Analysis Overview
SHA256
b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a
Threat Level: Shows suspicious behavior
The file b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 03:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 03:02
Reported
2024-06-14 03:05
Platform
win7-20240611-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\IntelprocF8\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocF8\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZC\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe | "C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe" |
| C:\IntelprocF8\xdobloc.exe | C:\IntelprocF8\xdobloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| Algorithm | Digest |
|---|---|
| MD5 | 4488b978aa7bf6050d07b0c1300baf12 |
| SHA1 | 4b50049088faf7df3c01417ecaf7544be356c8ef |
| SHA256 | 1f5c9920b1f4188cfeaa165237918081c434a9f817452e6ed58d25bd6c639995 |
| SHA512 | fbfc4cf713c7b1c57fe5d6bfd0b62b06f58d313db82d05ad755761c8877f2d0be321256cfe13e934507bfd22b215cde1b29fc6d1faca26013d337ea8ac7089fa |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | bfbb8c9960c21bb08a00c0f55d16abd5 |
| SHA1 | 16e0971c4dbef3843d0221c3d096c81ed48a68d5 |
| SHA256 | ac783fe12aca03853871e3ac883a5a9c601ee4e3456a9e37ab23e3c8ec72919d |
| SHA512 | b87c1b3240f738722cd1093579ba029ddec6941ce1c691eef58308d78156a61879c89675b4a6bad5a4bbd1ce42bc1644c0c5ed5fa164e2d42738653269835a8a |
C:\IntelprocF8\xdobloc.exe
| Algorithm | Digest |
|---|---|
| MD5 | 268e3a8ea03287cc7519a0fc60327041 |
| SHA1 | fd97ab6c6a34afae79be113b65d0cb2b759a7fbb |
| SHA256 | a7c764aef2089180982c3e8cb355bd584a4a48aa23756178f587686d76c8069f |
| SHA512 | 7e0759d4ed7faa89fd3cb514687a0e940866f1bcc4a260e9308ee7c3486d631e4cbb0c03b78e54d04df50721ef4119e25a43e2393e70643634947036dd4e3a8c |
C:\MintZC\dobdevloc.exe
| Algorithm | Digest |
|---|---|
| MD5 | 424003c69f4fc0796d25305b5f9a63cd |
| SHA1 | 3593266b389b107756031ca1014c0c2626df28b8 |
| SHA256 | 401f5eb1cf75bb9f0b6e875f2ca49beef8814b090bd8bc20e49288795e52f92f |
| SHA512 | 225dca45bf16a74c13493efd5e6f18f5f804c03f7cfcb0db258b0054f71b5015ba68fca9aa7beb8b77e838542226abbaf1cfd0a54dff88f6e5a97f196dcb7c39 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | a2e6faa03a599daf73c7ab57f7149a57 |
| SHA1 | c66ad9a45cbc257a60f687b04766388ca0e95c10 |
| SHA256 | 0af66223fe33e1e32d2990aa644e0dbc4d0a7c1f1855bd1a99d0fc2b303860e9 |
| SHA512 | 88fb207c58f4ac1ab18b00fd05f20b1e527b24c81c74a36a636ff4b5210b6a3542ce2bd9344d5bdc3aacc48d6b64bbd3a78089de6699aaf0a806d3745a81b9eb |
C:\MintZC\dobdevloc.exe
| Algorithm | Digest |
|---|---|
| MD5 | cb1208bbb917de445bb915dc77b92cd0 |
| SHA1 | c43fd95221fd5eb8de97510a36e89c4b18a2969e |
| SHA256 | 63071af24c13178e280d5895f4ee7f734053a6f3bd5e9d579d0d96c30036eb7f |
| SHA512 | 93f84e7778ad8294e8d12ec39dd8672323b82a8788a139ed7fdcfe3e9a5ac48bc5718384907bc0bfed944a9a2903fbf284a7aaeb2c951c2e1158036763a68482 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 03:02
Reported
2024-06-14 03:05
