Analysis Overview
SHA256
d0608ed4f5d17b8e9fe55fd59f06f51c3be3a850d0a9edb83b096aeac4296515
Threat Level: Shows suspicious behavior
The file 34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:25
Reported
2024-11-11 23:27
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\AdobeCP\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCP\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2Y\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeCP\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
"C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\AdobeCP\xoptisys.exe
C:\AdobeCP\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 6e0b2cbf1b96046a1c8d488bd3c52503 |
| SHA1 | 67882c5c48ed4451663e424cdd37e14c87bc9deb |
| SHA256 | a86a8a83fd247756084ac1b40fd7791d7bddff032e03cf19ead3011030f8e5f8 |
| SHA512 | c0bfe3aab14d621fe0e822e319d592f07ee484397e4105cd27af53595a5c6c6e3933dd338f63ea09311b193294a7176675b20dfb3d8e4562192ecde1a78e66ea |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 14b144f9afd091bbad4926ed3f2691ea |
| SHA1 | 7c686f6498facb4baf6d4176d1fb2cc5e46a55a8 |
| SHA256 | 44769ca0084f7691077444b7b283ab31c199052ad483c597ab934c611346e74e |
| SHA512 | bcd6f8c2008144ec91590753b5b1dff4ed5266aa90f118600f04415ac1b12a5cd0d13113a4d4c2a3d560c6aad750327e132d095bae48a7fdd59a932a57724c1a |
C:\AdobeCP\xoptisys.exe
| MD5 | 69c569ce85ae4ac92c23ed62ccfaba1d |
| SHA1 | 483d0707406120ec71fec0e01f126613f81acd39 |
| SHA256 | 10df2fd229f5c5b41b22a6fd23c21230051d39ee5e22742d526487591eb569ed |
| SHA512 | f494a3b99ce601c193f32814c99900019ca11864ad8d9afe3807d5c4ca55d6efbd71d4904f54e59fce4472e41bee18724e35cab1dbdfe28b1f83bd902d0de318 |
C:\Vid2Y\boddevec.exe
| MD5 | 29ac6b89d4e0491177a88adf518b8427 |
| SHA1 | fe13633e026dab8ff34c3d4a19f2ce99b72ee8ed |
| SHA256 | ba31f3902232fdbf0afdf9a1da1acc06c2b76131bbc8822240feeb130d694182 |
| SHA512 | ff7fa9703f8778cd4a356b48671acb733f9588a8e4faf32545e368b5881b68a2b7cd7a9901bd8c290d5f404562335db71f32abc669809de7afa6efbc76d14119 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ad16d8d6e99494bb1df98bc610c3a50c |
| SHA1 | ae4da1b76b57f16ba33f5e251359fa1cdf13d4ea |
| SHA256 | 2cd784a12fb0a5162a8e9e19d5fa748118de931958f72c0e0e15780dd1ac54ce |
| SHA512 | c983742bb363920fd800b5b6ec8ca28ab2a9b661728097d1a5e77c1b61c58764a464f89e67aeec72e73b4104de4fc0a4118562db44cb00ef29e080053835b5dd |
C:\Vid2Y\boddevec.exe
| MD5 | 04e003246e4f4c90093bec8fac8d4b4c |
| SHA1 | dee33ed5496137fd9c564b37204eaff424f4d8aa |
| SHA256 | 126f7ad5f4b547bf3efaab4f103cf7b6dabf5aa9598616319cddd16b9d5d8010 |
| SHA512 | a0e6cc52ebbe0a3e26b4b2dafa3a5af828dd71d54dd53bbbca000552d571c8c6cb6ac9f383a4991393ea69c1419ad0a3826905323dccd85b3031452e93011a8c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:25
Reported
2024-11-11 23:28
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\Adobe2R\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2R\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8I\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe2R\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
"C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\Adobe2R\xbodloc.exe
C:\Adobe2R\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 3e064563d6efda5d0bebdd22cb763538 |
| SHA1 | 20385b93fe8375153c32aa9526eef83778031e2e |
| SHA256 | 5f325226ca6b6a14e7110d65974a52444f6098d1ec23dfd05b72264fef628892 |
| SHA512 | 0b6866c07b9c906d8d3779fdcb43e74a8da88985a75827dad7dd3a09441aa6d402e6aff4b7753684c17ccba5e0745108e5f1c48efddd68bf2e3fa3ac84fcbb3e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c45cedcfb6f3705734821193e9edd249 |
| SHA1 | 51a9e452db15153363aefe32746109ac949d8806 |
| SHA256 | ae2491e91fcdda13b59188ae4a4cfd882c2ce5e1033b22ae65c91cebca9e690b |
| SHA512 | 21b2ed4c1e2c29666c61e115ae31753d158144d41d3edebc622aabb1572b6dc02098077d94e4b0a38f24b61f7a128b26d7675331dc45253175ec440d2f21ae65 |
C:\Adobe2R\xbodloc.exe
| MD5 | c90d6a36c4003714c0d8ff1a76c07712 |
| SHA1 | 28593530449cb940e93920e82ff4e78b1c1bc93b |
| SHA256 | 95d38a02bed3064364d4a067e4b085d244472222aa201666013a925b48b3e0f6 |
| SHA512 | 4035df6bd79f366b39a318aab4c26fb0b754a4512d773856a362480064d972e6969c338ed46d5dae9053f50693864afed8ec73fe9b9b5876e4ad456bf0c4e88d |
C:\Vid8I\dobaec.exe
| MD5 | 1dc564368666ae3d07f1eab8a3fcef8d |
| SHA1 | 08406dc2148796ef6b28846eca4603bdafd942ad |
| SHA256 | 66ba85659792ef388c2945a4375ffad35597aa6beb01ab8304e91e9a8a77a981 |
| SHA512 | 935fa6d5b9f12b2780eefc61d6cbd388cacda152585bff3741f099dc71c742739dfd47ac5e8793ae8e94546257de357cbf7794868537b4312c00883b0d432628 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 866e640905701764d5dc13cfc014e9ac |
| SHA1 | 1f7bd6fbca4813bc7b8ba391da6540cc315f8d82 |
| SHA256 | 58f6e33b3e720d4166d81cc1c6d3060573aa6ea178c194111ecac74b67a45aae |
| SHA512 | 2bfcac98470e27f4a3312ff6d0ba3aa4d28f583b2830f8cf42c18daa9d374621b4e22ed1841da41887c88858917b7a712ffbb8cdb5e43b02b772aaf1b3f2d59b |
C:\Vid8I\dobaec.exe
| MD5 | 69d5d8a5560a569d4b62991e3ff1e5e9 |
| SHA1 | ca80bff24ce364fa2f4c6fd68c798726c224500a |
| SHA256 | c819e33858d1a1135119da386dc51661820900c8eb1d72966a7ee1833b7eff95 |
| SHA512 | 5813a83da0e87f30293bf3a838af171225bea1d87e929a588d160008634712911192e87ee9c8860089b8d408d0f17ea963ada5f12a1f407e5d1b3b2d8b634cbe |