Analysis Overview
SHA256
07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347e
Threat Level: Shows suspicious behavior
The file 07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:11
Reported
2024-11-13 15:13
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\UserDotFH\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint3U\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotFH\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotFH\xdobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe
"C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\UserDotFH\xdobloc.exe
C:\UserDotFH\xdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | aebb6c9293b9a520cf1f4221b5946391 |
| SHA1 | ed2446ed55d5e530d255f0aaf33fcbd95a78c57d |
| SHA256 | c50df23a0688f2934becc60cdb0be985fc4922037606c16d244f7d70449068e3 |
| SHA512 | fdc1160b6e040ec978c87f9c370405f9dea5c2af7cb03c36165d86536c5e86f1b969fa7b9ee5d6bb68e2c17f5ee72fb2bf85ed0c41b305b143fa6e221beb9422 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6fa87360a2e5e8c1792969cc1abf74ab |
| SHA1 | 4a094f21465adf4db2ea1f1e44ff24b00c975d01 |
| SHA256 | e130ae1ff8ab38409d20a7c7547d39a67258ccdc923242d36558f3c03727b61d |
| SHA512 | 15ddd91d470593c01694142c9ff2cf67b2da0376fb72086541daa10999584b87016d4d46831c9e63c7b6e4b645307f9f3f538749b332b88290e4b803f82063ce |
C:\UserDotFH\xdobloc.exe
| MD5 | fa759a8d1b29b8efda5972659131b05c |
| SHA1 | b42bd9538e9baa2a2df96b7289a0b0d7fd07c775 |
| SHA256 | 38cdb2493bfb1d55b51201549752aaa70b9bbc6d39e8cf7abe4c2ed4619aafc9 |
| SHA512 | 082bdfaffea0ee93e5d5af1151ce3ae4b69c24db3c8b0665dae012a5947941db0e52506eb8656bcc352befa662a5ca8dc798b86d3fdc61b012b38946ab5b750e |
C:\Mint3U\bodxec.exe
| MD5 | be6504d8d66e0676d1dbc26a533a5427 |
| SHA1 | 22b945f85809d8dd376053dfe26963f3e10a8706 |
| SHA256 | 084e2c387839644ebfab1c5c4bda2b9d3c4b49e99c2e8858f5dc28dcb49f58af |
| SHA512 | b036d0bbde2423ba7c7a90813ebe404b0fe35a355fdc6278fe0ce1407d8816abf66a30209512384d56831cddd0ad8c67433f36918f33259631c9a86c15ca61d2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d6e76da24d38ef77779ea240bdacf877 |
| SHA1 | 425508df786f7d5a7103aa40d584280f38427391 |
| SHA256 | e511e67a77049070a8d195a8f22e0f59f6899daee0c249e6b148fdb0aac86b69 |
| SHA512 | 987c31d0159bc842dac0b9b256301cf89e16a886e3b3aaf3a79f878f590c8b31c61d1302e42489167465690a7d1c821a0513d4fa8a69ea7b6c1bac226d7bcb15 |
C:\Mint3U\bodxec.exe
| MD5 | 8e93216596f0731aa114277b6e0f330c |
| SHA1 | ee134ee2cadd39650844e47dd0b558ae98973020 |
| SHA256 | ab41fee35b00d95eaeb183eb5c33bf2851ad3cc4d3bc26c8881fa8a4fcfdece1 |
| SHA512 | ef423999b16124dd9a08d0043f0a9726f81c7e72790335d059ec1e81aa0cd3b4e70e91ea4fceffad785a2412b0a91862faf8645d114f2b96d7c47867b96c7d82 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:11
Reported
2024-11-13 15:13
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\UserDotD6\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotD6\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPA\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotD6\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe
"C:\Users\Admin\AppData\Local\Temp\07d39ebb1bf295c8331630d5f650fe43316d1eca6ea934fade9f7537bf72347eN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\UserDotD6\adobloc.exe
C:\UserDotD6\adobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| MD5 | 49466e5e58bcc4174a738b4df59f21c0 |
| SHA1 | b41ad81deac3c8c4fc21c5e4aecaa747f2ac0d43 |
| SHA256 | 6e5353f166c0b3478666a666375db7718cb2009081476646100cde8985cf1ccb |
| SHA512 | 39e5536403329f97f1614cc51891ba144e4d7fe38973f6eae93968e6b3243215b9e7c439e253c1b5582602c9d0563b8f1dc3be55596b6285abd35485a56694b5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a690b0751089f68e49336d6b944c6293 |
| SHA1 | 5c5d2ed3e5b04cd0d5d0e106c4815e4bdc7cc867 |
| SHA256 | bc9c2ef7e87abac6ff2cd4f8824e95b7767733e858bb8c60974584f1c4dea853 |
| SHA512 | f48fb0cc9ee9b7e3ef4396a94d17e8aca1107b676945fbb232a167d3c09e338f9a9a122f7a80ed41fbc1a7e758ffbadc467c8d9cd94f5a7eab756bc550f36922 |
C:\UserDotD6\adobloc.exe
| MD5 | 4758e47180382008eed8aefa9dbc700a |
| SHA1 | 55799fe005f6ff94e6f54d407c0bd086030361b6 |
| SHA256 | 15a0ddbf6d6b094de36594af1cc5112e2315fa3c0288508eb83e32884836d981 |
| SHA512 | f204c579bfe900a7c2ad24bc0f8099c683f03fb2f280918fa1bfb31ec4c4637be343d57a758c10a736a8f694deabbf8e92438cd081cc0bac8b49230876a85c2a |
C:\MintPA\optiasys.exe
| MD5 | da16fa4f58ba51ceb3b13218ecc7b4c7 |
| SHA1 | 3a166f306cd2c459e4244f51d5275fb81bce4bf0 |
| SHA256 | 495ed06a573d616dad9a68df0a44290d906c9a7401ef40593da3de9844fd221c |
| SHA512 | 414733cd9d20015eb1f0250fe101029214f5bd16a60b787c363c64a08f9db98afe742c7d7d819de8586e3a4366615c779afd032fc93e72cd3b0014f30ce3f71b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 13c2a7e90a264afd0ac7e5d51d27c538 |
| SHA1 | b232f2b418fc4df2afbf16a288aca1d21d14db83 |
| SHA256 | 2532fcfe7626076cfa5e663d74d6e5458babe62e27f29cad6acccc89ec1b5379 |
| SHA512 | 49b72cbec83532e269062fea65be74af4392e13b25947fe159f80ae0fff202276ee3740c567fa98804495dd3826ce9529a77a8918a1e803378b7a30d9863f6ca |
C:\MintPA\optiasys.exe
| MD5 | 1494aeb7547d386de37dd8519bb74af8 |
| SHA1 | e385c953df5e38ddf2246dd5b58220ac75c0c02f |
| SHA256 | 4f9f866535cd5c2c1197d84112fc200f379477b0e7df2b5342406684324eb436 |
| SHA512 | f93172a6acffb4912311de5b45469dba07fb9ce12c6fd023a75ced287d68b82670d7b47c166009f9ee987678e61348e72018757fdc58faa635af0198e2daf77e |