Analysis Overview
SHA256
11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1
Threat Level: Shows suspicious behavior
The file 11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:31
Reported
2024-11-13 15:33
Platform
win7-20240708-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\AdobeF4\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeF4\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVP\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeF4\abodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe
"C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\AdobeF4\abodloc.exe
C:\AdobeF4\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | a530197682e0ae0ecc38c2e697bde685 |
| SHA1 | 2a6287f1b541622569f96bde03ce77a96c8f5da2 |
| SHA256 | 2f8a3039143af71ea7b2108f874f8bc15db22254dcb40878e3ea37306cff1121 |
| SHA512 | e95a8522edd9bc4e2d5f1c6efab86b9487fc7929318bfa5a430bc88451a76310e24db4d5ab15ed9fbd11e2e8f94e4fd7063ddcadd8274f44694d2afcca33ef88 |
C:\AdobeF4\abodloc.exe
| MD5 | 95d9152c4769c3237d14e386a327670a |
| SHA1 | 998c06637ab198f6b0de4b0518203298473241ed |
| SHA256 | 055c4f8079bfc9d4430b62d10f2ca81d19c51824aa0df1efe1981f45d9942b8f |
| SHA512 | 776c159a8cdf2c2a9972009dd7522b992b3d2e88524fb114fb77e3444762e10bc7f41dc76104b56563fefc5670e2016bb2aaa97f87ca3300b76aed62de3e08c1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3981ac7c9e17a36528ed1c4a4637187f |
| SHA1 | b712697587bb9265f5a07587be6052c9cbbd6d89 |
| SHA256 | 937ff40e256c9caf3564b753be6894ab389f0ae08930fafde05f6f209e1f6ee4 |
| SHA512 | 8631b70f4952922b4b4c2b9b257b61fbe3de58d4263703ff3addeaa29c40c35b53421ce897670ba14d9c66a125207d82221bb6814357cda735647e6f06971cb0 |
C:\VidVP\optialoc.exe
| MD5 | 61b773990ee27e9e908970e63b267f79 |
| SHA1 | 522f4b8bd8207fe759634142fdb72607b71380f4 |
| SHA256 | 8680f82d44553da0b976a373a4c22a7847b75edeed53a8fcb3bab73b13c72c0d |
| SHA512 | 6a34405c32b1ed6c0070d4c054d00db08edd60f126246e30755b99cdc98b0de4394c89b066d72ca1b9f4c4ef554bf4713874e94aae71615254c3d79bc546c29e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 801040894ca948118a24debea3f6ba6a |
| SHA1 | 311e910817dfb0eb66a6a590bda58f6df7d3a90f |
| SHA256 | 93b0a21fb1e5406743de6cac72cec1acd7b15b2ab48d8df33a26f9fa63d8b371 |
| SHA512 | 2085486cc72464f48fd6b3852fce067dacb24a91cf2e989c1c187ab7a106f37f03cf4f10caa79d734e7c93233ee42c7430591a2e34e51fd29283ba9e68ddd675 |
C:\VidVP\optialoc.exe
| MD5 | 31053a19cc4d291a4f99aaf304fa80f1 |
| SHA1 | 896205e18e257fa548a6f663d574355514a413fb |
| SHA256 | 3b00f838d5999cbd672f07f3ff1e50f4fcb5b531cc103acd0f6c74844d57542c |
| SHA512 | c7f389e6fbbdee0c910afa7c74dafa02a87817e1e5f68340eea06dc3b8d1f0073f1b2d450d72c82374ed5b4f5b71f7d16b0777a39c557efa02c2d14cca1c6345 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:31
Reported
2024-11-13 15:33
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\AdobePS\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePS\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGH\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobePS\adobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe
"C:\Users\Admin\AppData\Local\Temp\11aa2aca61ca89c526060514d83e96cd36f46ee9b2bfb371ac85267a05aa11a1.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\AdobePS\adobsys.exe
C:\AdobePS\adobsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 30fff21f02eb0b2c2517cd5b203f8e85 |
| SHA1 | 365fdbca43d44000db9464858ed657df517f0e42 |
| SHA256 | f55f64c0860d6431f9039d154fd55622ba7f437e2f7f4d56d8ceeebeea14e8dc |
| SHA512 | f6e4cb463f88d6aaaa4289ad420835c2cbfebdca007281124d7582185546f8d7d7bcc2c7e02578f40e601178d7c9a0532e0aba3c220153f234dc76ea6899160d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 336507e8d06a81c0158e79aedbe4127c |
| SHA1 | 2af4ad27e438400e7294a97595907a81d29021b9 |
| SHA256 | aef62be06811cc7a701c99b7533f0f9730a6f2b583224a71be408ccd4903f9db |
| SHA512 | 88263f6241b2ebdacd1710f2754e13554d038e78c772ff1dd9791f85d89a35c60116ddaf80e73385dd6007d2d505c60cd8876ce3d6f43f6ebd3c4904658e8771 |
C:\AdobePS\adobsys.exe
| MD5 | c64e72dc3b86682267c884159f803b5a |
| SHA1 | c770e762e5d107d3fdf871406948f9b9575505cb |
| SHA256 | 7cda706c376d3d6e398915e59941e0947e7f19d15c38cae32c8b88f46b9e0152 |
| SHA512 | a1b228e05481f63256fb81ba994d602baf83956905ffef619d9b7489da5a709c76b01afd1b788a384edf24a1a18a98e5df0252b3ea692fe9cb9c73169e969727 |
C:\KaVBGH\dobaloc.exe
| MD5 | 2456e825ceeedb20f71206165d49e947 |
| SHA1 | 890f9632fef2a6bf43a9dfd735746c09de658961 |
| SHA256 | bed445e013cfb98c10918a7d597b299d1361eedd9c130606df15e64bf7cc7606 |
| SHA512 | 970e403d499e2e6ce89292e5e79ed790e0a90bd1db7ff84e7bb8662441954b77395552a9eff23069355d32fb3163ba55b4761c48c45bc8f4ad37465dad63e20e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a6c34c583b7afbd2808d8501d3243f12 |
| SHA1 | 5bf7e708249268611ecf290ff26880905eff8e26 |
| SHA256 | 9684d48208dfeea9fc27fd74b5573019901bb8135dace5dc48762cf0a7f3be8c |
| SHA512 | 1c291c7971192a7b9bf3e1d47253ed3c629acde109ff508869e7f29fe9543ad5c842f3fb7383b68a90aa73b36a30c7f668553b2383ac5acbf5c705736729f4a1 |
C:\KaVBGH\dobaloc.exe
| MD5 | 2a23090f40d6ef5329784a691a67b032 |
| SHA1 | 8b371426423ed6eedb2be6db8f393d5cdcef2ac1 |
| SHA256 | e46d2dfa55bf7f925af4a432b7a2665219ace3b2b61558983a5e08c09fd1889a |
| SHA512 | e2e8670d6d49b464cf93c05763e20019ab5aafd86dad71926e9416ae75add64f0068788a4ec78b919c5455d45b30df29d0902e7cf5c304dcc5275fb45f215e53 |