Analysis Overview
SHA256
88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626
Threat Level: Shows suspicious behavior
The file 88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:08
Reported
2024-11-11 23:10
Platform
win7-20240903-en
Max time kernel
119s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\Adobe7M\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBH2\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7M\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe7M\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
"C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\Adobe7M\xbodsys.exe
C:\Adobe7M\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Adobe7M\xbodsys.exe
C:\KaVBH2\dobdevloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:08
Reported
2024-11-11 23:10
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\FilesP6\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP6\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidEC\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesP6\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe
"C:\Users\Admin\AppData\Local\Temp\88419244eab9675bf0d0821cc96fd1cfe1addbcfa414c655f1d8f7ef1e2de626.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\FilesP6\devdobsys.exe
C:\FilesP6\devdobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesP6\devdobsys.exe
C:\VidEC\dobdevec.exe