Analysis Overview
SHA256
f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5
Threat Level: Shows suspicious behavior
The file f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:34
Reported
2024-06-03 05:37
Platform
win7-20231129-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\AdobeXB\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeXB\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4W\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1420 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe | C:\AdobeXB\devbodec.exe |
| PID 1420 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe | C:\AdobeXB\devbodec.exe |
| PID 1420 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe | C:\AdobeXB\devbodec.exe |
| PID 1420 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe | C:\AdobeXB\devbodec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe
"C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe"
C:\AdobeXB\devbodec.exe
C:\AdobeXB\devbodec.exe
Network
Files
\AdobeXB\devbodec.exe
| Hash | Value |
| --- | --- |
| MD5 | 7ec36980a6cb622940bdf56232517da8 |
| SHA1 | d64b0048c3eb76a2e5f8cda964f5df17575e03b5 |
| SHA256 | 540651aa5d0dddc722e00241c038ca43a0eea5e62efde33ecbee1efa56da0fd7 |
| SHA512 | d80d6abd9969ca854fda7533e1bbbfc20320eb2e665f2a97c17f58054f2dadf47835fb34fc289e7773c9f815119f4e58cc57e5a1f0c3dc32dafb61b59263061b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 856e6c53aba5f8da8538d65129d5434f |
| SHA1 | c0bf92dbf1ac021d0e4c8d326bf8dda0cf7b5c78 |
| SHA256 | dfd265fb87b9f4b06235232086652a588e2169b9368a394ba8451753c72ad84b |
| SHA512 | 0d9a7b0fe4e1ed85bda331147e506c620fbd73f4bb3c2bf4f5de5ca2aca9f935aececeedc3f2d4d4513abc33b81056180f2a3b555ec4cc7130973861a37e13c1 |
C:\Mint4W\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | fb0bc522811d5661986199fa87958015 |
| SHA1 | 9dfb531b68a0de11ea3e5fcbb74dff0506986394 |
| SHA256 | fdc433ae4c227ad5405e6971e91bfa901a20421064dfd2c022bb289f4f468eda |
| SHA512 | 936f291dc06bb213a2d9effa9e094bcc787f40c3512d987994da9b454edd3586e1ead60d456f6dfb783c9643c8032d3486184b58d678ace161123f6d0d81bbd9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:34
Reported
2024-06-03 05:37
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
127s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\AdobeMD\devdobec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeMD\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHH\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5112 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe | C:\AdobeMD\devdobec.exe |
| PID 5112 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe | C:\AdobeMD\devdobec.exe |
| PID 5112 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe | C:\AdobeMD\devdobec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe
"C:\Users\Admin\AppData\Local\Temp\f518ebe2feb9f55a9efb704794c895670b4c99241780ef50886ab3ef1d3063f5.exe"
C:\AdobeMD\devdobec.exe
C:\AdobeMD\devdobec.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3440,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\AdobeMD\devdobec.exe
| Hash | Value |
| --- | --- |
| MD5 | 480b4c739497d6ab05c8c7a61992fa00 |
| SHA1 | 92701fe99148ef6a812ad1b9382e060e6d1bb960 |
| SHA256 | 672b8b3621a6bd38cacb1421d5ed45e228b50db8562d8dee4fed459a762b1e48 |
| SHA512 | a5cca4bec1117ca1ea798d7bb7b0f5ec46ccf62386bc0c311049e0acd1b9437fdb47c8f0e4d99caaa518c4bb78c7302248d275871d8ced8214aadbe10c77efb1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 598af75dc21014ab3e1298e291c936db |
| SHA1 | 0a79e3bc73796c947ccd28a5ac078ff66e050811 |
| SHA256 | 71a2b4ba67a597ff55d71bd0c81ecd9ea7b37d74595ff4bc146ac7eb7b824f7b |
| SHA512 | 41cce0f4942dfb528a9c0a9832226d065eaa66f4b13aa086e5b8baaa38ce8d9f84cea771f6589ac9637c95e43c4bed4b286f5f8400cc58b2e47922abb0de2d8f |
C:\MintHH\optidevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 0024b9de4074abf70baddaf53e71d755 |
| SHA1 | 9625186ef7afe8a1d37a741132a8fa2d5c1d93ee |
| SHA256 | 6ac037504a3448af4107d6a363a740417a266be137fa998b32fcc1a860777c00 |
| SHA512 | 2418afefb4088aeeed58cbc6226d42d3516e54b426d718740794459430639a27ae722a5fe3ce6f15a583dbc559352a825d6b2fef8063d679cc9f9a8a9d4f1794 |