Analysis Overview
SHA256
b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7
Threat Level: Shows suspicious behavior
The file b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:22
Reported
2024-11-12 17:24
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\AdobeE5\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeE5\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBT5\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeE5\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
"C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\AdobeE5\abodsys.exe
C:\AdobeE5\abodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 1d818454819fd97802aa0746942d9765 |
| SHA1 | e00a1e210f2ee2f70a387d9e600b2f7babbf6eb7 |
| SHA256 | fce7314099fa1e4829cbeec1aa69b0b151cd5ee95dfaa3e987cbde4f034668c0 |
| SHA512 | 0385d2cdaeba185bcb722212a943e630082dc701c5046933b5b21bf51d07de5fca462c3cee866a53fcdb585c9f0fe89e67334c81cc65e82636648a430c6a5d88 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5fbd78922358f922873cdedd5e25babe |
| SHA1 | 17b2332a5aff6ea840f6e455c77d8730936bc4a9 |
| SHA256 | 482a3bbc58c100f10fbea2df7a1cc332be1484bbfc8039eb5a46e914cf9d332d |
| SHA512 | 7a8809dfff9d920c24656eb8e0c66b77893f75b54c12e750876d369cfbf44a0191b0eb3ff7755fc7cfad6c6a2e705c25e32d5e84a2090cac9ec1f90145d9adaa |
C:\AdobeE5\abodsys.exe
| MD5 | d66bd7c008ad7b4a9e0b99df91de8255 |
| SHA1 | 56f4d445d6605949be271e63451a4ce1fc6a92b2 |
| SHA256 | 443097d91df09e6e212f658e688b56d35af92f4c01948b27c9a7be21eff3e11a |
| SHA512 | a489ce8b5ea6fe84173f86eb294a75368e2aab67f3ac1590ea8daade4f8f26a04a46184f36a5c69a87acfb461e3db317e7db3fa776fbc11a372b045b8e05e589 |
C:\KaVBT5\dobxec.exe
| MD5 | 94ddd99007321bfd7b3af2f306793b30 |
| SHA1 | a7498f9f7c4ea7b223975cfec894ff5cae547170 |
| SHA256 | 88644a1244ffc6bd3a2d865866351be61da1def38f6c5f5da063b94a08344c8c |
| SHA512 | 55171c6e499fad5a1eb59ebd6cb828d9b42283b440a2bddff773cf29abddca130d57d3f81016b125bbc2bcb7d14b298ab4754c380772e3c0bb72487604d57bd8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f8af5861a3d58cf8d90a8725c01b631c |
| SHA1 | c75f7f7a74ac0f8c80409f73d84403fc94794aee |
| SHA256 | 3ef4ebe87a719a675b91e827858f3cf5803ea6341032d1c4c29c83a362b338a7 |
| SHA512 | c9b56f78c8a92cd29a7f50161816531a6b4ff3bf3baeea2b14876fb795cb8ed5ed02cfc785fff3fc9800fd619bbfb4b1917fba7ab2453291746e010b83057e4e |
C:\KaVBT5\dobxec.exe
| MD5 | 03d3196e6be75996b8519a625cacde2d |
| SHA1 | 41f1d5353f6a69128f8a3ae685887ef21143b7a2 |
| SHA256 | 4f970a4b2db3fb998bbc56f05b53ebfbda272db276e42706c072d44d4adc4d70 |
| SHA512 | de891583e53539c62c5034bfe0d493f21cf18ed406889ddcd56a44b351e42c1b4bec54fd74842ee5ddb415e5a1c7d04a22fe1c1efbf5fd80b846d1de1b6ee234 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:22
Reported
2024-11-12 17:24
