Analysis Overview
SHA256
513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74
Threat Level: Shows suspicious behavior
The file 513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:03
Reported
2024-11-13 19:05
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\AdobeGN\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGN\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxP5\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeGN\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe
"C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\AdobeGN\xbodec.exe
C:\AdobeGN\xbodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 54a92aad3bddd2b42f0e944dcaa78f0a |
| SHA1 | 7b9dc0d5b4c9eae21f2e1a8113c66cf0ee0ec5e7 |
| SHA256 | cc4de2442335a72c3e2b75d12bbc1fd98b6ffeac5bcecb3d6810d3ff3e97d300 |
| SHA512 | 7efda7740098241d34569f97af95c56a52ad014cee4079560e7e48302214e5b750fbb2e6aa68bd5709e802dce6e17952f3e7d029184e8083f835b7c1e95a4d3d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e338ef8d81d896b80cd7ff2d1dbc96e4 |
| SHA1 | 8042cac4446bb41acd5afdddafbee54af7998dd8 |
| SHA256 | 20067a2c8222a1432b5d1d1958043172c49a2c516f190eaed896298d62e2b344 |
| SHA512 | 1756b30ce978b120b086d90f4b857b39fbfeaf8f4cecd837c573cd9a37cf4235341b783d951130505125739b5607971a10994cebac429513111305e30e77c0c3 |
C:\AdobeGN\xbodec.exe
| MD5 | 9aff31926e2407280a5dc87af52da52c |
| SHA1 | 954e0a42a3037a11ac3c15b674e6632ff75ac4d3 |
| SHA256 | 61c70d26f36455c5795e3e9268c46f86f65064b6fd10846532bc9d5f8bf53c78 |
| SHA512 | a173be3cd9f63ee0b025743acd989bd908d7adfc92bdc043463eb749396a6db34d6e32e4c9b06efdffba82503b5185f2b43d3f040efb579c235e88e631f91c8b |
C:\GalaxP5\boddevec.exe
| MD5 | 1487d706be7cea55de8bb8a201b007b8 |
| SHA1 | db9a5cb382eb69ce1986bcaa431c2ee2fbcb59cc |
| SHA256 | 842220635614165289e485d20b0c21a17150bdc6e63749d1da8b8877ecf98004 |
| SHA512 | e7d287f2c0e4f1cd164b5e5bcab8b153e28005b4828f6381704ef8388c71591243be12ee8bda2cd3fb844ecae373d9a7b5a1f1585fa8ff29be908028aca85f1c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | dcbe51ff71266b40450e4684b2429abe |
| SHA1 | c2f07e45ac1dd0fc2ff08771b1155a158dc3da7d |
| SHA256 | 2b13de1599971bea398dc50f876c1cf0dcdec08835941b4467b456183c6d89a3 |
| SHA512 | 82ab46f613413102976af915ca4da974271ccf98b500437dc469c117cde7fb0fef4c78120b140b1d3b6d6e93e830144397cc9167ff8188b960f08bd8bf7b5158 |
C:\GalaxP5\boddevec.exe
| MD5 | 82354a62afa75a80f2244cd79b602f2b |
| SHA1 | e873818aaa16ccd355934c0ef461b8b69fd064a4 |
| SHA256 | aed9f218aaccc43a00cc3ac1946249b51658340d6fa157546271ad16745f01eb |
| SHA512 | 80cc557b98920934304f25775d929cdf0c8042f869d884b217bbe9895380a1bf1ff568ea647713fa521c3749e8c60259083ffe184065832d55fc401b17558599 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:03
Reported
2024-11-13 19:05
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\FilesOK\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOK\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8F\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesOK\adobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe
"C:\Users\Admin\AppData\Local\Temp\513af0a7b78f627ff6ad8a1c0675796a0b41324c97e6dc70fd1fe242bcd1fa74.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\FilesOK\adobsys.exe
C:\FilesOK\adobsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 7a75631681c8dfc80a3a7b27a73878da |
| SHA1 | e5b920b70cf8f1f19b72c80ee12b2e4a35b971c6 |
| SHA256 | b1edea356be44f437c2bc737320aa14482770b6f9785502584c233effff4be65 |
| SHA512 | 5e9c24d9cb945be7095ba8f560412582291fecd369a6675114c320f6c245f884612c6ac0078a21f9f544d07ba1506fa45c661b4aedfe481d5ea04a9a6cd385df |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 66aa26815a75de3a5caf973d94540ce9 |
| SHA1 | babeaf50bcc1d1dccca98f495fd2c3d0b5f5e27f |
| SHA256 | 561ec201fe1fa89d0d8ae05db30675b2b1164d44a69112cda3adc19dfd64921d |
| SHA512 | 97ee6a1cb846a17e9ca045ab9ee4178308ef19f07c7b8d85264535e683a0ea94cda1cd25d3974100339a50e01e5d9f8bef28cabaa42f8ede892f927b635f70e1 |
C:\FilesOK\adobsys.exe
| MD5 | abda4e82f518d596a97cfb2bc728a108 |
| SHA1 | ad6099b26de295a02f1661fa78c94dce983ccf4e |
| SHA256 | ce7d0d9b63b8f1003b78dd7f9ad3538e60e1965984f433ff39520742c82798ac |
| SHA512 | cfcf46a9182cc04ccb393d22a2abaa87d98844701fc465882d077e256c991f471d00c24dc1a04e34e2894f778b1fdafbc52006747425d76028667266a5b701ad |
C:\Mint8F\dobxloc.exe
| MD5 | af5ac6238db5999be11354756e974518 |
| SHA1 | c897b8533794d4b4fe2f3c90b02373df17b366d6 |
| SHA256 | b353d2150b3b470e3efdcb3b1bc1aada09f37ceab89930e92d0a1e194d4bab48 |
| SHA512 | 7a48477e71f266f88f85782b3041699f52d22ce56f01ffc8024e2c49bd64ea461c546049103920657e92957c67918cabeef99f8f26ce370c7ef3ae5cd55332f0 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5d505c740b61a3723f5b2e06851450e8 |
| SHA1 | f9427cb9c85c2b16808fa837a5847e73c598dfcd |
| SHA256 | 3dd9a021510a4d64fd168e44ddc65b8bafb929c0904bf19eb138acd5ca7a9e63 |
| SHA512 | dea47f49289554989775524c769da69d509585779f80fde4bcb9691e07e53beb8873d508cfd3a61ba0e9672c1e5fe30bf449b27c4a3afc13182026bcac111826 |
C:\Mint8F\dobxloc.exe
| MD5 | 336200e56d2d2da5460dc52d589f8f5d |
| SHA1 | c22a4bf085a24d3daf90fd11b03b9c1912222ba8 |
| SHA256 | 8e479ef80c5c0199502cea779f360f21a0bbcc16dba7bfa13b49aa084c964248 |
| SHA512 | d1da0a1317c00a127363ab960ef3aa1588ba055e2cc93983988d2e118b5f2f94e15b0e6d8822c1dbff59bc985fe6db2d9ad20909ad79a6cb76b1381842a62e88 |