Analysis Overview
SHA256: 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2
Threat Level: Shows suspicious behavior
The file 1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 13:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 13:59
Reported: 2024-11-13 14:01
Platform: win7-20240729-en
Max time kernel: 120s
Max time network: 20s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\AdobeWY\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeWY\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4Y\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeWY\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe | "C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe" |
| C:\AdobeWY\abodec.exe | C:\AdobeWY\abodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeWY\abodec.exe
C:\LabZ4Y\dobasys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZ4Y\dobasys.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 13:59
Reported: 2024-11-13 14:01
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 83s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\UserDot8K\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8K\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7V\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot8K\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe | "C:\Users\Admin\AppData\Local\Temp\1ea85afd9dad2407ea4f42935da9e7ef2391e7e8ae2013477369d4484ad9d7d2.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe" |
| C:\UserDot8K\adobloc.exe | C:\UserDot8K\adobloc.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDot8K\adobloc.exe
C:\Vid7V\dobaec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Vid7V\dobaec.exe