Analysis Overview
SHA256
eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a
Threat Level: Shows suspicious behavior
The file eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:08
Reported
2024-06-03 05:10
Platform
win7-20240221-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\IntelprocQ0\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQ0\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid95\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2012 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe | C:\IntelprocQ0\devdobsys.exe |
| PID 2012 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe | C:\IntelprocQ0\devdobsys.exe |
| PID 2012 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe | C:\IntelprocQ0\devdobsys.exe |
| PID 2012 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe | C:\IntelprocQ0\devdobsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe
"C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe"
C:\IntelprocQ0\devdobsys.exe
C:\IntelprocQ0\devdobsys.exe
Network
Files
\IntelprocQ0\devdobsys.exe
| Hash | Value |
|---|---|
| MD5 | 7cb40eed07816cc207b0bd2d0e97c7ea |
| SHA1 | 559263b680b8a05b22e49fb3ed9c5fa07606353d |
| SHA256 | 42dc458cb9161a414ef321654e70a1579f48de058c70d493930b693179a9443b |
| SHA512 | 0a3bf5bf56818d1e1f594351c3e01747ed10ca93ec3b3eccf9b7b01134dffa3213aad3b3264a4fcf780476305d1b5d13eeb595d21787c1ae1308adba5b3b8e10 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 3d1d138549cc791d8a15838f84a6fa2f |
| SHA1 | 74d3c6f2922bc3f5c58649dca49a9ac47acdfb6c |
| SHA256 | d4a40bdd4250da258b6ef67a878e13c6b57f9937a8791a424a5f8ebd6527f18b |
| SHA512 | 2eb8cfc02b712906ec201564af414364d4aaff27ee541ab5d68d19e5e34aadc02014baa25fde138e8080ce769a83bcdc0fdd80a66011887c5050fdda2b54bf06 |
C:\Vid95\optidevsys.exe
| Hash | Value |
|---|---|
| MD5 | 164352f25bb3b0a5e1414a2d9cc149af |
| SHA1 | 400ef4f27b881e103586268c307e0f0289c12c19 |
| SHA256 | 0879b8e8f7b43a447308daba5f90b0fae4747068fbce9992910cdb7722400fac |
| SHA512 | 015dd2d90e23ca4f80cfa1a212b141d2d26c1efbafc4497028773a6c70ecf2332b82338254215e8f4f2e833bfb57cbb1bf6bbbe08de284eee48ba7e08fa72cad |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:08
Reported
2024-06-03 05:10
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
102s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\AdobeGT\devoptiloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGT\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXW\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4804 wrote to memory of 732 | N/A | C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe | C:\AdobeGT\devoptiloc.exe |
| PID 4804 wrote to memory of 732 | N/A | C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe | C:\AdobeGT\devoptiloc.exe |
| PID 4804 wrote to memory of 732 | N/A | C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe | C:\AdobeGT\devoptiloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe
"C:\Users\Admin\AppData\Local\Temp\eb45bf5333ca91c8e6c98edaeb6125afbcd77f1d5b53acfcc47d8b879fb5c17a.exe"
C:\AdobeGT\devoptiloc.exe
C:\AdobeGT\devoptiloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\AdobeGT\devoptiloc.exe
| Hash | Value |
|---|---|
| MD5 | 59eb3fed271fbd0eb25fdf1362e4fbb5 |
| SHA1 | 2b2a66a0f396d2a546793491078dfb6383fab068 |
| SHA256 | e6cb333b020c0873557167ed6dcef3d89d7b375eb5bcbd0747070e1778b558b0 |
| SHA512 | 2c6ca7dfde9b86b86ba5942fbdf30bc3c12c3b4eabdf684e89bf1c1189f65427d308090772e9b022fcab0b7b5278213b7edad1519bf2da23f57da310d8f062c2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 792b4846925291527a24399da0972b1c |
| SHA1 | 0a0342b83caafd14f1208e7b101a6d109ac050ca |
| SHA256 | ca4046b6fb9f80ffbc2d7386c382f0cd437159e0a398f0ea0bd14af21f878aec |
| SHA512 | 96896b97baf99655174cacad9137e0310ec5b8fdec9b991c02c9eac23bb85a4960e2c7cadde5b5f5ef36d54e1d7e109ae805bd9250beed8787875010dff09d10 |
C:\LabZXW\dobaec.exe
| Hash | Value |
|---|---|
| MD5 | a44b83b2c2beec977db594f72adea086 |
| SHA1 | 370b1f5317492d9c9f2762100ceb864f079fac39 |
| SHA256 | 159cd213b88501eed92831221870240b7401eb45e805d25bb736d1c71559155d |
| SHA512 | edcb01a43cb38e9cd6d71503718d95f028db3e2bb545df3a5113e508270e9674f6f909a2380b022ea67ef5dd7c01d1a989a953f1fc284d7f5943c160f1da0c3e |