627bbf81022622a5a1d2508b712d91a369d10db2255ea3ac84f6af30680a5N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\UserDotB5\xdobec.exe
C:\UserDotB5\xdobec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
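Every row in this table is a PTR (reverse DNS) query to 8.8.8.8, and a PTR name carries the address in reversed octet order, so 104.219.191.52.in-addr.arpa is a lookup for 52.191.219.104. The sandbox recorded only the queries, not any connection to those addresses, and the win7 run recorded no network activity at all, so the decoded addresses are pivot points to check against your own telemetry rather than confirmed command-and-control. The following decoder is an added example, not part of the report; the rows are copied from the table above and the tuple layout is this example's own.

```python
"""Decode in-addr.arpa PTR query names back to the IPv4 addresses being resolved."""
import ipaddress

# (country, destination, domain, proto), copied from the behavioral2 Network table
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "73.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "200.163.202.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "102.209.201.84.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.205.248.87.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
]


def ptr_to_ipv4(name):
    """'104.219.191.52.in-addr.arpa' -> '52.191.219.104'; None if not a valid IPv4 PTR name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        # IPv4Address validates octet range and rejects leading zeros
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def resolved_peers(rows):
    """Decoded addresses for the DNS rows, in table order; non-PTR names are skipped."""
    peers = []
    for _country, destination, domain, proto in rows:
        if proto != "udp" or not destination.endswith(":53"):
            continue
        ip = ptr_to_ipv4(domain)
        if ip is not None:
            peers.append(ip)
    return peers


if __name__ == "__main__":
    for _country, _dst, domain, _proto in NETWORK_ROWS:
        print(f"{domain:35} -> {ptr_to_ipv4(domain)}")
```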
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | 1e3547ecb2ca2b4c5c17873d41d67446 |
| SHA1 | d98d1a1fcfb5e09e3d1351866b5577eb94e6d6e4 |
| SHA256 | 6525b4331b390cbdfecc329ce55aaf6009ac0e8eaf7202c76e3e80dd085ab73e |
| SHA512 | 9fa15d36ce33b81a01615415965a7741936f3fbe5c1f5544b6eef2fe1327bdb02c29f5ee7ed5eddf61e49b008b670e2d5278c66def078fb9cdcf9acb1c646bed |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8dd51ed7c0fd42f6ba68db74bb1f8af9 |
| SHA1 | 1339bd2ff1b739b0e136f55201fcb05ae032d8e3 |
| SHA256 | 8f2896a479a10e9a773b7857d8a38880a82a73fdf0719b458ab3208bfec51924 |
| SHA512 | b4c04af7d2527780af0a5397d0a8772e4488bbf02fb4e88fe4c1c42dad391dc1839e4c67a021519cb98754d8a467112049f061a3aa6b1f992a4d6e3066eceb53 |
C:\UserDotB5\xdobec.exe
| MD5 | 0bff6a8bffb6b865fbe4908d666b07ee |
| SHA1 | 5e176ff62c86ebbdaab5e545079308f50395f3f6 |
| SHA256 | 1eb6a2dfe3b351441008aee76bdb1d3a3300807adc21d0dad4766ded0fe17855 |
| SHA512 | 6a6d353a1d440a17b0b10022744e48ce835c6b0a92b97224dff9d7f00f6e0a619ae3c0ecaeb891c68baa42a686e14df25712d05c5893b56d84075279e3cf1a2e |
C:\UserDotB5\xdobec.exe
| MD5 | 1773562780076bc0357f512c14a1bccd |
| SHA1 | c19a79776bfc220c44b3577fe3594b5ea7e48ac6 |
| SHA256 | d58f8e820f627b9e38d5ba12c64762809f9751da31e545824f53336fde4fe933 |
| SHA512 | ef7acc9f815c8b57128c2f01b5edc0d77e8cd20568dc7392f1dbb19f9f90a7ac3d9950e0233b508c1caa6faeb391c3ba6c141336fa0944ecea7f2fd68133f3cb |
C:\LabZ4W\bodaloc.exe
| MD5 | 0df908c3f34fbe60c1fe418a7842f0d6 |
| SHA1 | 9e06bf1856e2a22d23bc18f23ea136707a3ee04a |
| SHA256 | 63eaa615fe2ea566029633e313e69d4feb59dadd21f62e803a01b7c9a7a522a2 |
| SHA512 | 6bcccb26eda145143e3f67a45f3ab0a43734096044f513353427e5d8e861c444e809c533ae95c3b1850f74d3cc31ab1dd0efbdeaaeb7172059a177b33f5f421a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e096f89193d31f2f5daea4549f7da64d |
| SHA1 | 6d8002acfd71dc968921c32b7b48fe832b43a832 |
| SHA256 | 877bdeac6e06a0043c0e0a808a2d25069287f546dce1fb782b93480e25bc6141 |
| SHA512 | 98a9a2c7126d4303444e8d82a6a67b23e7607e116e73281f518c1d5d8a3cfbb0796037f8718e70b7559c8261b35d27939d86ed278e466b1bd2df208d31eb2b04 |
C:\LabZ4W\bodaloc.exe
| MD5 | ce71db63a4047ef756d5c7390422c1a6 |
| SHA1 | c31aab720f97e086fd1e8d7538cb486e86f9cf40 |
| SHA256 | 3c6a9e7a7b7b05a44d0a83f80d525aa0a12df149d1eddc9d9e776a841b3dec90 |
| SHA512 | 3afc0ac85c5881f27778fba1156b047b06a16f1f334f1d24c53efbe42b66b416588f3aa6b4ffba1a97c51d5b384dc41070d0546dbbfb5aa7a9812111c49e1ca8 |