Analysis Overview
SHA256
3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7d
Threat Level: Shows suspicious behavior
The file 3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:54
Reported
2024-11-13 14:56
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\AdobeXM\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeXM\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint6R\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeXM\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe
"C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\AdobeXM\devdobloc.exe
C:\AdobeXM\devdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
C:\AdobeXM\devdobloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Mint6R\dobdevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:54
Reported
2024-11-13 14:56
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\AdobeUH\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUH\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB84\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeUH\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe
"C:\Users\Admin\AppData\Local\Temp\3f32bb778573b2e60d0a3570bd999ca9673c86f422d8cd9f9cb3c57c52c6ce7dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\AdobeUH\adobsys.exe
C:\AdobeUH\adobsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeUH\adobsys.exe
C:\KaVB84\dobxsys.exe