Analysis Overview
SHA256
f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3
Threat Level: Shows suspicious behavior
The sandbox classified f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3 as showing suspicious behavior; the report records no malware family and no verdict stronger than that.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:25
Reported
2024-06-03 05:28
Platform
win7-20240220-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Intelproc46\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc46\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3M\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2080 wrote to memory of 1968 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3.exe | C:\Intelproc46\adobsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3.exe
"C:\Users\Admin\AppData\Local\Temp\f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3.exe"
C:\Intelproc46\adobsys.exe
C:\Intelproc46\adobsys.exe
Network
Files
C:\Intelproc46\adobsys.exe
| MD5 | b9037f2212ac783012b3e4dd8c2e8783 |
| SHA1 | 442dc5f528d1d2f957b804e4b95b931a0acab4bb |
| SHA256 | 3fe4281085255bf98ef63daa5987595292a64c39af0bec3c64de414b6f9cb779 |
| SHA512 | aa7dc8389d799c362c355f347872b9723b1b47f68c26d9b06e9649617355820a374b166b6381fd895ff20b9b824f1d932c1aff92b14038dbfa96071da48776ad |
C:\Users\Admin\253086396416_6.1_Admin.ini
Note: the 6.1 in the file name matches the Windows 7 kernel version of this run and Admin is the sandbox user name; the Windows 10 run below writes 253086396416_10.0_Admin.ini with the same numeric prefix.
| MD5 | c97847525031b8973cc50a61a7f5248d |
| SHA1 | 3977b7617b197b30067b6a5b08e509e00a54c268 |
| SHA256 | da25e933ac75f93445f06bd1ccd2cda329f4a4014bd2c92330bf4be260d97c49 |
| SHA512 | 20f5cf1f326a1c15e828555d5163ca4e7c965318ed1091e6ce098de66db293c2e4f623de35c0c74ccf0c08b5053cc2d8785f37d47a082367dd344338bf080665 |
C:\LabZ3M\bodaec.exe
| MD5 | e3ad4eac2b7e4dada7bdc34d6327f245 |
| SHA1 | 1e0b4684fd8c614e728f0477a9cbaa8b9f87b0ee |
| SHA256 | 5d3b5c46a9af97c94155f875650f45aadffa303317165e301e176641b216c760 |
| SHA512 | 4cd4cac0e94fd394781572a5f6c994451817ae046e1bebb262b8341f94e8a84ddd86fcfaec3cf5403644149f0f146412681a0bbacb1fd4746f8cc4a100f9ddc0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:25
Reported
2024-06-03 05:28
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\IntelprocEC\devoptisys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEC\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBIO\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3.exe | N/A |
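Both behavioral runs persist through the same registry value name, Parametr, under the user's Run key (with a RunOnce entry for a second dropped binary), while the directory names under C:\ change between runs. The value name and the autorun key are therefore the stable pivots for a hunt, not the paths. The following added example (not part of the sandbox report or the sample) parses the four "Set value (str)" indicator strings above exactly as the report prints them, maps the native \REGISTRY\USER\<SID> form to HKCU (and \REGISTRY\MACHINE to HKLM, a generalization beyond this report), undoes the doubled backslashes in the data, flags targets that live in a non-standard top-level directory on the system drive, and renders the Sysmon Event ID 13 TargetObject form (user hives appear there as HKU\<SID>). It assumes the value data is a bare path, as it is here; a command line with arguments would need extra handling.

```python
"""Normalize the sandbox's 'Set value (str)' autorun indicators into hunt-ready IOCs.

Added example, not part of the sandbox report. The indicator strings below are
copied verbatim from the two behavioral runs in this report.
"""
import json
import re
from dataclasses import asdict, dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed from the report's "Adds Run key to start application" tables.
REPORT_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc46\\adobsys.exe"',
    r'\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3M\\bodaec.exe"',
    r'\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEC\\devoptisys.exe"',
    r'\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBIO\\dobdevloc.exe"',
]

# <native key path>\<value name> = "<data>"; the data keeps the doubled backslashes the sandbox prints.
INDICATOR_RE = re.compile(r'^(?P<key>\\REGISTRY\\[^=]+?)\\(?P<name>[^\\=]+?)\s*=\s*"(?P<data>.*)"$')
USER_HIVE_RE = re.compile(r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-\d+-\d+-\d+-\d+)\\(?P<rest>.*)$', re.I)
MACHINE_HIVE_RE = re.compile(r'^\\REGISTRY\\MACHINE\\(?P<rest>.*)$', re.I)   # assumption: HKLM autoruns, not seen in this report
AUTORUN_KEY_RE = re.compile(r'\\CurrentVersion\\(?P<kind>Run|RunOnce|RunOnceEx|RunServices)$', re.I)

# Top-level directories normally present on a Windows system drive; an autorun target
# anywhere else directly under the drive root (C:\Intelproc46\...) is worth a second look.
EXPECTED_ROOT_DIRS = {'windows', 'program files', 'program files (x86)', 'programdata', 'users', 'perflogs'}


@dataclass(frozen=True)
class AutorunIOC:
    hive: str                 # HKCU or HKLM
    sid: Optional[str]        # SID of the user hive, if any
    subkey: str               # path below the hive, e.g. Software\...\CurrentVersion\Run
    kind: str                 # Run, RunOnce, ...
    value_name: str           # Parametr in this report
    target: str               # path written to the value, with the sandbox's escaping undone
    odd_root_dir: bool        # target sits in a non-standard directory directly under the drive root


def parse_autorun(indicator: str) -> AutorunIOC:
    """Parse one 'Set value (str)' indicator string; raises ValueError for anything else."""
    m = INDICATOR_RE.match(indicator.strip())
    if not m:
        raise ValueError(f'not a Set value (str) indicator: {indicator!r}')
    key, name, data = m.group('key'), m.group('name'), m.group('data')
    um, mm = USER_HIVE_RE.match(key), MACHINE_HIVE_RE.match(key)
    if um:
        hive, sid, subkey = 'HKCU', um.group('sid'), um.group('rest')
    elif mm:
        hive, sid, subkey = 'HKLM', None, mm.group('rest')
    else:
        raise ValueError(f'unhandled hive in {key!r}')
    km = AUTORUN_KEY_RE.search(subkey)
    if not km:
        raise ValueError(f'not an autorun key: {subkey!r}')
    target = data.replace('\\\\', '\\')              # "C:\\Intelproc46\\adobsys.exe" -> C:\Intelproc46\adobsys.exe
    pw = PureWindowsPath(target)                     # parts: ('C:\\', 'Intelproc46', 'adobsys.exe')
    odd = bool(pw.drive) and len(pw.parts) >= 2 and pw.parts[1].lower() not in EXPECTED_ROOT_DIRS
    return AutorunIOC(hive, sid, subkey, km.group('kind'), name, target, odd)


def sysmon_target_object(ioc: AutorunIOC) -> str:
    """Render the value the way Sysmon Event ID 13 logs it: user hives show up as HKU\\<SID>."""
    root = f'HKU\\{ioc.sid}' if ioc.sid else 'HKLM'
    return f'{root}\\{ioc.subkey}\\{ioc.value_name}'


def pivots(iocs: List[AutorunIOC]) -> dict:
    """Stable hunt pivots: the value name recurs across both runs while the directory names change."""
    return {
        'target_object_endswith': sorted({f'\\CurrentVersion\\{i.kind}\\{i.value_name}' for i in iocs}),
        'image_names': sorted({PureWindowsPath(i.target).name for i in iocs}),
        'odd_root_dirs': sorted({PureWindowsPath(i.target).parts[1] for i in iocs if i.odd_root_dir}),
    }


if __name__ == '__main__':
    parsed = [parse_autorun(s) for s in REPORT_INDICATORS]
    for ioc in parsed:
        print(sysmon_target_object(ioc), '->', ioc.target, '(odd root dir)' if ioc.odd_root_dir else '')
    print(json.dumps({'iocs': [asdict(i) for i in parsed], 'pivots': pivots(parsed)}, indent=2))
```

The `target_object_endswith` strings drop into a Sigma `registry_set` rule as `TargetObject|endswith`, which matches regardless of the SID or the random directory; the `odd_root_dirs` list is what you would grep for in a file-system inventory of a suspect host.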
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1636 wrote to memory of 928 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3.exe | C:\IntelprocEC\devoptisys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3.exe
"C:\Users\Admin\AppData\Local\Temp\f05fb2c2dbd0b7ed7bc3b65d4997c5b570870c6a80a4e976b7335c21873389e3.exe"
C:\IntelprocEC\devoptisys.exe
C:\IntelprocEC\devoptisys.exe
Network
| Country | Destination (resolver) | Domain (PTR query name) | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
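Every row in this table is a reverse-DNS (PTR) query sent to 8.8.8.8, one of them for 8.8.8.8 itself, and the report records no connection to any of the addresses being resolved. On their own these names are weak indicators: the report does not say which process issued the lookups, and PTR queries of this kind are also consistent with OS background activity on the sandbox image, which this report neither confirms nor rules out. The added example below (not from the sandbox or the report) recovers the IPv4 addresses behind the in-addr.arpa names so they can be checked against known infrastructure, separates out the resolver's self-lookup, and, as a generalization beyond this report, also handles ip6.arpa names.

```python
"""Recover the IP addresses behind the PTR query names in a sandbox Network table.

Added example, not part of the sandbox report. The query names below are copied
from the behavioral2 (Windows 10) run of this report.
"""
import ipaddress
from typing import Dict, List, Optional

RESOLVER = '8.8.8.8'   # Destination column in the report

# Constructed from the report's Network table.
REPORT_PTR_QUERIES = [
    '8.8.8.8.in-addr.arpa',
    '104.219.191.52.in-addr.arpa',
    '82.90.14.23.in-addr.arpa',
    '95.221.229.192.in-addr.arpa',
    '97.17.167.52.in-addr.arpa',
    '26.165.165.52.in-addr.arpa',
    '18.31.95.13.in-addr.arpa',
    '240.221.184.93.in-addr.arpa',
    '13.227.111.52.in-addr.arpa',
    '14.173.189.20.in-addr.arpa',
]


def ptr_to_ip(name: str) -> Optional[str]:
    """'104.219.191.52.in-addr.arpa' -> '52.191.219.104'; ip6.arpa nibbles -> IPv6; None otherwise."""
    labels = name.rstrip('.').lower().split('.')
    try:
        if labels[-2:] == ['in-addr', 'arpa'] and len(labels) == 6:
            # Octets are listed least-significant first; reverse them and validate.
            return str(ipaddress.IPv4Address('.'.join(reversed(labels[:4]))))
        if labels[-2:] == ['ip6', 'arpa'] and len(labels) == 34:
            # 32 hex nibbles, least-significant first.
            return str(ipaddress.IPv6Address(int(''.join(reversed(labels[:32])), 16)))
    except ValueError:        # bad octet or non-hex nibble
        return None
    return None


def summarize(queries: List[str], resolver: str) -> Dict[str, object]:
    """Unique resolved addresses, minus the resolver's own PTR, plus anything that did not parse."""
    ips, unparsed = [], []
    for q in queries:
        ip = ptr_to_ip(q)
        if ip is None:
            unparsed.append(q)
        else:
            ips.append(ip)
    unique = sorted(set(ips), key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)))
    return {
        'resolver_self_lookup': resolver in unique,
        'targets': [ip for ip in unique if ip != resolver],
        'non_global': [ip for ip in unique if not ipaddress.ip_address(ip).is_global],
        'unparsed': unparsed,
    }


if __name__ == '__main__':
    summary = summarize(REPORT_PTR_QUERIES, RESOLVER)
    print('resolver looked itself up:', summary['resolver_self_lookup'])
    for ip in summary['targets']:
        print(ip)
```

Feed the `targets` list to whatever IP reputation or ASN lookup you trust; the report itself only establishes that these addresses were reverse-resolved, not that the sample talked to them.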
Files
C:\IntelprocEC\devoptisys.exe
| MD5 | dd423717d7c0ed49e527eedc8cff57e2 |
| SHA1 | 3032937d6bb1588e13a63409909d87079b9d9727 |
| SHA256 | 8d6ce742319cb020dfbc6453490e0e0bf779c6b7e0a56a1cff1c8a33a9ae7c2b |
| SHA512 | 54a8c8104ecabc0a5ed6aefd3f1c686aea45781329b9d00f8b262e968ba1784ec52934ffdc8139ac42f892af93aa911d98aeaa6ae354375d43cb91a4fac70779 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 198dca5734e6bd7592bcd85268aecced |
| SHA1 | af203d807161feb516a41986361ea59afa2eb682 |
| SHA256 | a8cd7635308acd781b2a7129110e9d4d3d74c575755b7d192260901812cdb974 |
| SHA512 | 36537c31830d0f08af964285fff3a669a1ec35cd7e80efa7528c07ac84fe7e17cfde5519d3df6bb7545b74b7aed6077fa9f6a32172566ab6ccf3fb25464cb35f |
C:\KaVBIO\dobdevloc.exe
| MD5 | 16ea00910a316bf3089b5c9b5e9cb518 |
| SHA1 | 4098b7e520facb947fda28392afe90ccdcf11580 |
| SHA256 | 4b2fe9a111e11ddce712af7868faac56a29b3b673bf20a91b47438ba4ff7f271 |
| SHA512 | da193ec6099d99b5d16e8a96cd396cafd60faea4cbed8f6a9d7450c07903ca8bf1d2d63c81e2187d0789b6738b53f082105a95efc14887d47d434a51c0179468 |