Analysis Overview
SHA256: 63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f
Threat Level: Shows suspicious behavior
The file 63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f was classified as: shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-11 23:04
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-11 23:04
Reported: 2024-11-11 23:07
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 121s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\AdobeSG\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeSG\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBR\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeSG\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe | "C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe" |
| C:\AdobeSG\devoptiloc.exe | C:\AdobeSG\devoptiloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 1cfe43a3090e04b65bdccfde99cfa8ba |
| SHA1 | 0e2b41c8bbb3165723f5c4ac10504bfa765baf6e |
| SHA256 | 4761f6cd6acd7e6285574cd75fdaa49369f092621006171b71e228b23ff1ef8e |
| SHA512 | 7f9ef4e0045be189233f6e2465879bdce3188ac6a25d1346f523743fe4a0330c65c27e32ac12275c15949bd81a6560f8fe7d1808350d8fa97a2fe6e4be014111 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | cac17bcafc887d5bc5508b5eab8f57a7 |
| SHA1 | 9b003a9e3f7a5a2612fe5c1a6509d06ae63f23cf |
| SHA256 | 8f95ee50eb5662b1707ad6a13613df58b452a1f7286c60d4a068c64f8934e925 |
| SHA512 | f080b0f963930f733cb04dd44eccb4034b08345b801601abfe4b745c7c30cb7684c5006033e909338a144774830448c21eb45812b5e0f3ab13d87ef34c795daf |
C:\AdobeSG\devoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | d5d8c51b2fde8a110cda09c14c77cb92 |
| SHA1 | 074015d597c2f59ddcfd8c68421f1e53a5ce68ff |
| SHA256 | f3065b774b89b5ab34ae32feab7549c491dac36e923f375172dd78da2a4c6ae6 |
| SHA512 | cb62bc421c9897e5ae0da4fee097c3c76ebfa252beb3c0bcd20386dc5409ee5e1cb77d9e4e5fadcbbd19b424abd75d31cece919eca22470591626706a44dd4c6 |
C:\MintBR\dobdevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | e0c7863a3f3d9b89e39b3713a7a24f1f |
| SHA1 | afcf273b40c4fad21d8db58cc9281afcfdcbb756 |
| SHA256 | e5502dc0c28c3f4a460af1cd2726d1764f403d9c615d9ab94a2d959de085846b |
| SHA512 | 49b2efceae3bea21d42dbbecb688121ca5dc89f0564bb00c52672987d1737b6d94179672620c799e3c7c18414b0e3d8029369d4f16cea1107dbec7baa1618437 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 95ef975e41c91f9eac483d77b6b3938d |
| SHA1 | ad9852caaee53c6b24f08ec9140b88e821faea3a |
| SHA256 | e700ca62442fd70ba3dae1955a9ca3a7e69e7247aa2c714f8bc7c75eb2a202ac |
| SHA512 | a2cee6e314bfa848e576a5e32fdbd46bf4659dc62c26b9973e87ed268bbb44308fe56e33c3613b1d132dcd0a113e9b49d565560365fae6b9a3fda0a9a8a28f6b |
C:\MintBR\dobdevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | f1aa967e87f59b6b6f57dace67a352ab |
| SHA1 | 1c95c5481ade9f57ac03e4c115ac3cfe83301cd9 |
| SHA256 | 9468e3a56ecb8f9f050bf1e338d1c5cf3c29374a825335de73871e6b4a16ff50 |
| SHA512 | fc28831ae142841d0c430fed5bff8e2540fe9521ec1a9b0512ec8da60bbcc7fa9c81712149102946e414616fcef99d27aae37ea640eb159bb1cc348522c1468b |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-11 23:04
Reported: 2024-11-11 23:07
