Analysis Overview
SHA256
f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991
Threat Level: Shows suspicious behavior
The file f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:35
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:35
Reported
2024-11-13 19:37
Platform
win7-20241023-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\UserDotN3\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4I\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotN3\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotN3\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe
"C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\UserDotN3\devdobloc.exe
C:\UserDotN3\devdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 3b27597bdd8f032cd29673d81cd284ab |
| SHA1 | 196407f9a97aa91d6a4ad9eb977ffc12d92af339 |
| SHA256 | 1f7407376793b620dc7186e1f07cdbe21bf80171958a0df8b9548318579ce07d |
| SHA512 | e8e23b030ea3e9b9b06523985a9302388b94865d45e4cab0de84fb15789b4eda32eec4100892c9c2bae0d00d89a0e87e21b479c8dba567faeebb09e360bc2c33 |
C:\UserDotN3\devdobloc.exe
| MD5 | dabe842a5a4ef0cd859ab859fccfadee |
| SHA1 | 8898a82c0945d884407839d076c99d9affb786d9 |
| SHA256 | 26c0c31fb4fc2e8bf210112f55e1edf2a775e1d04685832bfcf1af3fcfd4712d |
| SHA512 | 2b467b8a9f412b7a14b2f24ca4e82329994574dae7ced0bd73b45b30a8a88bb5b9a199c4bcd32e4a14188609c87d20e0def04e8748c0ada46a6b23b18c0946e2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 362cc9fd7ab3c9c0a3a9599e033cc36d |
| SHA1 | 0d1a74c0f541ab128963dc5ec1ea890920e87424 |
| SHA256 | 719808dbb83bde84464e385ea56919223628ca48544701ac384160232df13744 |
| SHA512 | 47619eb8ec3f2a61ff9172b131fc2ffe063eeba2f9b693b1ea8ed1b051c9f1a2e6991f016c06c44512999ffedc20233785297c5d092b2226de1d6476fa973f3a |
C:\LabZ4I\bodxec.exe
| MD5 | e4ad55bbad99e8e318ed04d8d3577ef1 |
| SHA1 | 94b738e0654db5e01978c9fb624d0aa41e51d79e |
| SHA256 | 90835555fcf497fc09b1dde5610b9aeae14ab5d4111264e734bee4f5018c0ad9 |
| SHA512 | 3408e10d9f3e7b5815406714b268c3cdaac6d3c7a21aaa452c02ae93b4f091718dd04118d8079c6a150f5fb751e11a3305be6c7de2ee3319c5ddc05f299d9cd3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b7599d773be77e35045c18930b048c20 |
| SHA1 | 3989674e68bf47856944c45997aef08a43b58aba |
| SHA256 | 514d425e4e1ac2e682c14859c92c502eb09e5d61d6fbe5f2c152c5944523585e |
| SHA512 | 40826fba6ff2f40faedfe35195c8856a8a80da39144bc484387a4276ea2183f8dd00db70accb5881e76dc489bc9ccfc859001e5320e1017118ff2b28dfbf7b5d |
C:\LabZ4I\bodxec.exe
| MD5 | 6f786bf0e447ef27215da2a970ecf30a |
| SHA1 | 9e8b4732c42db131d047bdace7fe87fd97dcb0e9 |
| SHA256 | f1e8876a2547a3c763a7d299be1395d7e96c595948b3fc26fa50d50c50c95da8 |
| SHA512 | d1a44c9bf40e1b80b34e5bf55fe6b2da396d8b3d287053b4ef0b497f05e1db946bcc189db1f9c633868d4eedfd8656effe30b2a916d2b83d6ef0db44f862f9da |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:35
Reported
2024-11-13 19:37
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\UserDotX7\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotX7\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint5X\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotX7\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe
"C:\Users\Admin\AppData\Local\Temp\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\UserDotX7\xbodloc.exe
C:\UserDotX7\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 587318ee01c813514e42d9efa67e6114 |
| SHA1 | 2e17464dc96fdf636bb3fb82df9d148996f1972a |
| SHA256 | da55f0ad2751856c2b521fbe8200da6b2d9cfe52394cd00b2238bef6146c1511 |
| SHA512 | 63a18d9d2db027754e603278580f0a0b352173dfebbf47e6b7d45dcecc970be30281562954040069ee6045f5f6cac984c308b2a1a47ff70deeb1ecd54208a109 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8d433c1d6567631fa6fb3a0052a9a062 |
| SHA1 | 9c1528c8426cf5ab24bc7380c10e1d316f07210c |
| SHA256 | 670911d13e3ca28087217fbfb0f0ff6a030b27001fc79ff0b8aa49dace3e9d9b |
| SHA512 | e2f7d44507a5c60ac3494ca47b556dfcac0d76d5cca13362724fd3f581caa8d18399127557e957d5509a69d1859c71a99df2fdd7f8a50dd379b9251114801c81 |
C:\UserDotX7\xbodloc.exe
| MD5 | 4d1b5952ab1fd516c327f6be2a312ad6 |
| SHA1 | 7cb369aeef4c541adaa153604a79861f239aece7 |
| SHA256 | d2403212dd79475366b911f89872556928260abe8c9057559bd13372be254fcb |
| SHA512 | 2ff79532a00782c545fcc4d51d34dd8f0292fe6ba90db4e8861ad0b13783ae4565856301c7868d5f2e214aded1f5364b5c3260712b0112c41e0574af686169d1 |
C:\Mint5X\dobxsys.exe
| MD5 | 6cd629ba20e1f743bb284df793d9ccf8 |
| SHA1 | f5d466974722d09776fda6aec372a27194636192 |
| SHA256 | d74785e2f85dc3d4f31297a4600292a164bec7045038bfe2344239f0348a6274 |
| SHA512 | 450f68f74bfe38cd076be06f377c288fca55ba080b2b8dbf262cb2f11c0ceac44750e591491381d385f116c1562029d5a3d80aeca9f63b4c3e79e3debc85089f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 189df933c9479fb6a2ad5d900b304c1d |
| SHA1 | 277049bb0ee37941cde4f81afa16ef53a27a682b |
| SHA256 | 31d320972d293e32cf22807c22d6f0592670086480d9468f09beea33c7227b42 |
| SHA512 | 6411b5c69ba3cfc94388c3ab1bdfe1e1578963f7004368d43ad21881f345b4a5669fecf008c90fc5bb6790cc1ac5622ab6684eaa9c167e3b5238bde189f58d85 |
C:\Mint5X\dobxsys.exe
| MD5 | 591a5e67e50a03805bb3456286c8fce5 |
| SHA1 | c2e646b8dfa32a758586c58d3427f96820d7eca5 |
| SHA256 | cc799bdf2e1e07ef0ff464a0934b22a3d3e39d110747c0651caa8c5c986a2363 |
| SHA512 | 4fe4723235a25ceb9e26d7e24976cc1bff7df1aed5c6d8fdcdb5ec112e1729f5161aba609da8f238ac5966869806758dcfc6c4dd120d41a561d27cdc62fcbcf7 |
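Hunting note on the two detonations above (behavioral1 on Windows 7, behavioral2 on Windows 10): every dropped file name and directory changes between runs (locdevdob.exe / devdobloc.exe / bodxec.exe under C:\UserDotN3\ and C:\LabZ4I\ versus ecxdob.exe / xbodloc.exe / dobxsys.exe under C:\UserDotX7\ and C:\Mint5X\), and bodxec.exe and dobxsys.exe are each written twice within a single run with different hashes, so file hashes and paths are weak pivots. What stays constant is the shape of the persistence: an .exe dropped into the per-user Startup folder, an HKCU Run value and an HKCU RunOnce value both named `Parametr`, and both values pointing at an executable in a freshly created directory directly under the drive root. The Python below is an added example, not sandbox output and not code from the sample; it encodes that pattern as detection logic and runs it over constructed Sysmon-style registry-set and file-create records built from the indicators in this report. The record field names (`type`, `image`, `target`, `details`), the benign control rows, and the allowlist of root directories are assumptions.

```python
"""Detection logic for the autorun persistence pattern seen in this report.

Added example: not sandbox output and not the sample's own code. The event
records below are constructed from the report's indicators; their field names
mirror Sysmon EventID 11 (file create) / 13 (registry value set) data and are
an assumption, not a format the report itself uses.
"""
import re
from typing import Dict, List, Optional

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\f03ae703025ad1f2ada0980663f4a570ac45fde0a8432c3e55f15842fca12991N.exe")

# HKCU Run / RunOnce value set, e.g. ...\CurrentVersion\Run\Parametr (case-insensitive:
# the Win7 run shows "Software", the Win10 run "SOFTWARE").
AUTORUN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE)
# An .exe written to the per-user Startup folder (locdevdob.exe / ecxdob.exe).
STARTUP_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE)
# Autorun data of the form <drive>:\<dir>\<file>.exe, optionally quoted, one level under the root.
ROOT_DIR_EXE_RE = re.compile(r'^"?([A-Za-z]):\\([^\\"]+)\\[^\\"]+\.exe"?$')
# Root-level directories allowed to hold autorun targets (assumed allowlist, tune per estate).
BENIGN_ROOT_DIRS = {"windows", "program files", "program files (x86)"}

# SHA256 of the dropped executables listed in the report. Two hashes per bodxec.exe and
# dobxsys.exe because each was written twice in one run; names differ across runs.
DROPPED_EXE_SHA256 = {
    "1f7407376793b620dc7186e1f07cdbe21bf80171958a0df8b9548318579ce07d",  # locdevdob.exe
    "26c0c31fb4fc2e8bf210112f55e1edf2a775e1d04685832bfcf1af3fcfd4712d",  # devdobloc.exe
    "90835555fcf497fc09b1dde5610b9aeae14ab5d4111264e734bee4f5018c0ad9",  # bodxec.exe (1st write)
    "f1e8876a2547a3c763a7d299be1395d7e96c595948b3fc26fa50d50c50c95da8",  # bodxec.exe (2nd write)
    "da55f0ad2751856c2b521fbe8200da6b2d9cfe52394cd00b2238bef6146c1511",  # ecxdob.exe
    "d2403212dd79475366b911f89872556928260abe8c9057559bd13372be254fcb",  # xbodloc.exe
    "d74785e2f85dc3d4f31297a4600292a164bec7045038bfe2344239f0348a6274",  # dobxsys.exe (1st write)
    "cc799bdf2e1e07ef0ff464a0934b22a3d3e39d110747c0651caa8c5c986a2363",  # dobxsys.exe (2nd write)
}


def is_known_dropped(sha256_hex: str) -> bool:
    """Exact-match check against the report's dropped-file hashes (weak: differs per run)."""
    return sha256_hex.lower() in DROPPED_EXE_SHA256


def suspicious_root_dir(data: str) -> Optional[str]:
    """Return the directory name if `data` is <drive>:\\<dir>\\<file>.exe outside the allowlist."""
    m = ROOT_DIR_EXE_RE.match(data.strip())
    if not m or m.group(2).lower() in BENIGN_ROOT_DIRS:
        return None
    return m.group(2)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the three behavioural rules; returns one finding per matched rule."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            m = AUTORUN_RE.search(ev["target"])
            if not m:
                continue
            key, name = m.group(1), m.group(2)
            if name.lower() == "parametr":  # value name identical in both detonations
                findings.append({"severity": "high", "image": ev["image"], "evidence": ev["target"],
                                 "rule": f"HKCU {key} value named 'Parametr'"})
            root = suspicious_root_dir(ev["details"])
            if root:
                findings.append({"severity": "medium", "image": ev["image"], "evidence": ev["details"],
                                 "rule": f"HKCU {key} target in drive-root directory '{root}'"})
        elif ev["type"] == "file_create" and STARTUP_EXE_RE.search(ev["target"]):
            findings.append({"severity": "medium", "image": ev["image"], "evidence": ev["target"],
                             "rule": "executable written to per-user Startup folder"})
    return findings


# Constructed records: four taken from the report's indicators, two benign controls (hypothetical).
SID_WIN7 = "S-1-5-21-1163522206-1469769407-485553996-1000"
SID_WIN10 = "S-1-5-21-493223053-2004649691-1575712786-1000"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": DROPPER,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"},
    {"type": "registry_set", "image": DROPPER, "details": r"C:\LabZ4I\bodxec.exe",
     "target": rf"\REGISTRY\USER\{SID_WIN7}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr"},
    {"type": "registry_set", "image": DROPPER, "details": r"C:\UserDotN3\devdobloc.exe",
     "target": rf"\REGISTRY\USER\{SID_WIN7}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr"},
    {"type": "registry_set", "image": DROPPER, "details": r"C:\UserDotX7\xbodloc.exe",
     "target": rf"\REGISTRY\USER\{SID_WIN10}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr"},
    {"type": "registry_set", "image": r"C:\Program Files\Vendor\setup.exe",
     "details": r'"C:\Program Files\Vendor\updater.exe"',
     "target": rf"\REGISTRY\USER\{SID_WIN7}\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['evidence']}  ({f['image']})")
```

Of the three rules, the `Parametr` value name is the strongest pivot because it survives the per-run renaming; the drive-root directory rule catches the same family if the value name changes but will also fire on sloppy installers, so it is scored medium. The .ini written to C:\Users\Admin is likewise host-specific: its name embeds the OS version (6.1 on the Windows 7 run, 10.0 on the Windows 10 run) and the username, so it is not a portable indicator either.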