Analysis Overview
SHA256
f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49
Threat Level: Shows suspicious behavior
The file f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:59
Reported
2024-11-09 23:02
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocY2\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocY2\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZ4\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocY2\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe
"C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\IntelprocY2\adobsys.exe
C:\IntelprocY2\adobsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 2b480f2f5aedfabc569c936cd676e1a1 |
| SHA1 | b4d737360f2eede0dc0a1993771417664d9e8150 |
| SHA256 | c54fe40868f0d6e0950acec53af1a66d4864e7997f4cb3d2de3765cf8138a292 |
| SHA512 | b9cf8fead965c3a65a688a1bcb85feaf85969523dd3d73adb0ca33a4dfd8cea0aac7a2ecfc7221e2e3817b7a3774daf8048052befc10bc256b133b41ddba79b4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f436fe30c6edbe61321163fa677dc414 |
| SHA1 | 32c5a625f9a7fc71109e9cf4cbb665443acdb4f0 |
| SHA256 | fbc9eff0c4e2f3b62fb6d632a010339dd51db9d2a4e063ec70a20b25484732e0 |
| SHA512 | c3e3528cf1d450bda2d5ce497ab26654ba9acba45fefaf180ef6fb4acbff9d206f1f785ac015b44ca7e7f8ddd97921d57b235ab53e4b237ed80c8eee0ea2a5eb |
C:\IntelprocY2\adobsys.exe
| MD5 | afad08bbfba551c8062f2ab185275936 |
| SHA1 | 4d85e70feb2e66c212eb1000a21a21d6a98c4fc9 |
| SHA256 | b6bc904315817b13c559bf489cc46b5386506ddea0ea7f56559b9c89bbb3f3e7 |
| SHA512 | 750c025546123ae4d4dbd9c46c65b022a591bebdfc572bfde98dd9d0a879c95865af5bc0ed7668d478f0bf39df6ef9e15a19eb4536f2f844cb3a7c55e92ed7d0 |
C:\VidZ4\bodxsys.exe
| MD5 | ff9b52e5f3503f4863234ef6b1131e84 |
| SHA1 | 1fefba0594e71cbf7729f73920a9770618ed93a4 |
| SHA256 | e28a388da0b84a12e0180c4b88bfd609ba4f67201350b4851cde316678fdc088 |
| SHA512 | 20e1ce0ca2d92d23306c9c3b2b02d1918d0688ec9e86527f0a0a517525d4da9264255015260e7f4eb98328821be05e6a0cec4c1b22d7b9523a6bb0911c697675 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 3879fed8cee679de96163565207cb50e |
| SHA1 | ed50cb0e6130f8b1796ede19dfaa38f5dc0afaa0 |
| SHA256 | 570b957adbaa34fa5ef69974dd6f50976adc0454e62a4bb6027fbf5cf6b3ddca |
| SHA512 | d7e75e73396385beb7a48ba78a9a6cb1c559ffd63eb4c674ebed0f4f76e02164c539ba7b28e87baee02e95b155aa1fa46581967fdc195bb78fd341be4e9fe1dd |
C:\VidZ4\bodxsys.exe
| MD5 | 43426d85f5483c0ab1e12849ac73d600 |
| SHA1 | cd4d165cb167fc7f7a8cbc57056df9b790502c59 |
| SHA256 | 7875a092a8cec9561b89199746a416d4b5249796116f2c53752c0d7c5ad7302e |
| SHA512 | f35b50540dbe5c71928efe70fa4d2c085ac3452bf0e71e150d1b9859b55fd266add605349b678d40dbe61f3f0b77cfb365624d376cef16d15ffde6447f8507bb |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:59
Reported
2024-11-09 23:01
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\FilesPR\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPR\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBCV\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe | N/A |
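The Run/RunOnce and Startup-folder indicators from both detonations (behavioral2 on win10, behavioral1 on win7) reduce to two reusable hunting checks: an autorun value whose data points at an executable in an ad-hoc directory directly under the drive root, and an executable created in the per-user Startup folder. The Python below is an added example, not part of this report or of any sandbox vendor's tooling. The events it runs over are hand-constructed from the signature tables above (field names borrowed from Sysmon EventID 13 RegistryEvent and EventID 11 FileCreate); the msiexec "ExampleUpdater" record is a hypothetical benign control, not something observed in the analysis.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records modelled on the signature tables of this report
# (behavioral2 = win10, behavioral1 = win7). Field names follow Sysmon's
# RegistryEvent (EventID 13) and FileCreate (EventID 11), but these are
# hand-written dicts, not telemetry exported from the sandbox.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe")
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
CV = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
SID10 = r"\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000"
SID7 = r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000"


def reg(image: str, target: str, details: str) -> Dict[str, str]:
    return {"EventID": "13", "Image": image, "TargetObject": target, "Details": details}


SAMPLE_EVENTS: List[Dict[str, str]] = [
    reg(DROPPER, SID10 + "\\" + CV + r"\Run\Parametr", r'"C:\\IntelprocY2\\adobsys.exe"'),
    reg(DROPPER, SID10 + "\\" + CV + r"\RunOnce\Parametr", r'"C:\\VidZ4\\bodxsys.exe"'),
    {"EventID": "11", "Image": DROPPER, "TargetFilename": STARTUP + r"\locdevdob.exe"},
    reg(DROPPER, SID7 + "\\" + CV + r"\Run\Parametr", r'"C:\\FilesPR\\adobsys.exe"'),
    reg(DROPPER, SID7 + "\\" + CV + r"\RunOnce\Parametr", r'"C:\\KaVBCV\\dobxsys.exe"'),
    {"EventID": "11", "Image": DROPPER, "TargetFilename": STARTUP + r"\locadob.exe"},
    # Hypothetical benign control (not from the report): a Run value whose
    # target lives under Program Files must not fire.
    reg(r"C:\Windows\System32\msiexec.exe", SID10 + "\\" + CV + r"\Run\ExampleUpdater",
        r"C:\Program Files\Example\updater.exe"),
]

# Value name under Run or RunOnce, whatever the hive prefix (\REGISTRY\USER, HKU, HKCU).
RUN_VALUE_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# <drive>:\<one directory>\<file>.exe : an executable one level below the drive root.
ROOT_DIR_EXE_RE = re.compile(r"^[A-Za-z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


def normalize_path(value: str) -> str:
    """Strip quotes and collapse the doubled backslashes registry dumps use for REG_SZ data."""
    return value.strip().strip('"').replace("\\\\", "\\")


def run_value(target_object: str) -> Optional[Tuple[str, str]]:
    """Return (Run|RunOnce, value name) if the written key is an autorun value."""
    m = RUN_VALUE_RE.search(target_object)
    return (m.group(1), m.group(2)) if m else None


def in_nonstandard_root_dir(path: str) -> bool:
    """True for C:\\SomeDir\\x.exe where SomeDir is not a stock Windows root directory."""
    m = ROOT_DIR_EXE_RE.match(normalize_path(path))
    return bool(m) and m.group(1).lower() not in STANDARD_ROOT_DIRS


def in_startup_folder(path: str) -> bool:
    return bool(STARTUP_RE.search(normalize_path(path)))


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag autorun values pointing at executables in ad-hoc root-level directories,
    and executables written into the per-user Startup folder."""
    findings = []
    for ev in events:
        if ev.get("EventID") == "13":
            rv = run_value(ev.get("TargetObject", ""))
            if rv and in_nonstandard_root_dir(ev.get("Details", "")):
                findings.append({"rule": f"{rv[0]} value '{rv[1]}' -> exe in non-standard root dir",
                                 "image": ev["Image"], "indicator": normalize_path(ev["Details"])})
        elif ev.get("EventID") == "11" and in_startup_folder(ev.get("TargetFilename", "")):
            findings.append({"rule": "exe dropped into Startup folder",
                             "image": ev["Image"], "indicator": ev["TargetFilename"]})
    return findings


def paired_autorun_names(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Per image, value names written to BOTH Run and RunOnce; the dropper in this
    report reuses 'Parametr' for both, a cheap correlation to alert on."""
    seen: Dict[Tuple[str, str], set] = {}
    for ev in events:
        rv = run_value(ev.get("TargetObject", "")) if ev.get("EventID") == "13" else None
        if rv:
            seen.setdefault((ev["Image"], rv[1]), set()).add(rv[0].lower())
    out: Dict[str, List[str]] = {}
    for (image, name), keys in seen.items():
        if keys == {"run", "runonce"}:
            out.setdefault(image, []).append(name)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']} -> {f['indicator']}")
    print("Run+RunOnce name reuse:", paired_autorun_names(SAMPLE_EVENTS))
```

Run directly, the script prints the six findings from the constructed events and the Run/RunOnce name reuse by the dropper; the msiexec control produces nothing. Against real telemetry the same functions apply to parsed Sysmon fields. Note that the value name "Parametr" on its own is a brittle indicator, whereas the root-level-directory and Startup-folder shape survives the per-run renaming visible between the two detonations (IntelprocY2 and VidZ4 versus FilesPR and KaVBCV, locdevdob.exe versus locadob.exe).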
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesPR\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe
"C:\Users\Admin\AppData\Local\Temp\f5616e54a4c0b246668aa74f9b234fcaa08c763a8a1e24f4328340a9984dec49N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\FilesPR\adobsys.exe
C:\FilesPR\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 68f8a9c827164aa639cf1bd553bec4c3 |
| SHA1 | f592c464ce3119de0c2ea1eb14739963ce16d629 |
| SHA256 | de89532e3ac87a1d33e6a809124af411d09cf97691894f9bf8615bc056b9e62d |
| SHA512 | db62d9ab758054edc98748f76e65e2f59cd05d57b861f029590db462c6edcf3e04e13c5d7065dc1599ded6602b4cfee29582db6ff2d42ff1a9569500eb3bf9ee |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1934631b03823386774459d3a4140b26 |
| SHA1 | c4daf9bc2ef5b474ddceefcff0746af8157c08f4 |
| SHA256 | 7465327bdf138571e3334b06e0030f05937985a47980608776cb1794ba923b52 |
| SHA512 | cdb69df90c20ac338f4a716ac2402c1d41181c2aab8f028c31a72eaf39b10a7af57111202a51c6114f2dcbb9d76c6905efcf8cc3ed1f74f4ab98567a9b649791 |
C:\FilesPR\adobsys.exe
| MD5 | f9db0cd8e78c7595247e3a68d4e417a8 |
| SHA1 | 202abce425bb40e286cc00025f2f145a99c7b08f |
| SHA256 | 80734a0554ad13f8a23424052aeb5e84d34332e75a2a3d8adce8a2c2d1bbf7f1 |
| SHA512 | 14c2c9342da60fd0c079de1fbb3cb42549bc275cd0558d4d5c69afc44724e4bcdb4e7e02d4c86edd724a02be9a8f7ba14d048c4837eb63e6c20725a7c0f6916f |
C:\KaVBCV\dobxsys.exe
| MD5 | 5a5d1d4074348b617bbc6054e5f1cc8d |
| SHA1 | f850d1a93660108e97d9a72c7e3124432f3e1c44 |
| SHA256 | 3fd4c4f9da011d8287ff8da1b555a7a037fdc5af1a2bf6aff2c74cdfd79c814a |
| SHA512 | 9148eb59dc8521773bd1a7668daa3930d4b4d52c6ef8bc3fe4797378347c0c3619e9c8acacff72542b367f1aa3a3d4866564a466c333b45f7bcab42b0164e15a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f80ac3990032e7c654ccbb4ca0a55613 |
| SHA1 | 620d5f160c1365a204c6eea5563d864c12ccaee9 |
| SHA256 | 08464be0a8abb86f5da0a4151cd4378661a3f21c91a79580d5bef7fe7f4dd8b4 |
| SHA512 | 5e418ac0680d9335e910065c94ef347365bef6aeac732ee4160f438732d38b31d2f30076274957803d023aa4c7f7acaf904e0ba37ed7009d2312b1b4c66b3612 |
C:\KaVBCV\dobxsys.exe
| MD5 | dde3e3a0058b80333496d67f83909cff |
| SHA1 | 717d121f5111bfd2287754c569ecfa7dd7d9b391 |
| SHA256 | 4a70a19cd96950b5458d42b99914384708e1a5d18f97aee348f6b643dd181876 |
| SHA512 | 3900c394d52c435e724668a8fc181d29c1067566b76d8d21e20c709ccc04be9fd1d58fb0348ccb2322ec5e76fcdcc805c4fdf12b87afcfea852a01a85644de16 |