Analysis Overview
SHA256
b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea
Threat Level: Shows suspicious behavior
The file b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 16:02
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 16:02
Reported
2024-11-13 16:04
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\SysDrvGE\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvGE\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQ6\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvGE\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe | "C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\SysDrvGE\xdobec.exe | C:\SysDrvGE\xdobec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvGE\xdobec.exe
C:\KaVBQ6\dobasys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVBQ6\dobasys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 16:02
Reported
2024-11-13 16:04
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\UserDotAZ\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZL\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAZ\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotAZ\xbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe | "C:\Users\Admin\AppData\Local\Temp\b8eae9230a42e8961e810c744ef9041afced895b26035cb0f08472184ed91fea.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe" |
| C:\UserDotAZ\xbodsys.exe | C:\UserDotAZ\xbodsys.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotAZ\xbodsys.exe
C:\UserDotAZ\xbodsys.exe
C:\MintZL\boddevsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintZL\boddevsys.exe