Analysis Overview
SHA256
fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623
Threat Level: Shows suspicious behavior
The file fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:50
Reported
2024-06-03 05:52
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\AdobeQ8\xdobsys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ8\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHK\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2900 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe | C:\AdobeQ8\xdobsys.exe |
| PID 2900 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe | C:\AdobeQ8\xdobsys.exe |
| PID 2900 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe | C:\AdobeQ8\xdobsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe
"C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe"
C:\AdobeQ8\xdobsys.exe
C:\AdobeQ8\xdobsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\AdobeQ8\xdobsys.exe
| MD5 | af0c019f6af35a91433f99e4dcadf50b |
| SHA1 | cb539b9ad85364b61985bd8fc2d6fcc13ef80370 |
| SHA256 | 045d313750210ed77b978f203a4f96bbea22d01eb6606f7fe14a4b6dfe49c64c |
| SHA512 | 3c98bc79b8f83da26f30676d9154b7899c74f076fe3bdb690025cd03c61dfcb249e5d66f2af3cb08de33ea9c89c380c0c5dd5a1db69fa59b48b36da7b3d0124e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ad1339a49e5e0ab8073bc860f1f026f7 |
| SHA1 | 7f5f8c888fde603298f1155fc1e38d986db6907d |
| SHA256 | daed8c50da9e3bb596de73ddbd8656b92d32d74dcb0cf4ed053fbf2c524d7ef8 |
| SHA512 | 3f56d7ae3643a71ae9a49843997f51c1b21a8ee6bdc4c1fa2067ae3eb7a273e3dace4b0be434a82078f23d827f7f3ebd81055035f7093de56d1435fc2a0bda82 |
C:\LabZHK\dobdevloc.exe
| MD5 | f31b9564fcbd84d940e8be61cb07478f |
| SHA1 | 3dfce58ff3269e4d9e8dce5aa5634791c99287a6 |
| SHA256 | 7fae5d088409d57a47b034d917f057bc2f60236fcddd011ca6479288492538d8 |
| SHA512 | 696db959cfff8a8dde54223dfffaba2e89059e0111dfaaa1bf3ad3e3a3b3949d8868aab258c0c9b501ff2f2ddb0ea9f5a5e0a87e4510755e167890e4922b16ce |
C:\LabZHK\dobdevloc.exe
| MD5 | 4bb077376c4c5edb3eb1f1704ba9d2f7 |
| SHA1 | 0656814d980cc763280d9c3a515f6d530fd05b9d |
| SHA256 | 37bbc798d0f8fa769709efed1af7975e2287ee7e7fe432e12d7d8d9df4de1b69 |
| SHA512 | 651d05cffaf83a81d3b52c720b5e85cb3b51757b673e88beaac2d84dd578bb8bc1b3046253c5045f983e77afa49fd9297d3b01d82ba2da553942a5f90f249275 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:50
Reported
2024-06-03 05:52
Platform
win7-20240215-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\AdobeAW\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAW\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQR\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1240 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe | C:\AdobeAW\devbodloc.exe |
| PID 1240 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe | C:\AdobeAW\devbodloc.exe |
| PID 1240 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe | C:\AdobeAW\devbodloc.exe |
| PID 1240 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe | C:\AdobeAW\devbodloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe
"C:\Users\Admin\AppData\Local\Temp\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe"
C:\AdobeAW\devbodloc.exe
C:\AdobeAW\devbodloc.exe
Network
Files
\AdobeAW\devbodloc.exe
| MD5 | 87f24ad0aeaaaf411b499f137d752130 |
| SHA1 | befc3bd3d37164623746a030b5d80bb22f2328d9 |
| SHA256 | bac30a9578072421546a3ceabb8324486fd81b4a17117fdf8511a5c4ea791b88 |
| SHA512 | 8d903205038d4aaa77bd2b8b12956e9b8a0b77632dc5edd6c79d4d2b6424fba5d6d088087b276e42722eab20edcd64091d566950aa7c89669bdffac48dee6b1e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9c2101d5dcaf530dcb0b234be0da9999 |
| SHA1 | 065ba1c70db94caf6da4f129d676714cef4c1f72 |
| SHA256 | 2a47e531315e256dbfebadfe0927b5970a374f8321fcf4a8d7a6eb23db94a131 |
| SHA512 | 75a68e5907488e3d382098149c05ed837b5e922f1acb8e75e1c71d51e53ec5d097a5c6c62cdb860bf38e0422af2c47831c56437ee45b92483193973f52bf0912 |
C:\LabZQR\bodaec.exe
| MD5 | 192492e23df170f5d6cb445720c65911 |
| SHA1 | df4b99b4e56f771ddd32590c5fd22f5493b85ca6 |
| SHA256 | e035dc1026fd82e3a2f255b73134d0b40349b3a3f780d2341c2bd80046308f0f |
| SHA512 | f6bb78bf5ef9cfcc28b4af7a7f77a853259165f7d73b2b8a5024f3f052115c925c9ac9d4f9a03ccfcf48b2ff4d278717b6181a1b123e87468c226754eada13c7 |
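The two detonations above report the same chain in different words: the sample drops an EXE, registers it under HKCU ...\CurrentVersion\Run (value name Parametr) and a second dropped EXE under RunOnce, then writes into the memory of the dropped child it just launched. The script below is an added example, not part of the original report; it parses the registry "Set value" indicators exactly as Triage prints them (note the doubled backslashes inside the quoted data and the SOFTWARE/Software casing difference between the Windows 10 and Windows 7 runs), resolves each autostart value against the dropped-file list, and groups the WriteProcessMemory rows by parent/child pair. The input rows are transcribed from the report (constructed, not a live feed); the function and finding names are my own. The Network rows (reverse-DNS lookups via 8.8.8.8 and TLS to tse1.mm.bing.net) are not attributed to any process in the report and are left out of the correlation.

```python
"""Correlate sandbox signature rows: autostart registry values, dropped
files and WriteProcessMemory events. Added example; rows below are
transcribed from the report above, names are the author's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fcac7af7fe2eaa7e422d9769932a9e09d7e862f7a210df9da24d859a7a6da623.exe")

# Constructed input: the relevant rows of each behavioral analysis.
REPORT = {
    "behavioral2": {
        "dropped": [r"C:\AdobeQ8\xdobsys.exe", r"C:\LabZHK\dobdevloc.exe"],
        "registry": [
            r'\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000'
            r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ8\\xdobsys.exe"',
            r'\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000'
            r'\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHK\\dobdevloc.exe"',
        ],
        "wpm": [(SAMPLE, r"C:\AdobeQ8\xdobsys.exe")] * 3,
    },
    "behavioral1": {
        "dropped": [r"C:\AdobeAW\devbodloc.exe", r"C:\LabZQR\bodaec.exe"],
        "registry": [
            r'\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000'
            r'\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAW\\devbodloc.exe"',
            r'\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000'
            r'\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQR\\bodaec.exe"',
        ],
        "wpm": [(SAMPLE, r"C:\AdobeAW\devbodloc.exe")] * 4,
    },
}

# \REGISTRY\<hive>\<path>\<value name> = "<data>"  (data backslashes are doubled)
_REG_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?P<path>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$'
)
_AUTOSTART = (r"\microsoft\windows\currentversion\run",
              r"\microsoft\windows\currentversion\runonce")


@dataclass
class RegistryValue:
    hive: str
    sid: str | None   # present for \REGISTRY\USER\<SID>\... paths
    key: str
    name: str
    data: str

    @property
    def autostart(self) -> str | None:
        """'run' / 'runonce' when the key is a per-user autostart key, else None."""
        low = self.key.lower()
        for suffix in _AUTOSTART:
            if low.endswith(suffix):
                return suffix.rsplit("\\", 1)[1]
        return None


@dataclass
class Finding:
    analysis: str
    kind: str
    detail: str


def parse_registry_indicator(indicator: str) -> RegistryValue:
    m = _REG_RE.match(indicator)
    if not m:
        raise ValueError(f"unrecognised registry indicator: {indicator!r}")
    hive, path = m["hive"], m["path"]
    sid = None
    if hive == "USER":                      # first component under USER is the SID
        sid, _, path = path.partition("\\")
    return RegistryValue(hive, sid, path, m["name"], m["data"].replace("\\\\", "\\"))


def correlate(analysis: str, rows: dict) -> list[Finding]:
    dropped = {p.lower() for p in rows["dropped"]}
    persisted: dict[str, str] = {}          # dropped path -> autostart key it lives in
    findings: list[Finding] = []
    for ind in rows["registry"]:
        rv = parse_registry_indicator(ind)
        where = rv.autostart
        if where and rv.data.lower() in dropped:
            persisted[rv.data.lower()] = where
            findings.append(Finding(analysis, "persists_dropped_file",
                                    f"{where}\\{rv.name} -> {rv.data}"))
    # Collapse repeated WriteProcessMemory rows into one count per parent/child pair.
    counts: dict[tuple[str, str], int] = {}
    for parent, child in rows["wpm"]:
        counts[(parent, child)] = counts.get((parent, child), 0) + 1
    for (parent, child), n in counts.items():
        if child.lower() in dropped:
            kind = ("writes_into_persisted_child" if child.lower() in persisted
                    else "writes_into_dropped_child")
            findings.append(Finding(analysis, kind, f"{n} write(s) from {parent} into {child}"))
    return findings


def run_all(report: dict = REPORT) -> dict[str, list[Finding]]:
    return {name: correlate(name, rows) for name, rows in report.items()}


if __name__ == "__main__":
    for name, findings in run_all().items():
        for f in findings:
            print(f"[{name}] {f.kind}: {f.detail}")
```

Key paths are compared case-insensitively because the two runs print the same key as SOFTWARE and Software; the SID is split off rather than matched, so the same logic applies to any user profile. Run and RunOnce are kept distinct in the finding text since RunOnce deletes itself after one logon and points at a different dropped file in both runs.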