Analysis Overview
SHA256
ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922d
Threat Level: Shows suspicious behavior
The file ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 21:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 21:55
Reported
2024-10-25 21:57
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
101s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\Adobe09\adobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe09\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJR\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe09\adobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
"C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\Adobe09\adobec.exe
C:\Adobe09\adobec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | f9183ad9bb477608307e7c423d971c56 |
| SHA1 | 50c360d2f9e310e6082b161d9d8c7afa15f6ec53 |
| SHA256 | 2680fe1f156f75f10f4df523d3ab03d9c8637453bd971b2fcd73c91d45813d8f |
| SHA512 | 702bc52e810db1d88666871159ba3254c7c19bfc0e837c02d3afb87cb885638ea9f5cd88d4a1dc7f8d76701d659c02ec9de261c08b40aa67edef735a02423f73 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 549856c44910ab30e45fe7fe1083ffb9 |
| SHA1 | 06195baf8a35dc93ade96c133043b07ba7e8da6c |
| SHA256 | 3bc57ba1ef5ae459c734908388ade6f188790a79e07a8865d8ab22ab2fef035f |
| SHA512 | 93170cf6dda6c34b8e5f23af9e08831929b3665f3683c571ad92c6d532b1e9961167fb924a9c82211aafabdcd02a886f4738c345ea27ab0efaee7787f05c2fa6 |
C:\Adobe09\adobec.exe
| MD5 | a151490713e9d4f26aa310f6fd933624 |
| SHA1 | 05ce1492908c31a54dd24914fb3a130a51f85460 |
| SHA256 | 9ddd58b78a546ac898a1ec326a6a67c53e7240e3e6edad34690a9f0c8944ea61 |
| SHA512 | 098cd85f34bbe33dad91d7ae8f7aeda4c72183f15fa2d0d9e27778e96fd3d4f353466e979e39c543217b6c91a87a1d866edb4eff841c399fe9498ef0e8aa6799 |
C:\KaVBJR\dobxloc.exe
| MD5 | 470dd0f2105e9839a881f41f4a977976 |
| SHA1 | 5dba250838823390de8c0b7cb7e29ad89ccf0bea |
| SHA256 | 18889d7e43c6104caae98bcb5837156b5a7bbad071aa7987a4b566e5a459b455 |
| SHA512 | 5fa59711a8d7995c81aefe4546decf2aeb6435ba546d9b1f51852c817cb8a0129fad3139bbb67f9bccee51d92eec9a09ddd59bc144195a547143652a57a3ba52 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5c7bac193bfbc09abe0f9417f2d469da |
| SHA1 | b552d728ea434118f9174a30b2f81566d5387ff8 |
| SHA256 | 81157c6bd89dfe6c0343b2a2ff733a2d92c79335fc5d1fc890d31cd0629e0d17 |
| SHA512 | 2c2731b528645056f3aebd478cd26f6e339e97a69d021e28755276becf3dd3910fac2398360afef79201e5571939eaa0e048dac59d239f53e0c2031286cbf431 |
C:\KaVBJR\dobxloc.exe
| MD5 | 6864709a3492d6eecc2901d378a3923c |
| SHA1 | f819f76efb6013645614cdbd8b40aa065381ff65 |
| SHA256 | 90aac658de2f07e728626f6fa857aeea35903288dedd81dec061d2e73f7a8173 |
| SHA512 | 2e669b559d3add060665fc67f21dd9cff43fec0262fe9cfcfb9b48b9185a5852e90db226707a161d827534b304670d064451f932f174aea6d41625ee74ad8c1f |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 21:55
Reported
2024-10-25 21:57
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\UserDotJ7\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJ7\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidD1\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotJ7\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe
"C:\Users\Admin\AppData\Local\Temp\ee8a108eaf578437280bf4ef425fe01cce29a4a122eb3371e775bf295694922dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\UserDotJ7\abodloc.exe
C:\UserDotJ7\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | be8245396e2e462caa7cbc944cb3b4fa |
| SHA1 | deb603e48609d5473289fbee85c331b7029538ef |
| SHA256 | 914cdc333d5e8625d9055f885fc7c5d19cbae8bfcc163fe481baa4ce42feb3b3 |
| SHA512 | 0797068b16e0c54e6f124f335396bf23e5b3acab494238adb461513aa60687d5d1ce69f9225b7adc9e486924afbd0ee29f6f0addeddd1390721a54f8a606bac5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8dedd34b0e9f973299fe6ec0ecb8c0ae |
| SHA1 | 8df16512486f9264f7eb28d54ed8b1febaf7b8e3 |
| SHA256 | 89ac524d1e0575e9b510b00d0ffeb39ac54615157c2c906aa0698cb871a154ad |
| SHA512 | 86115590a1e303f4de85757118ed07facf5e3d71eeff4a193cf494728e60493d710de3524621c8e18235ea916e7462809f8af2763a9d42d69f53215bfadb2335 |
C:\UserDotJ7\abodloc.exe
| MD5 | 84c123c5c1f426596f371e0fe5408175 |
| SHA1 | e624080d124d4d2f5db994510517b81669fb0a34 |
| SHA256 | f6ff61cdb21901da355abb6283961d193ae9d5b7c063205af153b9970d1562ab |
| SHA512 | b2300264eccdd53377ebe1a36b0dbac33eb320a8426085f578397e788bac1c7b8588f4d7f6a41a3cf7ad53d7f3c6c27bf60fe625f6b5887f4bd6e02d35b7f846 |
C:\VidD1\bodxec.exe
| MD5 | 5ce46de9d1c8ab23eeb8a98bb0b2232e |
| SHA1 | eb2b026ffaf5a7802065fa5971c5c4495fa6763a |
| SHA256 | 0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0 |
| SHA512 | 173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f7a885dfb6b3c6671a557298ee563fba |
| SHA1 | 7a2865439f5f25e8ccbcebb94526daf9b2c9ec00 |
| SHA256 | f37f335973151a3b8bdefd927411012ac9c0674db19527c91b24028d2dc38fc6 |
| SHA512 | 309f285e719f64233983879f9a8712e059f16b779ec1269c5f8368a509b87a47f52ba1085bf4492577f58d9e592938836012c30692f6d981e9275fe1f1b6d71f |
C:\VidD1\bodxec.exe
| MD5 | e0d078a205e761b605100008293c62da |
| SHA1 | 26cab603ad5abff45d58814cd63dbc3425ecf697 |
| SHA256 | 3c6c3ef861ed245eb21620229531a2fa1a58abf96ca9535c7f847356d92df01a |
| SHA512 | d590822d0b36add970c91271fa4aba3dc45cb0fa131694ec30f7bff0482b24fb8f3b6c6d574114cbf37fd3706d31cce926843988ec628e454be59dbba906291f |