Analysis Overview
SHA256
ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639
Threat Level: Shows suspicious behavior
The file ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:21
Reported
2024-11-10 01:23
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\UserDotQ6\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQ6\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEB\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotQ6\xdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe
"C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\UserDotQ6\xdobec.exe
C:\UserDotQ6\xdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| MD5 | 769c6c8d83d3b36246ab3cc60a7d6ac9 |
| SHA1 | 44b5342c1b79671bf5c6bcb8c7e3b7d7532c3c26 |
| SHA256 | 97769fb33a63f82e6335ddba9ad590ddca8144d24aefe29b7057d667f14d1180 |
| SHA512 | fdbb8db43911e184d524e278d85cb21d8d4f1c9b33055079ade0ea843a1f94ece91b60cc119fe6ab285ad50ce844e9d7dce4b91bfa5aeb8df35d5ddad2c62a6b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ff5f5a6151a728c8d8085d2f69d8cd35 |
| SHA1 | f56a3c960fa299fd941bb49afe5b182a10e9d0ff |
| SHA256 | 3c31ace48eed1b56228f4ac6861a9e6e53d022046534c46321b2922e0f44a9be |
| SHA512 | 912dfd49c24ac5186b32ef852fe948f29cfa1d8a09a3ef77567fb034b615dc34025b6033bfed574e07d11402abdc2a72275a752741dd77ce127faa7804aa7399 |
C:\UserDotQ6\xdobec.exe
| MD5 | 4554abf08da4ec7d0054d8a5e7c529ac |
| SHA1 | e1833b1fb85cc4bfaddc0720c7d6bb2ff9694f03 |
| SHA256 | 5dd5e2ccefca6c9d739e6f445234c3e911a57f5ceded73f2a66bb47fc4dead20 |
| SHA512 | 66a4b3dbf485dba42efefc0666259822f338e68e1e34c25939abbc7eda975c5c302ddaf2ba171a9b9bae1c747aae77f4a3d60d5e1a47e8f2e7083529f203b246 |
C:\KaVBEB\dobaloc.exe
| MD5 | 1ca3f902dd8b83fab93b4124bc575daa |
| SHA1 | 54e6d8633f89f18bfe97aef03222ae52323040d9 |
| SHA256 | a34b9f046cf136a13dc746ec5ccd1dd0a4d8ee6a0329e5c31b012012d43ef552 |
| SHA512 | f83afcc047630de31d772e42ef57b12f144dbdc07f8008eac95e4774bfddf1a7227c1f146726f5d488e280874fd51d76b463fc0b9a44f2a4bdbcf2ab190a27b8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | fd2287e4db6bec0898aca3f974c841de |
| SHA1 | 9d905c87f8e1d069a3268f7dd33bdc31e6bc9326 |
| SHA256 | 632b399c6efdc18fa77ec7cd578838afd31f840038721672a3fdf8a1f9123b2d |
| SHA512 | a1892228efa2c7137a41b75dc688a9d704ff8f53caf8a8835ead74deb384547935948cdf63df9cf3a883b4053974c07ae11bafb1d1a1089a7630dd21bc565c01 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:21
Reported
2024-11-10 01:23
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\AdobeSB\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeSB\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBKS\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe | N/A |
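The Run and RunOnce values named Parametr and the executables dropped into the user's Startup folder, recorded in both behavioral1 and behavioral2 above, are the sample's logon persistence (ATT&CK T1547.001, Registry Run Keys / Startup Folder). Each target sits in a freshly created top-level directory with a random-looking name (C:\UserDotQ6, C:\KaVBEB, C:\AdobeSB, C:\KaVBKS), which is itself a useful signal. Note also that a RunOnce value fires only at the next logon, and the Processes lists show neither dobaloc.exe nor dobdevec.exe running, so the behavior of that second stage is not captured in this detonation. The following Python is an added example, not part of the report or of any sandbox tooling: it parses the indicators exactly as the Signatures tables print them (the registry data has its backslashes doubled), and flags autorun entries whose target lives outside Program Files or Windows. The benign Example control entry is constructed and is not from the report.

```python
"""Flag the persistence artifacts recorded in the Signatures tables above:
Run/RunOnce values and an executable dropped into the user's Startup folder
(ATT&CK T1547.001, Registry Run Keys / Startup Folder)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: the "File created" and "Set value (str)" indicators from the
# behavioral1 and behavioral2 tables, plus one benign control entry
# (hypothetical; not from the report) that must not be flagged.
SAMPLE_EVENTS = [
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQ6\\xdobec.exe"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEB\\dobaloc.exe"'),
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeSB\\abodsys.exe"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBKS\\dobdevec.exe"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example = "C:\\Program Files\\Example\\example.exe"'),  # control
]

# Key paths compare case-insensitively: the Win7 run prints "Software", the Win10 run "SOFTWARE".
AUTORUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
# <key>\<value name> = "<data>"; the report doubles backslashes inside the quoted data.
REG_SET = re.compile(r'^(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
# Directories a standard user cannot normally write to; anything else is fair game for a dropper.
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID
    reason: str
    target: str     # executable that will run at logon


def parse_registry_set(indicator):
    """Split a 'Set value' indicator into (key, value name, unescaped data); None if malformed."""
    m = REG_SET.match(indicator)
    if not m:
        return None
    return m["key"], m["name"], m["data"].replace("\\\\", "\\")


def is_unusual_location(path):
    """True unless the executable sits under Windows or Program Files."""
    low = str(PureWindowsPath(path)).lower()
    return not any(low.startswith(root + "\\") for root in TRUSTED_ROOTS)


def evaluate(events):
    """Return a Finding for every event that establishes logon persistence from an untrusted path."""
    findings = []
    for kind, indicator in events:
        if kind == "File created" and STARTUP_DIR.search(indicator):
            findings.append(Finding("T1547.001", "executable dropped into the user Startup folder", indicator))
        elif kind.startswith("Set value"):
            parsed = parse_registry_set(indicator)
            if parsed is None:
                continue
            key, name, data = parsed
            if AUTORUN_KEY.search(key) and is_unusual_location(data):
                subkey = key.rsplit("\\", 1)[-1]            # Run or RunOnce
                depth = len(PureWindowsPath(data).parts)   # 3 means C:\<dir>\<file>
                where = "new top-level directory" if depth == 3 else "user-writable path"
                findings.append(Finding("T1547.001", f"{subkey} value '{name}' points into a {where}", data))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.technique}  {f.reason}: {f.target}")
```

On a live host the same two checks map onto Sysmon Event ID 13 (registry value set) and Event ID 11 (file create), with the value name and target path taken from the event fields instead of the report's indicator string.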
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeSB\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe
"C:\Users\Admin\AppData\Local\Temp\ade21eb090bbfad006fbb8af1347a06225bec90baf8d28d87c8cbcb7c3dce639N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\AdobeSB\abodsys.exe
C:\AdobeSB\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
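All eight Network entries are reverse (PTR) lookups sent to 8.8.8.8; the report records no connection to any infrastructure of the sample's own, and the win7 run shows no network activity at all. Because in-addr.arpa names list the octets in reverse order, the addresses actually being looked up are not obvious from the table. The Python below is an added example, not part of the report: it decodes each name back to an address and classifies it with the standard ipaddress module. Handling of ip6.arpa names is included as a generalization beyond the IPv4 rows on this page. Caveat: a Windows 10 image generates PTR lookups of this kind on its own during background service activity, so compare against a clean-baseline detonation on the same image before attributing these queries to the sample.

```python
"""Decode the reverse-lookup names in the behavioral2 Network table back to the
addresses that were queried, and classify each address."""
import ipaddress

# Constructed from the Network table above: (destination, queried name, protocol).
SAMPLE_QUERIES = [
    ("8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "72.32.126.40.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "200.163.202.172.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "241.42.69.40.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "98.117.19.2.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "13.227.111.52.in-addr.arpa", "udp"),
]


def ptr_name_to_ip(name):
    """Return the IPv4/IPv6 address a PTR name refers to, or None if it is not a PTR name.

    in-addr.arpa lists the four octets in reverse order (241.150.49.20 -> 20.49.150.241);
    ip6.arpa lists all 32 hex nibbles of the address in reverse order.
    """
    labels = name.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.IPv4Address(".".join(reversed(labels[:-2])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            hexdigits = "".join(reversed(labels[:-2]))
            return ipaddress.IPv6Address(":".join(hexdigits[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:  # non-numeric octet, octet > 255, non-hex nibble
        return None
    return None


def scope_of(ip):
    """'private' covers RFC 1918, loopback, link-local and other non-routable ranges;
    'global' is publicly routable; 'other' is the remainder (e.g. shared address space)."""
    if ip.is_private:
        return "private"
    return "global" if ip.is_global else "other"


def summarize(queries):
    """(name, decoded address or None, scope) per query; 'not-a-ptr' marks ordinary A/AAAA names."""
    rows = []
    for _dest, name, _proto in queries:
        ip = ptr_name_to_ip(name)
        if ip is None:
            rows.append((name, None, "not-a-ptr"))
        else:
            rows.append((name, str(ip), scope_of(ip)))
    return rows


if __name__ == "__main__":
    for name, ip, scope in summarize(SAMPLE_QUERIES):
        print(f"{name:32} -> {str(ip):16} {scope}")
```

The decoded addresses are the ones to pivot on in proxy and firewall logs; a PTR name itself rarely appears anywhere except the resolver log.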
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | a66af0b093eb5e0065c842acc30dc566 |
| SHA1 | 962beee22d406fc9f38fa7debc6fcb2fe95e8679 |
| SHA256 | a0c4f0da640bd1f69433cda4c31b3ef2674dd4236c2c74cc6cca8f7d695612d0 |
| SHA512 | 77e53c566ae5ea9fea947624626d20ec54b48d1a2aeb7bbfb6ccf8d013e5ed25e3efb4b980a712413f7cddbfb2be29a6ecc6f2cf6899daa1d7cbff7c8c1743eb |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0039b74cc1969de33770aeaa325ee66c |
| SHA1 | 3c4061247e99bc13fd48b6772414a21ee8b610b6 |
| SHA256 | 0fa7aea8ce2bd9aaf2f99f4e27ab5195189d9ff50f938316909a15f8c34648fe |
| SHA512 | 4734da52cba5f5bf4c1cb20d3fc4bfada8fb911313eaddad45b98bff6e499b9a9aec4e4a7b4d1522de75e06fc67148e70e978ced6cdcf6d1b4f73cb853f45638 |
C:\AdobeSB\abodsys.exe
| MD5 | 8a70b8c82d4fd24158a94a547f31382c |
| SHA1 | e5857c3736d2ead7396f0009851a1bfe3c0382c6 |
| SHA256 | 49c7457f33bb0d1e405db44f783424eaea28dadd7ad017daa7f5a3941d6c8b16 |
| SHA512 | 021be8b710707cdedccb2f9609458bb214c8d43269bed746c5adefb255050040c2f2b9363cf4c6321f5cedad9451dcbacdea9772f0de5de1364500c9f0c1b897 |
C:\AdobeSB\abodsys.exe
| MD5 | 72e6a13e75a23e7ad3e235c1b38e8e3e |
| SHA1 | 482c964eacca373de97afe5c1314644fec95390e |
| SHA256 | d8522e4d8334bbc368a9cbdf659f03f30f87e6b917d77c70e8a0ff57cfa04d01 |
| SHA512 | 8d1f152692470eb7c6683c3e6102dca7ecc285ae1c0ae932d76ad1a3c95813218e269b7ea1afc6ee6cad6047d820ab06ec76f9972879570ce67cf644ae529521 |
C:\KaVBKS\dobdevec.exe
| MD5 | 735db99bee29e6f141f97a19833e17af |
| SHA1 | fe7b96578235097a369665cbf95370a7e422f69a |
| SHA256 | a6e76e7da3d358ee5743615b2f89774243eaec5c9600535c8c520acf276461ad |
| SHA512 | 66d544087d3e7997ad60377deb5feb1b19693de16e5fab168ac567003ae87cfae8b5bfedd81712940729a6be121d53bafb0f22bcb1f0565d30320d392ad6ab2f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 65de8caa34c61a68e7c1693278177774 |
| SHA1 | ce068fc94a2845cceb088a3d1f83dfc401f44f51 |
| SHA256 | 8d977d4d28895ce17d6346b3d745a8ebe075b96e30302eca09037b9344ed1851 |
| SHA512 | fe132a031bf26beb6319ee32726e650bffc899d79e2784b94ee65eecfb6183fe1bef8b4d3afa3a4d872b3863cbee440a5de262545f4c1cfe2256eb6ed8a03137 |
C:\KaVBKS\dobdevec.exe
| MD5 | 25b06622d06135711387e4ee9502477e |
| SHA1 | 594fb1929682c0169e234a9d3d94edc1fe396515 |
| SHA256 | 5b1d95c1bc534b9e8ccb898b2f31a69f520d672f0c5320c90e06860fdfee74f2 |
| SHA512 | f60778964df6b2b4214150e40128cf66f0de6cc9ab657d9ababed5af3df895ed4a117aea75593f983f74d850c4d4ad99b90952256a2f2c8b0dc82120da412f07 |
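The Files lists record C:\AdobeSB\abodsys.exe, C:\KaVBKS\dobdevec.exe and the Admin.ini file twice each with different digests (and the same pattern for the .ini on the win7 run), which means the sample wrote those paths more than once during the detonation; an IOC list that takes only the first hash per path would miss the later version. The .ini name also embeds the OS version of the host that ran it, 6.1 on the Windows 7 image and 10.0 on the Windows 10 image. The Python below is an added example, not part of the report: it parses the Files section format used on this page (a path line followed by | ALG | hex | rows), rejects digests of the wrong length, groups entries by path, and reports rewritten paths together with the complete SHA256 set. The embedded excerpt is the behavioral2 Files section trimmed to its MD5, SHA1 and SHA256 rows.

```python
"""Parse the Files section format used in this report (a path line followed by
| ALG | hex | rows), then show which paths were written more than once and
build the SHA256 IOC set."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW = re.compile(r"^\|\s*(?P<alg>[A-Z0-9]+)\s*\|\s*(?P<hex>[0-9a-fA-F]+)\s*\|$")

# Constructed excerpt: the behavioral2 Files entries above, trimmed to MD5/SHA1/SHA256 rows.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | a66af0b093eb5e0065c842acc30dc566 |
| SHA1 | 962beee22d406fc9f38fa7debc6fcb2fe95e8679 |
| SHA256 | a0c4f0da640bd1f69433cda4c31b3ef2674dd4236c2c74cc6cca8f7d695612d0 |
C:\AdobeSB\abodsys.exe
| MD5 | 8a70b8c82d4fd24158a94a547f31382c |
| SHA1 | e5857c3736d2ead7396f0009851a1bfe3c0382c6 |
| SHA256 | 49c7457f33bb0d1e405db44f783424eaea28dadd7ad017daa7f5a3941d6c8b16 |
C:\AdobeSB\abodsys.exe
| MD5 | 72e6a13e75a23e7ad3e235c1b38e8e3e |
| SHA1 | 482c964eacca373de97afe5c1314644fec95390e |
| SHA256 | d8522e4d8334bbc368a9cbdf659f03f30f87e6b917d77c70e8a0ff57cfa04d01 |
C:\KaVBKS\dobdevec.exe
| MD5 | 735db99bee29e6f141f97a19833e17af |
| SHA1 | fe7b96578235097a369665cbf95370a7e422f69a |
| SHA256 | a6e76e7da3d358ee5743615b2f89774243eaec5c9600535c8c520acf276461ad |
C:\KaVBKS\dobdevec.exe
| MD5 | 25b06622d06135711387e4ee9502477e |
| SHA1 | 594fb1929682c0169e234a9d3d94edc1fe396515 |
| SHA256 | 5b1d95c1bc534b9e8ccb898b2f31a69f520d672f0c5320c90e06860fdfee74f2 |
"""


def parse_files_section(text):
    """Return [(path, {alg: hexdigest}), ...] in report order; reject digests of the wrong length."""
    entries, path, hashes = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:                       # not a hash row, so it starts a new entry
            if path is not None:
                entries.append((path, hashes))
            path, hashes = line, {}
            continue
        alg, digest = m["alg"].upper(), m["hex"].lower()
        if HASH_LEN.get(alg) != len(digest):
            raise ValueError(f"{alg} digest of length {len(digest)} for {path}")
        hashes[alg] = digest
    if path is not None:
        entries.append((path, hashes))
    return entries


def versions_by_path(entries):
    """Map each path to the distinct SHA256 digests recorded for it, in order of appearance."""
    versions = defaultdict(list)
    for path, hashes in entries:
        sha = hashes.get("SHA256")
        if sha is not None and sha not in versions[path]:
            versions[path].append(sha)
    return dict(versions)


def rewritten_paths(entries):
    """Paths captured with more than one content: the dropper rewrote them during the run."""
    return sorted(p for p, v in versions_by_path(entries).items() if len(v) > 1)


def ioc_digests(entries, alg="SHA256"):
    """Every distinct digest for the algorithm; all versions belong in a blocklist, not just the first."""
    return sorted({h[alg] for _, h in entries if alg in h})


if __name__ == "__main__":
    parsed = parse_files_section(REPORT_EXCERPT)
    print("rewritten:", rewritten_paths(parsed))
    print("sha256 IOCs:", ioc_digests(parsed))
```

Keep the MD5 and SHA1 columns only for matching against older feeds; both algorithms have practical collision attacks, so SHA256 is the digest to key on when sharing or blocking.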