Analysis Overview
SHA256: 3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe
Threat Level: Shows suspicious behavior
The file 3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-27 21:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-27 21:39
Reported: 2024-10-27 21:42
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 152s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\AdobeCP\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCP\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintR6\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeCP\devoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe | "C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe" |
| C:\AdobeCP\devoptisys.exe | C:\AdobeCP\devoptisys.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeCP\devoptisys.exe
C:\MintR6\dobaloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintR6\dobaloc.exe
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-27 21:39
Reported: 2024-10-27 21:42
Platform: win7-20241010-en
Max time kernel: 149s
Max time network: 121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocCG\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocCG\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint3E\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocCG\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe | "C:\Users\Admin\AppData\Local\Temp\3323900ab7f23e3e23b9830780a21fd8461cd31abf4ae9003d619da59cd7eabe.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe" |
| C:\IntelprocCG\abodloc.exe | C:\IntelprocCG\abodloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocCG\abodloc.exe
C:\Mint3E\boddevec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Mint3E\boddevec.exe