Analysis Overview
SHA256
921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d
Threat Level: Shows suspicious behavior
The file 921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 00:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 00:16
Reported
2024-06-04 00:18
Platform
win7-20240221-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\AdobeTN\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTN\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZN9\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
"C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\AdobeTN\abodloc.exe
C:\AdobeTN\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeTN\abodloc.exe
C:\LabZN9\optidevec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 00:16
Reported
2024-06-04 00:18
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\Adobe8Y\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8Y\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZEQ\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe
"C:\Users\Admin\AppData\Local\Temp\921c561419f63cbd57370c02a88185e0325930344f1b42f125a5706014f0a60d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\Adobe8Y\aoptisys.exe
C:\Adobe8Y\aoptisys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Adobe8Y\aoptisys.exe
C:\LabZEQ\optiasys.exe