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\AdobeWO\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeWO\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDZ\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeWO\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe
"C:\Users\Admin\AppData\Local\Temp\b8c48b9ddc15710c06bc988be8ba14b05d3a69ab2b6cf33462548dd1080e57a7N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\AdobeWO\adobsys.exe
C:\AdobeWO\adobsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | 5f04dad6081f60786100da8710df08a8 |
| SHA1 | 2646731d5cbc33323aafbe7d9a5d54c3a2baba46 |
| SHA256 | 14f4eed85794cfe1b9e3ee3114012b974fdf06c12830f332f8899a60058623e5 |
| SHA512 | 970d0423ba88b46f2342ecfeebd2c4fba7b3f5eda657faf60dffeb9ccb0da70c558aea6bdb9904c5c6adcc9823c0001412eb89cd000b0c9e0107887267ed1cfb |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6d30d6f5ea332597da6acb08d8717e25 |
| SHA1 | cb68bda2c8d91bca756cf017933ac72229297a42 |
| SHA256 | bdfff1edb63e88961a83075974d0d391b0c4452e1184ffc9882604456f6370e7 |
| SHA512 | fb0a0476bbb13c6c9f658e9a44692c0add81a899a2b3a6130cc7d4df7d0f2fcd90dca907350b2b2efe106fd408b42a98ce0f215c2d7346e068685e197dfc66c0 |
C:\AdobeWO\adobsys.exe
| MD5 | 5ffab038d17d47771c031d3b701e0cc5 |
| SHA1 | 74d331d26e5210e7e523c750b0080e1641bb61f5 |
| SHA256 | 1b2bb8b0c13c9e1418b1e48501e2a62606e0e890934e027d746c196943068982 |
| SHA512 | fad3e0cee5656b4fb350050395b6d8039f870087a145394dfc2eab77587a10e53b2e421be937a90a9a80244cbd3096e07f785a35d7df3b5efb0e258ca75678ec |
C:\AdobeWO\adobsys.exe
| MD5 | c96dc72408f960e75ef8a6138820772d |
| SHA1 | 3dd72e937c15158cdab3b4ffe00aca12edebd60f |
| SHA256 | f3ce1349895b9d7eb03506e83faeadc291aecf7276ff9bf565c6985bb3bcc6e6 |
| SHA512 | a08648bc812a7ea103f0bd2e8908b1bd63da2659e1ddb7d4cae8c8981597ed58e4856c9657d01bf97214b50268f7571e98ba16f66f3145bb9f10d23c113f4353 |
C:\VidDZ\optixloc.exe
| MD5 | 92c97bfb8cc7475e4f1c3e33de026bf6 |
| SHA1 | 99ea6e9e089849197f004b7fa08f6814440a4b63 |
| SHA256 | 0c387b7d3108e0ae782f62c43808c86147736720709fb884b45776064efa41bb |
| SHA512 | 42d0b1e0206b7a2d020284d3bfb89850e931359be68057134dae0a1539bcfdfa198ec470d85786e7a077fa50913dd28833e4912a69bfa522df718ca4b073c5a4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c44c6677df279fa89b36e1da00cd0dba |
| SHA1 | 5e115c4e02a879202d4ce534339526324e26600a |
| SHA256 | 578af5eaf313f387380ac03b18c8b3c3351072dd1b7aff73cf20288d1451d96a |
| SHA512 | 8a3f07b88fc6638cbe0593b44920b7702c74c47a12dc738da9d67df853da84daf27417725eaaebb3e0ad42b2e7257dbad2796b13dbfc8467e2db0752a0e03d2b |
C:\VidDZ\optixloc.exe
| MD5 | faee513dd743d3b3ccd609363833fd30 |
| SHA1 | 499396fe99172ba38f27cc9739c744e96b35078a |
| SHA256 | 53e08c514c6373f5158ae7cef7322b3fc4703e369ea67e3eeb527cf4ae6124f8 |
| SHA512 | f120134684300c7cec1196568d5185bf25a7b154e40a966c5333fe259531028c00aad15bc961c5be153964c6a0e2f8a4637f8dbbc8f35257f6289b6ce344bc9e |