Analysis Overview
SHA256
0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991
Threat Level: Shows suspicious behavior
The file 0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 22:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 22:58
Reported
2024-11-11 23:00
Platform
win7-20240903-en
Max time kernel
120s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\AdobeZO\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZO\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB4K\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeZO\xdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
"C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\AdobeZO\xdobsys.exe
C:\AdobeZO\xdobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | 952164d9539bb6fe373932b7659ac1e2 |
| SHA1 | 9eebd7f07a6ab972884b53db9d96c6dafaa40764 |
| SHA256 | 40f9e615c5d49a137b7a5936f7d0911d49ddf6199cb32cdf819b5fce6f591210 |
| SHA512 | 79f34ed4f9faa84e3b64d7c43b9a868fd1b3ea41024b0c9abc4e3651bd3f934e2e59fcb9122db7b6e09ce584540edfb04d3e7ee5dc68728cb728b294ef5716e7 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 88d921a41fabeb3cad4ce9e179f5d6e1 |
| SHA1 | 19aabb4bec95caa868bb6e01829d9459450d1caf |
| SHA256 | 5ce5c0d3dce7b80ff08161f4e65b840ad114241035a52e22dd049cc6574bea42 |
| SHA512 | 7d66d8d348fda6b366df36969c125fd7cc69efce1bdbe166ac911ab83ac1784cef1fc8149fec2088e30c544f4f50d65198e54ad29533a3e176271b7dc119ad91 |
C:\AdobeZO\xdobsys.exe
| MD5 | 204a05a10dad1a06e68b89c19bd400bf |
| SHA1 | 71bc9dfee106f6eb017fde5c50d3f8e21ffd67f0 |
| SHA256 | eac2874a6bd90a38bde6541bb0e0fe6772f94304263602f4a2a8c38a5577a42b |
| SHA512 | 01207948290b61fa7dfbd3ef8a6cef9fa7243dc7028a558bafc3bf632f201feb740ca1b7840fd620394b232f4cc01c7e64cb36c7cc071ba876c05b0fbef9ae94 |
C:\KaVB4K\dobdevsys.exe
| MD5 | 983208efccc0e70698afe0543962a3e4 |
| SHA1 | ca89037f6a5138a552cbdda879debcb1bfaf5cc4 |
| SHA256 | 8f67249b1fe79296f3ada958796d50d5c0d5186b1b6aeb30c7d7ff99e0598a3b |
| SHA512 | ffd580053eca1aafdf5d95fdff93fa672557a8f5348df54e9cb92d2c20aff5a57d5a4442edfc67473297ef6fd1ade395a7ac322e24060ecb72e147eca53b3191 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e2adce868aa9c523bf1bd47f7ebc6267 |
| SHA1 | 22c9db77b048cc3d395a5141c544655371e13968 |
| SHA256 | 8180df726a823381aaceb846b1508e688c99691e8ae4f1ff743c6db619fccef6 |
| SHA512 | aac07f8c425ac2d688b20cdcd6b89463b6c33ac63298ab89a96c6278347dbac09bf07073991941f987f7bca5bc22038a1b19d5a32d94338daf8121d0fa419d0b |
C:\KaVB4K\dobdevsys.exe
| MD5 | 2a389542beea0684a398a5dc0ffff5d0 |
| SHA1 | 6ef0a6408cde893ce38f1f04b0f9d7a1cb54ad0f |
| SHA256 | 7ebc21e1f79d53d77b2cec73a62a1e6e84c79677df3a7244eb41912ef9cff61a |
| SHA512 | 72984864685d14f94a0f69a43f274a572f7db9ed84fba4240835fa5d25711e439c4959b3931e2926f9edef0bdb071bfdf02fab7dcb0233285d356d197de5703a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 22:58
Reported
2024-11-11 23:00