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\Files2G\adobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files2G\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQM\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe | "C:\Users\Admin\AppData\Local\Temp\b51be1a1106fc7eb8a2db1c43bb5c34c7f66872d1421d2c0265767afd57d994a.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe" |
| C:\Files2G\adobec.exe | C:\Files2G\adobec.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| Algorithm | Digest |
|---|---|
| MD5 | 5fd621765922e590c4877db4fa81acb9 |
| SHA1 | 4b3360cc9e7003cbd0473fc2e03f3f399f421567 |
| SHA256 | e90d12847f1c2c37d44ee399128c4708e890e4222ac92d0ed31a2d8cf3c3df92 |
| SHA512 | beec1169b41a282eff6390df53ec9930d5ffbbe70a93e318600d53ec2f182692ef12018a35447b1408eca9ade2f27cdeb3401d35b51b8eb89951f48b556897a7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | 4216912a12fd4011701bf1be74e60616 |
| SHA1 | 2a20378703f8a2898dedecb637328e6ecf3981ae |
| SHA256 | c632abed9f4ef7392be05d8fcae72d718ef62819e131b6eb19a1670838b1c8c1 |
| SHA512 | e7296663eb5ca8e5cb49396891b6ba8583dee057defee27836c8060d36977a6b8115cdc00b14272dc7ce338877a2068491a7cddabec080e0f6ca566271385224 |
C:\Files2G\adobec.exe
| Algorithm | Digest |
|---|---|
| MD5 | cc5ef4d7d290241e34db344d87ddcaa2 |
| SHA1 | 11522ebbece13d79935ad6ac540f87f8b4af1d75 |
| SHA256 | d333ac5ce4c7500d1ac7913b517d6b944197cb712cad5b02a886e94dfd103bf0 |
| SHA512 | 469ecf60854d8db3aa33ea73d7d79da91f90c912a65e7bd05cf08e8eb8b047b018c701c3bb9ff95c407eb747eda1d2d00f3385b8713e7cabadaf267c8e9642b6 |
C:\Files2G\adobec.exe
| Algorithm | Digest |
|---|---|
| MD5 | dba575ff5988a64822fbb9b2679e9550 |
| SHA1 | 2c467244569bb98eb1f8809ef2cc59e1f83e5ff2 |
| SHA256 | db26523f997216b5c2d8b1a818d81fabfc6bda24953beac4b4eb6de52355672b |
| SHA512 | 5f6999e08ebffc7adde561eb239b647a0dd12b6c8de5c432572b55253acc65f64d220c61f4a4b225ac34f6ac52964e5d4300b9252603005e0ca5a95ee93cc814 |
C:\KaVBQM\bodaec.exe
| Algorithm | Digest |
|---|---|
| MD5 | 23647db45c46fd65b7aab98eef0783fe |
| SHA1 | 7555ef5be0b56b0d3b6e5d9234500047cb01cace |
| SHA256 | 6db1bccff64f57515a0b4f1c15a414a6a845a82a67b66b80373afabe98461037 |
| SHA512 | 685cc6969f1766561d9e17956157060dcfcda7847b790a65b9a3e8279765b3f7f364eb95e5dccbddc953c7a7f12c739373e7aa273a39a81bba1483f22a7c0cac |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | 98fe53d103256420fa2d513d68954a97 |
| SHA1 | cf80c03d024a220adfc015e8f524bec282b38cb4 |
| SHA256 | 1a5a465b62c0537d0701ffb57571b888626577134b6c55fea7e37b84547ee78e |
| SHA512 | 70dfe867f5a4b726ef819914c55cfa1b309a8cc530cc850da3608683092f95b33fac1005b5740fe15dfbac92af5bc7528e654c3e6b7a5571d4d9e90bdfcb5860 |
C:\KaVBQM\bodaec.exe
| Algorithm | Digest |
|---|---|
| MD5 | 4d6e2ee4821ec834fd9b0e093dd1cb26 |
| SHA1 | a7bfaa8ab526fffec3881732625b759e63c562a0 |
| SHA256 | 2fa45d28fbba1e0f9ee1188db3543bab215bb1dbda291e12926473d54c0958b4 |
| SHA512 | 5d4d9d75548c467647e5a81b18a78090ec6a576bd77df660ac366287570cf0dd4c9e4e2376b35f3bd029ac0167347ad8d7f41155851fcd2ca5a1a351748ac149 |