Analysis Overview
SHA256
d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113c
Threat Level: Shows suspicious behavior
The file d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 01:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 01:19
Reported
2024-11-09 01:21
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\FilesOT\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOT\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRX\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesOT\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
"C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\FilesOT\xdobsys.exe
C:\FilesOT\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| Hash | Value |
| --- | --- |
| MD5 | efcd8aefdb73e99d0de812d7f113a7c8 |
| SHA1 | 9424344c76ce12dc8c811f785bd90dbaddc74cb7 |
| SHA256 | a678197c85e5c1ed4c40e17e2d0c8e92dd8d757ac3c965e5767f2cbb3bb8e478 |
| SHA512 | 5cd2c0b8f7d247695b15f2920d4173c7dfd98cc9ab2ffeaace7523b94aa46bdb4667b521b61ab70a01ec99b68aab60d871dc9e1bdd88daca8621c3f90273d7ee |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 34f3c4d39001897f4421795117f84c8e |
| SHA1 | 76ab80295f178e7e9fba0c29e7ae340e80147306 |
| SHA256 | e3ef49a601373e6399f416a5c100a3e4f616aa350a57b382876525fb584b6391 |
| SHA512 | 83c04cf1f9dab30b6cb966fc42844775998f38f2ed82b36d3cf5df6c96d54bedea5461bb0b45964c9497bcf52d4f1620c6665550f37441db9f031a89fd6a1548 |
C:\FilesOT\xdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 4d9cf771fb8e74a81c50672c908d776c |
| SHA1 | 53284bcaeec8a6a73c8b3514b1e2715c498de845 |
| SHA256 | e9443a1a72f434f1b4ff26caeb142b9a999a7c5ab2e99a442049c1d6acf5c4d1 |
| SHA512 | eac6f863c9b02fd4c497baacfce748df9f3371874fac9b62ff8c4ab1a8ae4dc4aa41adc002c4314e0caf26bbc696e06b3b17e64e99252491a47c424712a135cb |
C:\MintRX\optidevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | ebdc35d7254c99def9219917c79662f0 |
| SHA1 | 778cab0923645fd7b82b64146c66feea9a1801b8 |
| SHA256 | 5278fcc45f79b614aefc74622d200753e7bd388b0ec499bc3cea4843d68a0b4c |
| SHA512 | 4be269edb11d776925ed68d44cd7288152fde38b412646fbef10ae7a7c171cc90e33b3ccad7cae7bbd3dafafbbc6b8f9e512644f21e2df767da17b3651d559bf |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | c438ea64186f522af644e1f3d0a69dee |
| SHA1 | a7e81174feec195e30047b4f3ac9aa5a2e2c3868 |
| SHA256 | dd2ff09e6dfd828794000d6f1f19627c376cd239a073dfb5fa39e8edf1aa0294 |
| SHA512 | 469f98afeb76a7febb9c0e268a39fcdb729fe9cb563900b8acac146b3c3e0966c068f6b2321088b9151f30e7a9a50f37942add0ae92de329d40625147ef8dd37 |
C:\MintRX\optidevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | a1e8daec3c0529d0c84653e594c674e6 |
| SHA1 | 4b4dbbd2659b9766aa856d9fc68b2cd1b9670670 |
| SHA256 | cc81ba9b96923f610c291d2334f98e804a8494614f0498e4b5d1d5bf4a7852bd |
| SHA512 | 36230da409ec282d6c7a25b7221cd2ff65cc179d6d5e0c95ae503a2fd71f43c4d58528ec7a874bb22e86954716f1df62e5e56cbbfe1bb51563d243237df421e3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 01:19
Reported
2024-11-09 01:21
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\Files3X\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3X\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidEI\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files3X\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe
"C:\Users\Admin\AppData\Local\Temp\d5f12d230736a4c53bc3804436e7b61c33de95da8439dddbb617484f6a37113cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\Files3X\devdobloc.exe
C:\Files3X\devdobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| Hash | Value |
| --- | --- |
| MD5 | d19b929827d354495470fa4e167c6839 |
| SHA1 | 8f3e82446bd8e2540b5ba1c2583e953d90c3b02e |
| SHA256 | 3555a446a96fbfb9b894f61719777feeb594640b494f681b4768ecf48cac0c23 |
| SHA512 | ac534f3737d7e8df9c0b411c64621027198b419604f016ecfd9326ea6d0e0c9a1437a7140cf34fadc710a1c6936e6bb26c28ba31b7a1a0b6c5729f0470f89824 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | fd18659289fa188a33b2c00821b73614 |
| SHA1 | ce425aae5ac7a10e9f967740ca4f5a4c8581786a |
| SHA256 | fa7e0362559c7ac7e8f24df15b66714f46b0a0d6c6dc01bb7429b5926ccc5eb4 |
| SHA512 | 51dfbeeac84cb591d38319266b1fd5d9bf6206d5e166bce1e22b3746c63ff570e3de7d7d58eb40c6fc6d5a36a8d4950787b03203668517a54252b7b6720b2fb3 |
C:\Files3X\devdobloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 0d0837fc57dfbd33269439426341a684 |
| SHA1 | af075cec6c3c240c456526ea9e7d77c4c3a4dd69 |
| SHA256 | 39897b94384d84cb544b37594e0fda17ea6e6daedd11b6764452560bf0e62534 |
| SHA512 | ab766a6a007a946e550db347a976b98d1313c656905f9b64230711cdc865af8efd874b81d8fa58f689fd36e69b445b229599985669d9c339288b97be296a8182 |
C:\VidEI\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | c0d1bd164f639b6fa712e27e4c1d5b9f |
| SHA1 | 853bfa7980b5b5fdcff3d16fbf8ded82b8f0f67b |
| SHA256 | 06baa796303d3bf1cd0bc634a45d812d892fccb099566ed2a6f1e006101e9d7b |
| SHA512 | f1fa867eed4bbba71c5d4f3786a276a3f61c5d76a197450683938c5f8cb4e1e178f38d9a81dd66fda0828cddda8de19ba9a283f1d2da7adef1716aaedf4a9ef0 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 553732abc93bee21a254326f8af6f514 |
| SHA1 | 340daed6819acf752c6b4802499fe1fccc944d05 |
| SHA256 | 912ffca1f4fc604b337d487ec66ef29e0ddfa11bc02365a87b71f6c8141885e4 |
| SHA512 | 719d4d75272be1f402db8ca9e0542aa099593c18ed2e0c5429135f288039e70272707f2b40fbc8cf90b11a8cb46f417b0b7a7f749ac5af47053c767451a3ed3c |
C:\VidEI\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 56044aa01c5c1a3c2c13e12ab92c0dc3 |
| SHA1 | 97eb1490e48894f7d324b2f7d0a2b70440107295 |
| SHA256 | 5994cfddb99b9641a721319a369fbf93870634852f214d8cc031411a96d894ce |
| SHA512 | 0b761bb74aca7a5a44cd13e4cdd97372cb0f968625864c7fe46a7f7d184d89e95d7f06f4142bb2bc55712d08a652374b401a70fb9e0f918f3175f109e2b82dc8 |