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 142s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\AdobeM4\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeM4\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6R\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeM4\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe | "C:\Users\Admin\AppData\Local\Temp\63e5586b88d5a84283ce9bed21adbe4707c73b64370a3ee87e34653cd3835c1f.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe" |
| C:\AdobeM4\xbodec.exe | C:\AdobeM4\xbodec.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| Hash | Value |
| --- | --- |
| MD5 | 912a33f9fff9d2384b8dca75fe214f3f |
| SHA1 | 8823b933c9dab696e0fcad89cfd00082cd810156 |
| SHA256 | 0963a09d170392f67d272c10fd4492003f6e2282f2e0f6e73b883d13b14dc70d |
| SHA512 | 1c4940ba9a72749ba7d2d48f1364df532b9493559f2b7704d5f7244e95a0ddf211dd1a1861d1612d9ee801b443e2b87e09c281a04c8040647ff12b9d9d2797ef |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 85828776686f9a00ac8a71d893c189ae |
| SHA1 | 54a19990344ba5e72706f21686a2a4f925c2bd80 |
| SHA256 | 3b9fefb7c27bead6e87a8de27b8109e50b994b562b719235a858c26239f6ea0b |
| SHA512 | adc3a086ad560dda18e2a0abdbf120a20911184ba602a67ae9388e01c61d04ad67f37be7dd018765fe90c4397b084876457ca31e716fa808cc8b984206354722 |
C:\AdobeM4\xbodec.exe
| Hash | Value |
| --- | --- |
| MD5 | 500db616396fbaf4cc8551a12ca1f339 |
| SHA1 | 34b6e6ab1d8882b75e109bb82397721d75adff12 |
| SHA256 | 0dfe6fa7b2f912ab1b30011ae1b08a0e060d182f8453c119aa27e6055d428359 |
| SHA512 | d18d242bfe0f82f84834a533dbb5a0c71e7f741589d1798c7e6cadc8b3c31fff71b8e2d1cd20b5f604e13910600cc94233c1a4947598a170d66089e0aa7b06c9 |
C:\AdobeM4\xbodec.exe
| Hash | Value |
| --- | --- |
| MD5 | 45c6a3d12383a4d712c09f2323ea6382 |
| SHA1 | 82c3288e8af6d371373f8a105550115a4a2db4b9 |
| SHA256 | f1e6304ea0e95634723fe9c8df68a6e18bbf81e1c65e27def8f118297f215e66 |
| SHA512 | f538f1e6903767f0654bfbcb9bcea5f57e3f49dde343ac03cdbb77a7b1c17023e78af6cff76a0f04e35591f0625478e8a9704eaf201606da5e73906ad6b6efc4 |
C:\Vid6R\boddevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 81187fe23f0ffe1248dc09d7d4b61689 |
| SHA1 | 96364c1ec1ba5071f6190a7f20eda03584fe91f3 |
| SHA256 | b6a36642cadba0c74f8e29d6429b83649d63d2d45c69be683a5e5fdcfa61890b |
| SHA512 | 5ded54249cff72c36c91a3613bbcc7684e631903378cbaea3c14aa8ceb4f6d54cf4b87e04d9bd69d94ec3d58fe93ee6d4712da274fbf32db027d74739a905f13 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a3c3e567bdd42704c60b95954d2dd6dc |
| SHA1 | 5b38bf1ba8986b879cb9bfcefbf2e7ea03d14e01 |
| SHA256 | 70199a7eaa640f6a4aee28e66ad02bd84d29a877321df0d2d33468a5603b9625 |
| SHA512 | 450cd5fac8a76bd37191d09fa36a5dfed17cd32cfe1dd6f76521fa41f9ccda1d892239360bf80c14e2c8f812ec6041a73c5c38b57099beb7291f68caa3b8e33d |
C:\Vid6R\boddevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 9692e952c6f03dc5ee8b6b10364c77e1 |
| SHA1 | 1451b57d59d5fd71d006e085584e7defceec4a34 |
| SHA256 | 3dcce264a07fe01e429a2be3df5ab2e8ca9600c48ae4e5fbbd25307198c460a9 |
| SHA512 | 9b20c805f27ab554dc9fc8df40bbf601ea099babc6b55c588c4278a4564916d2a3c64bdb2e90054903c3cbd058818fa3cc2706a23881009f2fb7d5f47e44cb18 |