Analysis Overview
SHA256
8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39d
Threat Level: Shows suspicious behavior
The file 8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 13:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 13:06
Reported
2024-11-08 13:08
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\Intelproc5J\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5J\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidBD\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc5J\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
"C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\Intelproc5J\adobsys.exe
C:\Intelproc5J\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | ca1cb27809f92ee0eccbaf8576f847f8 |
| SHA1 | 00fa815d54e9183d65994536c6104579cace2be6 |
| SHA256 | 3c0764e7f27fa0ef272e972dd7f16ba750cbddc3ff0f5f499c8f5cc73118dca2 |
| SHA512 | 093028c0b9ae72eca569e1df3dc22b266cbffe3b44fd03c1ecfdf6d4ad3fae98a054eea89d582964604cf90cfdc91a151afc462cb1aac1f0d126ccf6e25d2122 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1ece35dff22c942e1517309fc8a1080d |
| SHA1 | f81922f4be9d12b31df53f6aef2cb8cf148b1856 |
| SHA256 | e9b6b9c4c0972c518ea5187086024a445e4b89dd3c13fd08ac6bd4184e8c2f81 |
| SHA512 | c0a27c17114039997b5a766282e49f4c8f5b8bb3295760d93d46cb92fb36f93d90523d3f623a94944941b23e2174b74d65670df4edbfe0a36429cdba071821f2 |
C:\Intelproc5J\adobsys.exe
| MD5 | 3d5c84c24686972025ee87acc32ad3a6 |
| SHA1 | 4de5f1319439ac0d1105eb0ebcfbb690ca3b6341 |
| SHA256 | 42a36be27ed499edae722cacb0b6a81765681fde1c6d49c4c0e454a7031b4b90 |
| SHA512 | 3cb5698c886a345aad4ffdadbdb9c3fb2bd1dc6705e64e37f768b0934672c7b4f78f8d2b7370200c8a936557336f6494d63219f91851555fe760bac2711ad7e8 |
C:\VidBD\optidevsys.exe
| MD5 | f07d3f14adc0450b64283432c54bab78 |
| SHA1 | 61a67708af12fd67b4ac16c0c3a3a7dbd1f42d13 |
| SHA256 | 3e6279b65573dee22f56caaa4ed806d89d437ebfee211d7b9725575c3e367106 |
| SHA512 | 2661f5aabe7110f193fc47f8974ce70d49ff5692f50aaa3cca6a91214fd5d8a44f6e985b37f6a837570b206ca5fc9271ac7a494f9d8d5f9f2c20840a66862880 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e89a51b58b07ab63a4e38c2595f6f92e |
| SHA1 | 4699b4ff3bd19d2aab06240d8c657c98ed4ba669 |
| SHA256 | 0c53ef48746dbdee36566bb00f4263eb0844f93df916ab5adb7a984b178d607d |
| SHA512 | c9aec1c1fc2929106c4499e133ed2afbfe6d05bd30ca619d8aaa2169cca2ecd97799ca2ba640967bb21eaef128a724a8bf071336886c9bea5cc4fa2a74b96718 |
C:\VidBD\optidevsys.exe
| MD5 | a345d6b9ec5d20633f324e23e3c60efe |
| SHA1 | 3471650b7c3fe05a5b294af0fac495754bed625d |
| SHA256 | 4221d731e8417255c653f8395b258c397b283732ff8477e4b45cbc20bb8ac151 |
| SHA512 | 8211814d27432a59846a013d3d554f8d0cc5e20e647d8ba9db5c255db9b73abf85ce5161f5c8a12748b906e2befc8fcdc8985bca6024c0b5706fde97fc560c69 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 13:06
Reported
2024-11-08 13:08
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\FilesNW\adobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNW\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidSG\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesNW\adobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe
"C:\Users\Admin\AppData\Local\Temp\8c0d3161100185a620266907a51e9f02037a3969fa525ea6908306909fbec39dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\FilesNW\adobec.exe
C:\FilesNW\adobec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | dd8bef981f282930a034f83df8367903 |
| SHA1 | a88362c114488c4652f87523fb3e3fe809eeabea |
| SHA256 | 49526c4b10a69ba358521d798c1bcb9499fd0c9f0ba5c5765f31ec2fd6cd6451 |
| SHA512 | 863a9c2865264d9c76d43711acd64a7a924620bfc60d361e67106e7b4ae338f75d345cdc8b692c6450993390f547026faf515436c596a16da4c649a0ee4b92ab |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6a2769b475f6a6c6d6f8c5edbe10f092 |
| SHA1 | 14ffffe226ba4b1db32f629fcdc32e9c8bf19a8f |
| SHA256 | d1e282c90e0b4b91b82725664010c26af3fb5d3f688fff429dda4d0cfdb6816d |
| SHA512 | bbd84d7b6156702ca525065fd49b2e6ecf8ea8542507e6e979ebe2c8f4ca021884002b2d3d229b5a1547e3ff3fbd68394482185a84b407100d3ddab192d68824 |
C:\FilesNW\adobec.exe
| MD5 | f1313f3c640b9eba1e874109252a649a |
| SHA1 | 5933eabdda64aff5d456eafb95f7df8f7ce79e70 |
| SHA256 | 2cb02b444111d8c3a4374b496e0c281033db3de0246ed9af610f0f105b72f9d2 |
| SHA512 | 3f41f7089d262bba0f9190c77202793eb995bb0a6df49d839ef2161f1f00c0f3627ddfc778101cc6a7f8466f5869540a19248e98768e809b473eadbfac37e095 |
C:\VidSG\dobaloc.exe
| MD5 | 9d1ab53997f65bc5185b49b6e2479ef2 |
| SHA1 | cb532aa628a2837e0752bd57d69b4451291e9f2d |
| SHA256 | 833d0577c3514dc8d97bc71854a30666efcc5ad75334cde6ade2f634c6ca0416 |
| SHA512 | 68ff0256151067ddddd4d98e0d075a3b5c7197dc87c2c65a12e0de39931c65a5d9b8f70f0c35857130625c6c4b51d2f212f5c74864e5f8a3b52afca76ecec0cc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ad50c09de3db7f654a6e88d0bb8c6cc2 |
| SHA1 | 377f1b04623782900e42dbd5d6aefe498a6e82ca |
| SHA256 | d4339c6fbbc6e3f9ddd601da2cc99336513f25843da8e54554eec37528568654 |
| SHA512 | 123b4880bd70b4626cdca82d5e2f25587275b47743fb7f1ae581886abcc54c0fcb33f571acafb25426de3bccc11e997afaf69f53de1d1c743fbfb307235070e7 |
C:\VidSG\dobaloc.exe
| MD5 | 09d44ca6acac043781be969fc6687470 |
| SHA1 | 549362fc10dd11e2a7341b1b1b2492aad1912e85 |
| SHA256 | 440da96083dc9dae8f390d4bebb56e9fc74f4f468d1a810fc008711786160e93 |
| SHA512 | b12b040a7cea753ff80d4ec43bd316b59d88e852583e6831da09dea06927d91a5753c3963bf8e57d03206d3c47b93375d6194621574b62b347cb20620b8741ea |