Analysis Overview
SHA256
c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5
Threat Level: Shows suspicious behavior
Verdict for the submitted file c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N: shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 22:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 22:59
Reported
2024-11-11 23:01
Platform
win7-20241010-en
Max time kernel
119s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\Files43\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files43\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBXJ\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files43\adobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | "C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe" |
| C:\Files43\adobec.exe | C:\Files43\adobec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | dbbe794b7d1e9930c5e26b245b7ada9a |
| SHA1 | 7771e2b873cac53688dfee441ebd2b588b238a8a |
| SHA256 | 0503db4a865ca857c2ead9e12f797776945bf8e97f79edc05247c7f2d5c53bb3 |
| SHA512 | b8d71bf2c803b9b173c71bc2868eee5ac045ec7ab03a9cdefb54a92ce3a14de09d7699875deb89404700c8c05b31505f432e5499b7100c3ea78c7714c9e75bce |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7c8cbedd6ed0b62d42477f34f0cf22b5 |
| SHA1 | dabdde4b895b9c6124e78557e5dce29598ff7ed7 |
| SHA256 | f3190ace32657fe624ea548ddbf3c0a41a49c3db909b238a337b836309a863a4 |
| SHA512 | 2a77391042fc4044373612bcbf2f079c1b0205df50eb72b8da1336fd0c018616c85dc56d498fad2ac37f61a626a05d9910c8a521a2c376e2d6b2fbb6289cf282 |
C:\Files43\adobec.exe
| MD5 | 010abc54ad22b0097656874fb22a7154 |
| SHA1 | 45bdf3c1248bfa8c3561f645584b422b09487bfd |
| SHA256 | 705f76c68555180f761c8c851afc45b406822827d7f5552bd4b1e0d0b4814633 |
| SHA512 | fa5324f35df376fc039ce4e3f804a6f788d3702b680d932e1c53d240d96195a223dda954f583c38f94a775656386606d2c16788dd30a1aaf3eae959c47311545 |
C:\KaVBXJ\optidevec.exe
| MD5 | 20f0a6c2d04c94d3aea73a3cafd640cf |
| SHA1 | f0739c422f17fcc49d868fb2d2296d9465367ae2 |
| SHA256 | 1ab6252d7e5a406eb8688ac27e0aed57e7a3df230d1414c535b755cea2ff83a3 |
| SHA512 | cd1c1de681e24c88957ecf8651b7235854a0ebb549969e96f8592b85c10717d91bbc4dcfd428050c81e5712b81bb141e1cc8af96c15badc47652594276cc6771 |
C:\Files43\adobec.exe
| MD5 | 79bfe05e39bed3bfe258dbcec08804a0 |
| SHA1 | 3e53e6aa4b1fc5c4e86ffe88156a7ac8211189c7 |
| SHA256 | a30939aec512942ef10cc3c8fb8f46c5c618571a7877daedf0f05e9d537ce373 |
| SHA512 | 54ee965900cc7509b8c6478389c499e31b93306efa7a38984d489b53a368ff5726c990b8e80446ed6d9a7831419b80a808edc40a6e157b8de51d2f2d92ea83c1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b293c8f04ac79f7315b9712ce906491b |
| SHA1 | 497bb8b806ed3c7b2e38d1172830101cbb4e28f2 |
| SHA256 | c323b8008e3a4d726e32d167144c8c0068472b25be70016465a92fc90d5a48fb |
| SHA512 | 5c3d08bab6f0ac809c8b817b973e6b67486410cfe551594b993bf1a4c1ef10312df8762ef53535ef043a90f26e66460267cdb8d0b3706fe4a228024172a31608 |
C:\KaVBXJ\optidevec.exe
| MD5 | 0a1eafa7c08b57b9495781af29103e12 |
| SHA1 | 0e2c05c394c6fe6656354e41816b5423f4728cae |
| SHA256 | cb81f4d5d67b59dee2a6badfcab81fd821a2acf16690ee128964a818be1d0f6a |
| SHA512 | e9afe3e2c9edc2220c3e0dc26232688d2a4f523708bef9c5f9f9a8bdc4278e8b00f0644157f645935eaf4bdd4b6ec230b468269915f0869940ffae1093fdb31f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 22:59
Reported
2024-11-11 23:01
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\FilesC4\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesC4\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKZ\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesC4\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe | "C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe" |
| C:\FilesC4\adobloc.exe | C:\FilesC4\adobloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | eaba6178a71755b2ed2178b8b622c66f |
| SHA1 | e0d7ab105f9901bb30be040ef0d2e55e2e688edb |
| SHA256 | 927216629f7dbf9c40feeaaf37107d18e16fabb62df6c7bc9aed013df9b7f2b7 |
| SHA512 | 75c9f9f8ab90f6a8ba9db8ce70f0c5879bc415ab301c190ab9bfb526398aebe3d852ac08d4c207ba25f3264228cb2805632e61c5b1d31f6b036a7a4ef80220d3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7dad366e88d385535765baf6274d6c20 |
| SHA1 | 53ba86daf24361dcb252608f90b7f9ad83e63aa9 |
| SHA256 | abb33f56319dc1c0deb2bf3b6e4f8425837ef6a3294076a8f0c6ad96873220cf |
| SHA512 | 658fde955b75faf7c59188b8caf8433b7168ba0208d38fa07a086d595e3340b4b3d6ebb19b541ece531d47fc5d8983f41bacc3595567937f961800762358e9e3 |
C:\FilesC4\adobloc.exe
| MD5 | 19e86b221b1361b9b6f22a6f1c35b620 |
| SHA1 | b9e86c7b5a6a7c2ac7cf522775f4e7b5f7854db6 |
| SHA256 | 9a128eaa4cf8574d2c0ea3aec79bc1bb2c6af2f803ba4dba6eac243f3f101f38 |
| SHA512 | 6152845389a4fed6199483747de9a7bd361581fdddcb8011a8ede4ef4eea7de3e3a8793fc879b1cc026f11feef3b4c0360f015eb4215108a160e2e3e77d7512d |
C:\MintKZ\dobxloc.exe
| MD5 | a2aa82493782fb58a49875a59843e969 |
| SHA1 | 8aa1821c18e62193b89ef167083b078f4f480012 |
| SHA256 | 66bc97b44901da8f8d3c7e1cd8ef6abfd72077711a8059cb3508fafa299610ed |
| SHA512 | 8453e6d474c6f352353bbebde0efca0e1c0f1dc7820dd95f9bf844656c5f319bef5650d1c4d5d4037d07db0bed094ffee0c00708ac82d0c5c075ae0e6e5ccb99 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ed4f33db5297eb722788872b9de39564 |
| SHA1 | f3df26cd270216fd9f7501f7f5053cda3557dbf8 |
| SHA256 | 1c44c36cf6c547c99cbaeabe4beec501c1cca1bf3f0953be91a934f324d58390 |
| SHA512 | a9a47b8f35164399a7f6906331d7379c5061bd013912a7b15f1a710489b933fa204bd86a0684fb15af7a0196b8ab550e2a3990b37629c654ca76e1a458058af4 |
C:\MintKZ\dobxloc.exe
| MD5 | 2ea609a9118ccb74fd34f76d801b6448 |
| SHA1 | c8f8bd5a4a3f5681768c7b3d74a34f83be139ac4 |
| SHA256 | f74739ed382e5ed008d88c6709d9999eeafa9fa34882248307ce346223d0f138 |
| SHA512 | 11937a3eedbfb7b09b2847a11ff67ef918c5c6618c2c0eda6316744ecbfd3009ec05a6aa969fd8c6e082f75a2d6405f0888983a69d4d393cff72b670dce91fe3 |
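Across the two detonations the dropped directory and file names change (Files43\adobec.exe and KaVBXJ\optidevec.exe on Win7, FilesC4\adobloc.exe and MintKZ\dobxloc.exe on Win10) while the Run and RunOnce value name "Parametr" and the Startup-folder drop do not, and the same dropped path is listed twice in the Files section with different hashes. The script below is an added example, not the sandbox's own tooling: it parses the signature rows and file hash blocks in the form they appear above, normalises the registry persistence entries, and encodes the stable shape shared by both runs as a check a responder can port to an EDR query. The rows embedded in it are copied from behavioral1 and behavioral2; the hash blocks are a subset; all helper names are this example's own.

```python
"""Turn the detonation tables above into a hunt list (added example, not sandbox code)."""
import json
import re
from collections import defaultdict
from dataclasses import asdict, dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c1f42454ab422b3aaaea8883b3ff44a3cb7b42c947f5b647b337ae3d8d6f1ae5N.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKU7 = r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000"
HKU10 = r"\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000"

# Description | Indicator | Process | Target rows, as printed in the two behavioral runs above.
SIGNATURE_ROWS = [
    rf"| File created | {STARTUP}\sysdevbod.exe | {SAMPLE} | N/A |",
    rf'| Set value (str) | {HKU7}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files43\\adobec.exe" | {SAMPLE} | N/A |',
    rf'| Set value (str) | {HKU7}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBXJ\\optidevec.exe" | {SAMPLE} | N/A |',
    rf"| File created | {STARTUP}\locdevdob.exe | {SAMPLE} | N/A |",
    rf'| Set value (str) | {HKU10}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesC4\\adobloc.exe" | {SAMPLE} | N/A |',
    rf'| Set value (str) | {HKU10}\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKZ\\dobxloc.exe" | {SAMPLE} | N/A |',
]

# Subset of the behavioral1 Files section: the same path appears twice with different hashes.
FILE_BLOCKS = r"""
C:\Files43\adobec.exe
| MD5 | 010abc54ad22b0097656874fb22a7154 |
| SHA256 | 705f76c68555180f761c8c851afc45b406822827d7f5552bd4b1e0d0b4814633 |
C:\Files43\adobec.exe
| MD5 | 79bfe05e39bed3bfe258dbcec08804a0 |
| SHA256 | a30939aec512942ef10cc3c8fb8f46c5c618571a7877daedf0f05e9d537ce373 |
"""

ROW_RE = re.compile(r"^\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
# <key>\<value name> = "<data>"; the sandbox prints the data with doubled backslashes.
REG_RE = re.compile(r'^(?P<key>\\REGISTRY\\\S*?)\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$')
# An .exe exactly one directory below the drive root, e.g. C:\Files43\adobec.exe.
ROOT_DIR_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\\[^\\]+\.exe$", re.I)


@dataclass(frozen=True)
class RunValue:
    key: str     # HKCU\...\CurrentVersion\Run or \RunOnce after normalisation
    name: str    # "Parametr" in every row on this page
    image: str   # path the value points at, backslashes un-doubled
    writer: str  # process that set the value


def normalise_key(key: str) -> str:
    """Map the NT object path the sandbox logs onto the hive names hunting tools use."""
    key = re.sub(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", r"HKCU\\", key, flags=re.I)
    return re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)


def parse_signature_rows(rows):
    """Return (startup-folder drops, RunValue list) from the four-column signature rows."""
    startup_files, run_values = [], []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        desc, indicator, proc, _target = m.groups()
        if desc == "File created" and indicator.lower().startswith(STARTUP.lower()):
            startup_files.append(indicator)
        elif desc.startswith("Set value") and (r := REG_RE.match(indicator)):
            run_values.append(RunValue(normalise_key(r["key"]), r["name"],
                                       r["data"].replace("\\\\", "\\"), proc))
    return startup_files, run_values


def matches_parametr_pattern(rv: RunValue) -> bool:
    """The shape that survives the per-run renaming: Run/RunOnce, value 'Parametr', root-level dir."""
    key_tail = rv.key.rsplit("\\", 1)[-1].lower()
    return (key_tail in {"run", "runonce"} and rv.name.lower() == "parametr"
            and ROOT_DIR_EXE.match(rv.image) is not None)


def parse_file_blocks(text):
    """Group hash rows under the path line above them; repeated paths stay separate entries."""
    files = defaultdict(list)
    current = None
    for line in text.strip().splitlines():
        if (h := HASH_RE.match(line)) and current:
            files[current][-1][h[1].lower()] = h[2]
        elif line.strip() and not line.startswith("|"):
            current = line.strip()
            files[current].append({})
    return dict(files)


def build_hunt_list(rows=SIGNATURE_ROWS, blocks=FILE_BLOCKS):
    """Startup drops, persistence values matching the shared pattern, and every SHA256 seen."""
    startup_files, run_values = parse_signature_rows(rows)
    files = parse_file_blocks(blocks)
    return {
        "startup_files": startup_files,
        "persistence": [asdict(rv) for rv in run_values if matches_parametr_pattern(rv)],
        "sha256": sorted({h["sha256"] for hs in files.values() for h in hs if "sha256" in h}),
    }


if __name__ == "__main__":
    print(json.dumps(build_hunt_list(), indent=2))
```

Running it prints the consolidated hunt list as JSON. The point of matches_parametr_pattern is that a query keyed on the directory names (Files43, KaVBXJ, FilesC4, MintKZ) would miss the next detonation, whereas the value name and the root-level directory layout held across both runs here; the file hashes are still worth collecting, but note that one path can carry two different hash sets within a single run.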