Analysis Overview
SHA256
a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0
Threat Level: Shows suspicious behavior
The file a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:18
Reported
2024-11-13 19:20
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrvBV\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBV\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidWO\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvBV\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe
"C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\SysDrvBV\devdobloc.exe
C:\SysDrvBV\devdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 0bb0578a38917e20503b388ca6ddfacb |
| SHA1 | b3c4d18814df0bfa8e5ad157282ccf25b2b075e6 |
| SHA256 | 6da6d10a670fa23d23691bd461921056c37c98ca6712fb91e3a27fd01be65493 |
| SHA512 | a38716e2c2fbe9162c96df95474d2abe81baed592df5dcbe34543485d7f97b8947e7ceef7820d4ff59fad3ab859f18ea45e690ab29de1d2ef9a0ecd826c66ff2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | dffa0f4bbb861160fa7555d762b8afd6 |
| SHA1 | 1c6c2308bdd6158ae538a6440b7a355706a3e191 |
| SHA256 | 6aab7194af0b2e44fe7e46fd7a42bbc57525818886698dc574b2b8c52cdeea2a |
| SHA512 | 97153953fc2e5a44a0c72cf77ddaf0c5a8a9ba7a200c9a304ce99d4bab24ee560faefbb707e1b9f4e6f0984079f7d2af02611c782d15c61e9f17f23100181624 |
C:\SysDrvBV\devdobloc.exe
| MD5 | 56e0de840d12b4cedfc9eb637a0dcbb1 |
| SHA1 | 1945455ab204725fd7f62f6f2b051112ed8d0029 |
| SHA256 | 30d7204b316eacb04c43eb989ec49cd4bc7c6a5911bb11e9ad446fdc927f7bc4 |
| SHA512 | a3182cf1280a3f1c6cbf8558712c376e1f412b05a51434ec7bd7ff804978d3edbecd832c22c160c3c0e842737fed9a79fa4d7f72bed7603434e113fde0e4290f |
C:\VidWO\dobaec.exe
| MD5 | e88ff6db972a0cefd871e5f8a7298158 |
| SHA1 | e6b0263b6d3fd069d36d993757bb38c15a6a4a22 |
| SHA256 | 291d14f5e2cb5d8d4e3aea04b3c4460cb8066c08ae5c0f095fbc977fc0c9af4f |
| SHA512 | 8e79e8bea48875db36fc7d02968a34648d59c1b45fe95d6c8e842be39822fd66fb1af720b197fe9d937802ecb9010daf24f393513595c55a2d79741e985a8cbc |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 2cc66d8c425c0cd9e0e6c89e8e6be0a0 |
| SHA1 | 53daa62d7f3982f11b63cbc6ea794763d0af12c3 |
| SHA256 | 287e1f0ffcf297ea0a4ce32c77efae0f97a5cbe948305259a33a340fd988479b |
| SHA512 | 4b941a2715befef4c705f6d3577f3ac77d11400776b04760529a9f1fd5ec16d42ef2f850371148648da1f40b08c43e98d20c6e4904b672fa161423d8c78c6634 |
C:\VidWO\dobaec.exe
| MD5 | c5d1aa3185a6c0796ee70ad99a75f291 |
| SHA1 | 53b5b0de2f2cea1bfe8a4071b113e0774a0cafbb |
| SHA256 | 00c23bfa409272e62766b2d4c648fd596d0787ea8244d68379288811f6c00d95 |
| SHA512 | 6ab26709492278925524bf5daaf856846ad4cd21bf839e078cd01aa2b04cc78736d2a47e1fb0b01f3d5202e20530a7c9ded4a847cbbb344c0300db3c9490bfc5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:18
Reported
2024-11-13 19:20
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\AdobeIK\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIK\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4Y\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeIK\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe
"C:\Users\Admin\AppData\Local\Temp\a2da87e635bc6d0321960d5ada24cefa948b1fbe6ff677c708d207014c348fa0N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\AdobeIK\devoptiec.exe
C:\AdobeIK\devoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| MD5 | 20094dbcf70926c518eb19b2b4a8ed5b |
| SHA1 | 7fb9653255c28731490b3ecc1d47f4455d8097fd |
| SHA256 | f48be2ae0a4ff574afddb98d973ba709af44ebb0abd820aa5b404c0d8d2d08fb |
| SHA512 | 186263cfb200d5b2dbec614419459d42b08a6ca0cbdb58246272e81084f52b18c5257cdd9c0e7cff00f425a5a3b9a6388c599e8285c861fc8a71e6b3524cdb06 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 09bc61316af54574e853898d2b0bdbbd |
| SHA1 | 9ed8cb0d8eb21e0b4d6447b4aaf9dac4980d972d |
| SHA256 | c6b130cae6f7ecae870281705f6f063316c8d765435919f285a29e9f8d6d0a95 |
| SHA512 | 884f9e9128ec3f9413d9e8ea9ea9fed1a583f5abe29b018c5c0b6c5031ed6c78af92aff742b6738631f105c63eeac786bc1fab5719dd1a5941db06c881d5c9ba |
C:\AdobeIK\devoptiec.exe
| MD5 | 5bdbb40209c18540182597fa19bccf3b |
| SHA1 | 16c0ca3f0e32c615c6f2b2bea8eb261e4403bdf0 |
| SHA256 | 8c3ff5cbffa67b6b8a7bd9b6c203c9f2aa337522afcd37636a658dab58533275 |
| SHA512 | a154f0151f707e0bfe0cee29d844f314e6952a54167e79d351da524dad280b211b5a4fb37f53c3569475cc333edb54cf3313b5656e9111a1d3fb95e99b0651fd |
C:\Mint4Y\dobasys.exe
| MD5 | 1f998b7ed3034c43c7c95908a28835fb |
| SHA1 | eb6e11e6056c1b2a137196e6d5f0f1919d15d226 |
| SHA256 | 1785e0ab2604d84d81c7b071fd04eb25f47818b2998dcba299052d79c3c4230f |
| SHA512 | 7aad0ff342ff06174ed4f38d3aedc34b2b6ded01c5fe167a4e96989528a63829b6621f1f36f63f5cc00a169eb59bf0b65cbc86e0adc046b1bcdc75793540f0ef |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ffc4f26a0cde0525bc2d306bd6474d32 |
| SHA1 | 42b8269147567fa141bd4e1f9c7fc4bd13233e0c |
| SHA256 | 885acb1931b0fd9cfb30b2c386118bc712f7163f859175d2bf17c5010a165fe8 |
| SHA512 | 9b6d9c0d850063fa205dc27f586fc234b3d9db92e0418d514a7c0931931e3826cbb02c1546d05f50948e07bc13ff5e4c95d37036976871ef329f855831e1495e |
C:\Mint4Y\dobasys.exe
| MD5 | e52eb734bd60eb7344048c6e14167a47 |
| SHA1 | da3d037dc2ad3b11de435f2169e2ef05be882d92 |
| SHA256 | 7352fd3346d97a1c71c4f8039bbc722d408c6df31f4691c787ec09b990d7a327 |
| SHA512 | 1a4260d656a27b0f59b5433bb0cf85f65c0074126445ba8cadd4b0be7da8a97cc85eb47c5ea2c4a91de605aaaa9d74b1ff2890ca6cddf1064a283270a59216dc |