Analysis Overview
SHA256
42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40
Threat Level: Shows suspicious behavior
The file 42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 00:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 00:01
Reported
2024-11-09 00:03
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\IntelprocTH\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTH\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXU\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocTH\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
"C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\IntelprocTH\devdobsys.exe
C:\IntelprocTH\devdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 0b54a8efe9dfeedab9b30b33d7db7f85 |
| SHA1 | 6bc8fe5c30073b2d87ad7d4b2c19ee0bc2c6deba |
| SHA256 | ffcbc857921e6643893b4530e04df28129c39c7ddb9db67f1a578e60618e0ac3 |
| SHA512 | 5293bb636f67651bf37157bcd6f3b2ebbc658559ef69d7109a8fea6876b881ea32b6b5e7fd4890ec09390149b1150396d146e656b096077aaf8c7ebc237e5b1a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 5339d98b541f130e7572607f93dd6c6d |
| SHA1 | e60c2c042c31ba5823b71b1e831ece6f305c8924 |
| SHA256 | 4383fd5a5c969a36260717364bd96a65a6a147ad5f2b9b9bf490df476acb0eb3 |
| SHA512 | feb29794af6bd9f4d4e3f0acbbfcab73cc7d11011a505370970e8ac25d1939f71f8aea2460b949855100e528de76bf2ece96048da0b575a1705eca491bf8504e |
C:\IntelprocTH\devdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 57a04070ca83c00ff16d6afade31a7c5 |
| SHA1 | 1dfb31f42c9e6b2dd431797fbadff8babf933a20 |
| SHA256 | 5e5d7c232601ee9a91f634a63593bbe782ef15f1927e2dc40b3512c66a10d98c |
| SHA512 | 92c354cde6e06357cf18fc93594927d0ac133f46a4c9739249a5dab2112617149e3c29b3a165ac91b0a7de37d6fb3949647abf5c6a639bfbed05a30bf5c15bcd |
C:\MintXU\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | ee4827c1317f21bbec46b6a28ea36394 |
| SHA1 | 5863a553ac702cf816b2f11b041a5424385c6594 |
| SHA256 | ee627072fbf25f3366053512bdb383272450f8caf3e68cc33c0da7d963de429a |
| SHA512 | 825dea012f777235880ece8f68a34b96d70dea2078b96836edeb52b270bcb705129399dbc749a93e57334fe3bf747771c3dab60540981e90ceacdc0ae8d22f41 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | abbedd48e1c2605dea6dd1752ed9c2a7 |
| SHA1 | 539e92d1ca976460434c09433a823f03485a20e7 |
| SHA256 | 9eb233bb37831478ce49c86935f155475b57ac6d86b785825cc20baa01467422 |
| SHA512 | 9d913e1b15f8a865518cebdf271834f3f72970f865f3d1a03fce449bab6ccc148493bebb127daa08846c8cd1627acd0a79693499537fa9b24370c9e49c501d74 |
C:\MintXU\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | ba1a8f6a982973e40427cc1f472919ad |
| SHA1 | 55bd6080a753e833b11c30c78629a35fb6251e56 |
| SHA256 | bfec55ff59b920c8e1a4dc5130857db17f759cc68c77c11d67ace65a762dffa4 |
| SHA512 | 674184393b4b1727d77f6ac420999495d90ea0ca7258d15d14fadf68b146f0cd701d5e92db8d136e4bec3254737cd4ac21c5ef154390c3c50780db4dd37c3046 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 00:01
Reported
2024-11-09 00:03
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\AdobeCP\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintR6\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCP\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeCP\devoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe
"C:\Users\Admin\AppData\Local\Temp\42b977ac1c189067ff5fd3853ae6e895cc471caa050115d3aac3409873649b40N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\AdobeCP\devoptisys.exe
C:\AdobeCP\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 224745e89cb23cf387cec86bddd27372 |
| SHA1 | d2efef360ff41d39c7f0bd1f1308fb569c120913 |
| SHA256 | 1cc08945310f6d2137110cdb3577748b2b71647285aaacfce5767495605f0252 |
| SHA512 | b4ed535866796d63efcb3f0a50a4a6e29169a698586a5b4a82c6a1e8a5862837a2dc7c4dcec03f772743289509df46817ded319d279bac9c28f0ae814917e749 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a1a0fbc24b7606890b5b396148d6d5b2 |
| SHA1 | 200a965cf3ce10201fd38b186fdfe912df8e99c2 |
| SHA256 | 3ca444291e19e1519a909bb4543b50e1342b6908a7b1a157df1f59fd04aab066 |
| SHA512 | f8f19d3526c49b7056d1c0cb442032dea2b7d2bd70d457504bc029804704b9a968b902ffc1978b9a7436b31773146336d6e7a778f5f0c9278066259828d81aec |
C:\AdobeCP\devoptisys.exe
| Hash | Value |
| --- | --- |
| MD5 | c85958552ca53df5cfe3a431fe83c299 |
| SHA1 | 6d4783ab0987d622e917c4ab4854a0bd92ba477a |
| SHA256 | f28dcaca530aaf867d9c1adeead9a3407c6406b1a71bd72a430335e8585a137e |
| SHA512 | 6fe0dd0f1a1b10853248338f48b9b4acbeed0394ef075d2015f1a4b475432eb4baa311dd82ae3f4c5a2a1add4291aa4950fb5641ebcc132cca0556054448e2d5 |
C:\MintR6\dobaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | d2ad1414c7fc881eedbb5658990ded66 |
| SHA1 | b7dbf1bbeda1b1fc9c5f315db56a43b99e1076ea |
| SHA256 | e8315b492b9de26e1dc0656dc62a454d09fa582d7b8145fc8786265cb1cbe8dd |
| SHA512 | f3f8db602d742ba3e9b9bd69d7583db65f05b07dbc81d82831820d7176948ac1cefa63574aaf037b2dd992f9d3ea1ca33c9a6ca0b856f490f73a633a0ccb401e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | eabde8b37200d12dd20e1df4709ba347 |
| SHA1 | 72c3748eacbc9b2f3e6497d6ddaefce6c340eb5f |
| SHA256 | 3aa5d454c0ec3ecb6d1458c23c022d7e9fbc92cae5bd6305a661c6756594400a |
| SHA512 | 209db248e9feabe5dfc26f9c5f796f0d9e5d99e963513d4dffb7a1c40a397cec7bcddca61cbce92a166c7392483aa2b4f0ba2e53ef8738c380365dc774842136 |
C:\MintR6\dobaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 03e8d0a7f0c1c55f1931a8130f07ef4d |
| SHA1 | e76110181ec468f257f780bd47aba2df414f0af7 |
| SHA256 | bc88bac0a2b82ff5e51b659eaeef6790bbddb60cb127c8cb2d7d1a3b410c90e7 |
| SHA512 | 0f79d9e21842137e57e53f02823957a4eff4510db47ba8cabad8be86c0803517cf39f520c8de76e3db354726a9d95efeaa27a0e5864a70cd9b2a2979e74e0305 |