Analysis Overview
SHA256
fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c
Threat Level: Shows suspicious behavior
The file fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c received the verdict: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15 (no techniques are listed in this report)
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:51
Reported
2024-06-03 05:54
Platform
win7-20240508-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\AdobeN7\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeN7\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPG\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2208 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe | C:\AdobeN7\xdobsys.exe |
| PID 2208 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe | C:\AdobeN7\xdobsys.exe |
| PID 2208 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe | C:\AdobeN7\xdobsys.exe |
| PID 2208 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe | C:\AdobeN7\xdobsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe
"C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe"
C:\AdobeN7\xdobsys.exe
C:\AdobeN7\xdobsys.exe
Network
Files
\AdobeN7\xdobsys.exe
| MD5 | 8c0be44690704c1defbd041ea601726c |
| SHA1 | bf50e9898bebd7154e00144b148b7a4f7b2702c8 |
| SHA256 | 4cd188310d1b27f2961b3bca2a2bc53d23c3a5e9369a3acaaf20323aa2935b16 |
| SHA512 | c159208f28dcd8d70cf04befe61f48efe6c81d753ad4a8d69340da99bd29f82b739ebc1a9e5d293d9561e05f709d12c415ba8c11a28867bb7995781312d7ded6 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d9303d0334af42174227b588b1c2ef40 |
| SHA1 | 03a5521a9e03bbf05d4a69b829e056d4c247617c |
| SHA256 | d14aad429c2efd1f4ef1d009a9dbbf989b2bff43ab69ac322160126dae030490 |
| SHA512 | 910584f9de159b01c0cf56eefdaf69f6b9ec9245156c0263bfc88a5aeddd971bfd3335f2545a949b2b631b8d67e79a59a481ee33da973250c3a08918ee9224be |
C:\MintPG\dobxec.exe
| MD5 | 48d7d6583eb2bbfe2e37337e7f96163c |
| SHA1 | 062a59ee9ffd9ab53db4de0d85d8aa02aa5460cd |
| SHA256 | 101b2ec924c063a16a494de61a6490fc6d3d24b7119d81b6d3d6386fb1dd0235 |
| SHA512 | 500505fff5313667d8ba4d7aa01d89c90c6df362362a219f0578bcb85be688a06af1f19395ef56cbd9d29c63abc7a6235e86c77f1049e1af914fa4f7a5c73589 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:51
Reported
2024-06-03 05:54
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Files0W\aoptiloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0W\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7V\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe | N/A |
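The four Run/RunOnce indicators across both runs share one shape: a per-user hive, a value named Parametr, and a target executable in a freshly created directory directly under C:\ (AdobeN7, MintPG, Files0W, Galax7V). The Python below is an added example, not part of the sandbox output; it parses those indicator strings exactly as printed on this page (the sandbox renders backslashes in the value data doubled), un-doubles them, and flags autorun targets that sit outside the usual installation roots. The allowlist of expected roots is a heuristic assumption of the example, not something the report states.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Indicator strings copied verbatim from the "Adds Run key" tables of the
# two behavioral runs above (win7 and win10).
RUN_KEY_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeN7\\xdobsys.exe"',
    r'\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPG\\dobxec.exe"',
    r'\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0W\\aoptiloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7V\\bodxec.exe"',
]

# Top-level directories under which a legitimately installed autorun target
# normally lives. Assumption of this example, not a statement from the report.
EXPECTED_ROOTS = {"program files", "program files (x86)", "windows", "programdata", "users"}

# \REGISTRY\USER\<SID>\<key path>\<value name> = "<data>"
INDICATOR_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-\d+-\d+-\d+-\d+)\\'
    r'(?P<key>.+?)\\(?P<value>[^\\]+) = "(?P<data>.*)"$'
)


@dataclass(frozen=True)
class AutorunEntry:
    sid: str          # user whose hive was written
    key: str          # key path relative to the user hive
    value_name: str   # value under the Run/RunOnce key
    target: str       # command the value points at, backslashes un-doubled

    @property
    def kind(self) -> str:
        """'Run' or 'RunOnce' (the last component of the key path)."""
        return self.key.rsplit("\\", 1)[-1]

    @property
    def top_level_dir(self) -> str:
        """First directory below the drive root, e.g. 'AdobeN7' for C:\\AdobeN7\\x.exe."""
        parts = self.target.strip('"').split("\\")
        return parts[1] if len(parts) > 2 else ""


def parse_indicator(indicator: str) -> AutorunEntry:
    """Split one sandbox 'Set value (str)' indicator into its components."""
    m = INDICATOR_RE.match(indicator)
    if m is None:
        raise ValueError(f"not a user-hive Set value indicator: {indicator!r}")
    return AutorunEntry(
        sid=m["sid"],
        key=m["key"],
        value_name=m["value"],
        target=m["data"].replace("\\\\", "\\"),
    )


def suspicious_autoruns(indicators: list[str]) -> list[AutorunEntry]:
    """Return Run/RunOnce entries whose target lives outside the expected roots."""
    hits = []
    for ind in indicators:
        entry = parse_indicator(ind)
        if entry.kind.lower() not in {"run", "runonce"}:
            continue
        if entry.top_level_dir.lower() not in EXPECTED_ROOTS:
            hits.append(entry)
    return hits


def value_name_counts(indicators: list[str]) -> Counter[str]:
    """Count how often each value name is reused; a constant name is a hunting pivot."""
    return Counter(parse_indicator(i).value_name for i in indicators)


if __name__ == "__main__":
    for e in suspicious_autoruns(RUN_KEY_INDICATORS):
        print(f"{e.kind:<8} {e.value_name:<10} -> {e.target}  (dir: {e.top_level_dir})")
    print(value_name_counts(RUN_KEY_INDICATORS))
```

Both runs produce four hits, and the value name Parametr is reused in every one, so a hunt on `HKU\*\Software\Microsoft\Windows\CurrentVersion\Run*\Parametr` is a tighter pivot than the randomised directory names.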
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4012 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe | C:\Files0W\aoptiloc.exe |
| PID 4012 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe | C:\Files0W\aoptiloc.exe |
| PID 4012 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe | C:\Files0W\aoptiloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe
"C:\Users\Admin\AppData\Local\Temp\fcff3e6b605fbf5b5386c4538d9e03d41faabfe4453e76d5bc5e2b19145c493c.exe"
C:\Files0W\aoptiloc.exe
C:\Files0W\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
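The only network activity recorded in either run is the seven reverse-DNS (PTR) queries above, sent to 8.8.8.8 over UDP; no forward lookup and no outbound connection to any other host appears. To pivot on those names you need them turned back into addresses, because in-addr.arpa lists the octets in reverse order. The helper below is an added example, not sandbox code; it decodes both in-addr.arpa and ip6.arpa names, validates the result with the standard ipaddress module, and round-trips through reverse_pointer.

```python
from __future__ import annotations

import ipaddress
from ipaddress import IPv4Address, IPv6Address

# PTR query names copied from the behavioral2 Network table above.
PTR_QUERIES = [
    "154.239.44.20.in-addr.arpa",
    "240.221.184.93.in-addr.arpa",
    "138.32.126.40.in-addr.arpa",
    "50.23.12.20.in-addr.arpa",
    "18.31.95.13.in-addr.arpa",
    "23.236.111.52.in-addr.arpa",
    "213.143.182.52.in-addr.arpa",
]


def ptr_name_to_ip(name: str) -> IPv4Address | IPv6Address:
    """Decode a reverse-DNS query name into the address it asks about.

    in-addr.arpa carries the four IPv4 octets in reverse order;
    ip6.arpa carries the 32 IPv6 nibbles in reverse order.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError(f"expected 4 octets in {name!r}")
        return IPv4Address(".".join(reversed(octets)))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"expected 32 single-hex-digit labels in {name!r}")
        hexstr = "".join(reversed(nibbles))
        return IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    raise ValueError(f"not a reverse-DNS name: {name!r}")


def ip_to_ptr_name(ip: str) -> str:
    """Inverse of ptr_name_to_ip, using the stdlib's reverse_pointer."""
    return ipaddress.ip_address(ip).reverse_pointer


def decode_ptr_queries(names: list[str]) -> list[str]:
    """Decode every query name, returning the addresses in table order."""
    return [str(ptr_name_to_ip(n)) for n in names]


def non_global_targets(names: list[str]) -> list[str]:
    """Decoded addresses that are private, loopback or otherwise not globally routable.

    For a sample that only issues PTR lookups this separates probing of the
    local network from lookups of public hosts.
    """
    return [str(a) for a in map(ptr_name_to_ip, names) if not a.is_global]


if __name__ == "__main__":
    for name, addr in zip(PTR_QUERIES, decode_ptr_queries(PTR_QUERIES)):
        print(f"{name:<32} -> {addr}")
    print("non-global:", non_global_targets(PTR_QUERIES))
```

All seven decode to public addresses, so whatever triggered the lookups was not enumerating the sandbox's local subnet; whether the queries come from the sample or from the Windows 10 image's own background traffic cannot be settled from this report alone, since the win7 run recorded no network activity at all.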
Files
C:\Files0W\aoptiloc.exe
| MD5 | 894a4ff4d898a2f78c635ff267614144 |
| SHA1 | 9d9215a6d866eb93b87ef12f26a23816df31c279 |
| SHA256 | 452c726747f30006077821824d04f2eec7b0756e920e87c7c2ba948a0d156a63 |
| SHA512 | c4d8734308b22c2fdfc86a951f6d2565ee88f694652ae27c3c5749cb35ebe8582d2c54477d1c1a6e2fb6626a1e79448cdc5bcdcc203eadc5e96d899282177200 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9d193d1552a43e0e8edb723e51929280 |
| SHA1 | da020a95ecb437343f697b2b0c2905fd699dd559 |
| SHA256 | 9514c5377217ad39768ac8bfe8562e0f7af02b322469f58aa3b1312cfb5625fe |
| SHA512 | a56adfa6b47e99120f3207c7adcaccf43c3689d50835039699db89ebbc6d4801caa0eead4ae56e4cd5754a8fb4330ed445345170d7f294dbed832f38a844f577 |
C:\Galax7V\bodxec.exe
| MD5 | 00fa9d659a16830065bf8d05792edad0 |
| SHA1 | 62723e2238583107bfecc59bd5976fd77a2d83b5 |
| SHA256 | a11befb4bb466893369f69221a0247a957338f83144de889952c8fa045ed4029 |
| SHA512 | 2673bf589cf458654e6e6e9b8328b1573b3cf8335d7176b0a6950381b40e1ae9591826e37f51af157581843c670b3be50412ae0d4e33ae958d939613fb9d7189 |