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\IntelprocIY\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocIY\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4U\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocIY\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe
"C:\Users\Admin\AppData\Local\Temp\0e5c6d610ea1b577e36e331d543c510c6463612d152c3f07e2fea8f50ee2d991.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\IntelprocIY\adobloc.exe
C:\IntelprocIY\adobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | a3a99e4910fb60bdbb0e0a7c30baba0e |
| SHA1 | 497241c397e96e1db33e38da9caf945a95029de5 |
| SHA256 | c229e00c3336d8ecc5b4a4a54928408082191e27c1e0497712a74754293ef035 |
| SHA512 | 90f18c669a035777e07e8915f8d33681b952ec28ec333817dc5e9da6b72180398dbca3224202472872eb8cef10fe5f9e5b1c6283a589262ee9c6ba7189c003a3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9e73eebf6e43c9e8bcc80345294a8cad |
| SHA1 | 7a2bfd07b07fd75f86747e295e4ca0b6558974f7 |
| SHA256 | b1cf67c9196980e783d7a6c0f90df19ebbaacf8f01671a9524b303d7a52752ac |
| SHA512 | 308fd64655414fa638305d1b7991d73ffda6d2b3d9924e94bbdf32b1368c753d8bd2854bb71a2b97b4588166bea8cf94252034876d146ad0eed8acecde5f73ac |
C:\IntelprocIY\adobloc.exe
| MD5 | c9221e0eb3a16dce428ff8c482aa2dff |
| SHA1 | 793cc75bc04db78d6d21cce028ebc5202ab1f199 |
| SHA256 | 89c1ad531a116c26ad2fba26da6aa3bfb742ddc6af38f6f62b23e30e4064dc82 |
| SHA512 | 47ee868b2819e8889fa54c5e846d987eb2e67d90d25d969bde5b4f55cf75e4b12765acc7077bab313d9e96935a1d554300bfac8ef2ebe9d36f2bedcf78e5ec12 |
C:\IntelprocIY\adobloc.exe
| MD5 | 1b0e8c585b73aea3163d4b6b9f3474ef |
| SHA1 | 0f9f694c3515f4ca17affdf851fe83a761dc52eb |
| SHA256 | b35f9f3a122def26731ce307bd4420797a66960e479a1c5383e92968a4caaeda |
| SHA512 | 7be38543d0a1d753fb36f12b73afcaed5fc437818bdff3d49408904120270335d7b7d1aeac3f8f0a7f9cddab9e9a5b6368bdc509ea98a74f58e895222e32c7ca |
C:\LabZ4U\dobdevloc.exe
| MD5 | cef51197dce2890a2055b4bdc0728943 |
| SHA1 | 94cce71556d92b8c7abbdd892d5ba6c7dd359fac |
| SHA256 | 06b8fc7dddf48866ed37f2a28160e7b4832348cee160cccfbc98da9818663f5b |
| SHA512 | e019ae0a71409e9d0a8fffbbd3f2fe56096cea74559fab5effa79ad834ce946ef5cb97a6108c198981f89805fffa1fa6b8de07f0a9700bdb57f2c2e457b576c3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ab2ee4eb83160d67c5ef6d15085c560e |
| SHA1 | 8bbcc17cf86b5db296f4cee68b5f84e217bccfd2 |
| SHA256 | 567e09dd60645ffa24e0e8e75db20b54ba03d846cd433cace609fa42ff19e795 |
| SHA512 | 58b8ce1253d96acb11ade7004e39c2b728ed42972127f540a450da5c5412d4e3394e2fd5a1f8538c7e307e53de863344dae26587e45847e728ce970d1850be41 |
C:\LabZ4U\dobdevloc.exe
| MD5 | 790f7205b4301ec602c0a2fbc5c2ef6e |
| SHA1 | c2b4d64e91312b297d7da1e115f26de11018a8dd |
| SHA256 | 0f69cf209312523ba469875b1aad04715bfbdde96244fca79175eb5de133f6d5 |
| SHA512 | 1d566cf3e019c34f1ea74fabcdaeb56c48079383d54606e0d5f56554d62d45b5531372844b15f9b9370d26a1f62095e643c3394b01b4ac15f5bc1d734c34ecc9 |