Analysis Overview
SHA256
f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6
Threat Level: Shows suspicious behavior
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:24
Reported
2024-06-03 05:27
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
159s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Intelproc6P\abodsys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6P\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxVH\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5048 wrote to memory of 3840 (reported 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6.exe | C:\Intelproc6P\abodsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6.exe
"C:\Users\Admin\AppData\Local\Temp\f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6.exe"
C:\Intelproc6P\abodsys.exe
C:\Intelproc6P\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Intelproc6P\abodsys.exe
| MD5 | 3f05fb9c73e78736b72bd1996b9e0a38 |
| SHA1 | a86592086699dc09c695167dac45e50cd85f767c |
| SHA256 | e0c556f1ef00620750589dd813415141a95c2211596911e7e3eefb285f043bf5 |
| SHA512 | e38a8cfc2275295aa50701423454add908f6a6fcaeecac4d4b133d65429a7158f98a79e857d00aef7d069bd18d896c29fe2bb77bcdafff3b9da402760d8657fd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 49a0fefe73781a959690e59d98e44a54 |
| SHA1 | 4224b23e36ade7111c18a44cbab329d07c7cafb0 |
| SHA256 | 8a9f4ae8aa2acf91717af26f5c0ceadbf6614f7c097be28a3baa37a3c73ad813 |
| SHA512 | 043e19c8f62560a7331cede294098ff0475380efa58b85b2562867fa55e5f1a7355a63444dab2fa99f03b1e7af06adc5edea111f03a0d8aeaf0a6730201c3042 |
C:\GalaxVH\dobaloc.exe
| MD5 | 56e0df0e2bcb48ac5c58d5bedef090ef |
| SHA1 | c5e53124ac4cdfe2764261aaac10feac0dad51da |
| SHA256 | 3c58c9e0d1e96a3f6d88d88d862b7e4c2f10986eaefb0eee96ac517c0bee1dbf |
| SHA512 | 754643458d437202d019ecf670788c0aa6d486940949cfb4880982120a4cb0e0cb838e2ee2fc4f6c2e99c1c4378683fb55f6b8dcd1f9fba059c38ec128b703d3 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:24
Reported
2024-06-03 05:27
Platform
win7-20240508-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\IntelprocKV\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKV\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWX\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2432 wrote to memory of 1284 (reported 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6.exe | C:\IntelprocKV\adobsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6.exe
"C:\Users\Admin\AppData\Local\Temp\f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6.exe"
C:\IntelprocKV\adobsys.exe
C:\IntelprocKV\adobsys.exe
Network
Files
\IntelprocKV\adobsys.exe
| MD5 | 12299e311813afea4c8dafebe44bae8e |
| SHA1 | 26c1fe2760060fc1d7772e26311d25a4a213c473 |
| SHA256 | 4a2ec9428e0e3c1cc73b43ff636b34c06ff001115656b75d42549377335d8389 |
| SHA512 | 5f7ad2846d8e5cdc3b1643bdf71fe891e4d06104b7ed4d9a863b11c40396b5c7ca28140fc67afa8c7d4b3568234dd56bdd3a2662d1f6a9e642f591813b0afa78 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 56a22226ddb339944000d0e802281d55 |
| SHA1 | 219bbc3be5c906618a9eb3d5babe2fcfa8d978c4 |
| SHA256 | 253a47c309ca942c391a8e12e0b5e2d545309d07a657652a2ee013ad2faa273b |
| SHA512 | cfecc542bd1e96ca3fb174de51bd55e857226bf273e77d029c53cd9eb2a20fc271dd51859dbc48dba03205e149b0303f1f09104ff2e65d58db5e08bc7c105c50 |
C:\LabZWX\bodxec.exe
| MD5 | d39ce99a9fd10e231f72e55ea26baab1 |
| SHA1 | b55a23ad71a64416b1195d43c91cf3b1f25fd2be |
| SHA256 | 966781116360fe68ef316ff5addb774fcde25da98020380d7b819ee2e84bd0d8 |
| SHA512 | 4d049979da67253f251015193380b041f0e279bf9cf4ee9449d9fbb6996ccb859103d7406b2a8c719caddaf2f4182e0ac2e72289459f1eb657134f3d38289967 |
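Host triage for the indicators above, as an added example that is not sandbox output or part of this report. It covers the persistence recorded under "Adds Run key to start application" in both detonations (the value name Parametr under Run and RunOnce, pointing at an exe one level below the drive root, written by the sample running from the user's Temp directory) and the dropped-file hashes from both Files sections. The log source is assumed to be Sysmon Event ID 13 (registry value set), modelled with assumed field names; the sample events are constructed to mirror the win10 detonation plus benign noise.

```python
"""
Host triage for the indicators in this report (added example; not sandbox output).
Assumptions, all mine: Sysmon Event ID 13 (RegistryEvent value set) is the log
source, modelled as RegValueSet records; the events in SAMPLE_EVENTS are constructed.
"""
import hashlib
import re
from dataclasses import dataclass

# SHA256 of the dropped executables, copied from the Files sections of both detonations.
DROPPED_SHA256 = {
    "e0c556f1ef00620750589dd813415141a95c2211596911e7e3eefb285f043bf5": r"C:\Intelproc6P\abodsys.exe",
    "3c58c9e0d1e96a3f6d88d88d862b7e4c2f10986eaefb0eee96ac517c0bee1dbf": r"C:\GalaxVH\dobaloc.exe",
    "4a2ec9428e0e3c1cc73b43ff636b34c06ff001115656b75d42549377335d8389": r"C:\IntelprocKV\adobsys.exe",
    "966781116360fe68ef316ff5addb774fcde25da98020380d7b819ee2e84bd0d8": r"C:\LabZWX\bodxec.exe",
}
RUN_VALUE_NAME = "Parametr"  # value name used under Run and RunOnce in both detonations


@dataclass
class RegValueSet:
    """Minimal model of a Sysmon EID 13 event (assumed field names)."""
    image: str          # process that wrote the value
    target_object: str  # full path of the registry value
    details: str        # data written


RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# An exe one level below a drive root, e.g. C:\Intelproc6P\abodsys.exe, optionally quoted.
ROOT_DIR_EXE_RE = re.compile(r'^"?[A-Za-z]:\\[^\\]+\\[^\\]+\.exe"?$', re.IGNORECASE)


def classify_run_key_write(ev: RegValueSet) -> list:
    """Reasons this Run/RunOnce write resembles the report's persistence; [] if it does not."""
    m = RUN_KEY_RE.search(ev.target_object)
    if not m:
        return []
    reasons = []
    if m.group("name").lower() == RUN_VALUE_NAME.lower():
        reasons.append("value name 'Parametr' matches the report")
    if ROOT_DIR_EXE_RE.match(ev.details):
        reasons.append("autorun target is an exe directly under a drive root")
    if "\\appdata\\local\\temp\\" in ev.image.lower():
        reasons.append("written by a process running from the user's Temp directory")
    return reasons


def scan_events(events):
    """Return (target_object, reasons) for every event that triggers at least one reason."""
    hits = []
    for ev in events:
        reasons = classify_run_key_write(ev)
        if reasons:
            hits.append((ev.target_object, reasons))
    return hits


def lookup_sha256(hexdigest: str):
    """Map a SHA256 hex digest to the dropped-file path the report recorded, or None."""
    return DROPPED_SHA256.get(hexdigest.lower())


def match_file_content(data: bytes):
    """Hash file content read on the host and look it up against the report's dropped files."""
    return lookup_sha256(hashlib.sha256(data).hexdigest())


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f0478d0528f6fd61dd326329541eeb5466d17807c997944450f5c321a25d1df6.exe"
SID = "S-1-5-21-1337824034-2731376981-3755436523-1000"  # sandbox user SID from the win10 detonation


def hku(subpath: str) -> str:
    """Registry path under the sandbox user's HKU hive."""
    return "HKU\\" + SID + "\\" + subpath


# Constructed events: the two writes the win10 detonation recorded, plus two benign ones.
SAMPLE_EVENTS = [
    RegValueSet(SAMPLE, hku(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr"),
                r"C:\Intelproc6P\abodsys.exe"),
    RegValueSet(SAMPLE, hku(r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr"),
                r"C:\GalaxVH\dobaloc.exe"),
    RegValueSet(r"C:\Program Files\Vendor\setup.exe",
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
                r"C:\Program Files\Vendor\updater.exe"),
    RegValueSet(r"C:\Windows\explorer.exe",
                hku(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"),
                "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for target, reasons in scan_events(SAMPLE_EVENTS):
        print(target)
        for r in reasons:
            print("   -", r)
    print(lookup_sha256("e0c556f1ef00620750589dd813415141a95c2211596911e7e3eefb285f043bf5"))
```

The three reasons are deliberately independent: the value name is specific to this sample, while the root-level-directory target and the Temp-directory writer generalise to other droppers that use the same layout, so a hit on the latter two without the first is still worth a look. Hash matching is exact and only confirms a known dropped file; the RunOnce targets (dobaloc.exe, bodxec.exe) were written to disk but not executed during either detonation, so their hashes are the only indicator the report gives for them.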