Analysis Overview
SHA256
ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3
Threat Level: Shows suspicious behavior
The file ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 01:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 01:32
Reported
2024-06-04 01:34
Platform
win7-20240220-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\FilesIQ\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIQ\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxL3\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3.exe | "C:\Users\Admin\AppData\Local\Temp\ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe" |
| C:\FilesIQ\aoptisys.exe | C:\FilesIQ\aoptisys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| Hash | Value |
|---|---|
| MD5 | 3c6342435e52694daf2392c9ecd5f6a7 |
| SHA1 | e2541534431de76bc95f52229ba9fedc325bb2d6 |
| SHA256 | d9ecb951ea07b6dafa57148e635da98b66261d554f03ef65a950a54d13be597a |
| SHA512 | 4d0045e11c8445810ec1b410e87dd5992e388e8d4da003144d91d46e18be4785665a22623f365eb79e46d78c3821525b6048a5906ecde0f1cfc136a3adb459f5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 4743736aef681b13d3770ffe7df2715a |
| SHA1 | 9a0db3d9a3b08ba3d6870c060e1f9aa3c690bdd1 |
| SHA256 | 306168ac6427455b4a2555709e0b8cd53bb88b47a919aa8615cdb182103bdd39 |
| SHA512 | 4db2e1bad7719ab1d075e945e7d7cbe7b30fc96b5ef679c5c4a716a15873b757ab9ad966a11b4dc8f39f9cb3540447b0e8a35480391a7b73976f8ee2925d7b27 |
C:\FilesIQ\aoptisys.exe
| Hash | Value |
|---|---|
| MD5 | 4b8fd7697177c070e7bc50e473f14aa6 |
| SHA1 | 84ec20b3b87a7e74ea161e401cd7e96c250ff0a8 |
| SHA256 | 171118cd3a47a1878170f8d44569667297da5c59a5cf704372f9b3beef7080b3 |
| SHA512 | a4aeba62bb15aade8d3af6c3042b3d6c5d145b5a6eb05358f03258c4c3d1e1e76c52d0619d31362db0da8b6ab3588397df7fb0df5f04086eef11df89656dffd5 |
C:\GalaxL3\boddevsys.exe
| Hash | Value |
|---|---|
| MD5 | e8f2e6b91839d91cbb51c8405a939bf3 |
| SHA1 | ff1b54d84f3ced452c46030d99a8a63edf4d07b6 |
| SHA256 | a320ca179806b0bf4423b3981be6d74f24fa7b883338da3f7e177ded6c80dadf |
| SHA512 | f184a3420b752c7564dea95504888c6ea98007e46a70430ee0b6467f030c99e6ec4403b84768ddf4925c3a6ef028ed718a010171cb498c01c5ab8e3ccda4ba02 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | af7d27ddb639b250cf976af3a0bdb91c |
| SHA1 | 234dd03793232a5838b36e74a79ebdfa20a215a7 |
| SHA256 | ab5ecd63f56e93411b081a9dfba0e761b79ea0f22f8b71e9267ea55ecbe55d39 |
| SHA512 | 5c593329d37e3118741ff204a897b437af21abce2edae4cea479f843ad9a030a8204dddf7af2c86ce616ed4a7bdbaac29d3f9c593ce5a7977d6ed137cbe34454 |
C:\GalaxL3\boddevsys.exe
| Hash | Value |
|---|---|
| MD5 | 714102a6e0bffdd88d0d69f133045e1f |
| SHA1 | b0d81be436673047286f436dc4e1d46fd260074c |
| SHA256 | d098d1f73ef3a978abe626ba7b39e11465c6883430433bea53642f8acd751295 |
| SHA512 | 696366d9780faa7b226f927521d3f7a96e996e5e8e8de0885b566e2670b6d1e9ea7c1fbcd0b96d7fa119efa0c9965b43c5e304a6549173b2a81fcedf423098d7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 01:32
Reported
2024-06-04 01:34
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\AdobeFS\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMR\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeFS\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3.exe | "C:\Users\Admin\AppData\Local\Temp\ae4b4bf5a731540ff9c71fb0f27dcee6c43e802be1366b5af86b7cdcc313c8e3.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe" |
| C:\AdobeFS\adobloc.exe | C:\AdobeFS\adobloc.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| Hash | Value |
|---|---|
| MD5 | 30cb6a8b2b0a8c51d384d6b3acbab240 |
| SHA1 | 1baaca8c975ad9aa7cc613cd06ce7f07c1a4a6b1 |
| SHA256 | 2fd3223d43467d36e53cd8d860123f198e70213190cfddd5ef329eaf6f8e1ccf |
| SHA512 | 2ae9e9765040bdd276d5bcb735fb56903631d8ed3a0470d7d54d8100de04d928314f6b16b1cd4c765eae7287ab1ca5ff743d44a7a8a0d9950a5026ed3e7ca1f3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 0ac5496c0f5065894058f4b60d98a7c0 |
| SHA1 | 5aa9ada5dffc34bff55e68e35e49084c77a6b8b6 |
| SHA256 | 02c59313328eb0640eb4a13c7daa9c4e72d34afb67d2f8d336423c4b1f308c6b |
| SHA512 | e139d1630dbb9ff5c857281f971644ffda12375f29c5ab10a1089fdd40bf3aed67b877ce88d54c0352dbb1ddf4e5fd8cf0fc52a58ecd92d78824cfaec934f85a |
C:\AdobeFS\adobloc.exe
| Hash | Value |
|---|---|
| MD5 | 16b1c5febb60bf7de1c5b0db0fc2b225 |
| SHA1 | 0f1a3add2208bba9ed7783022aa52564f21db525 |
| SHA256 | 411b4b2d3b67be98b83bdb80c0d766300ec5cb05938aa34ddb2c5cbda8404a2a |
| SHA512 | 05d53096924822c3acab830d8d81549d32b7b28e1afd7896bd454626ab55184e80df04fd1743adedf0f0b437487c2511c186025ff38ab999a3a240a3d4f0d83f |
C:\VidMR\boddevloc.exe
| Hash | Value |
|---|---|
| MD5 | 184f716dc1ac1a539cf94166b17d2d86 |
| SHA1 | 9c6f84399a89cfe37ec44b418ac7e7dc310bdc77 |
| SHA256 | 6dea99e22c9371b569e3cd9034120d44982e8edfbd4a86a2e529f0151ebda0c2 |
| SHA512 | 6ae7eb98037fbd48f83cbc03425714773ec480330214c2e5448de5fb6ef27e4d7f87357850d1d4ddf267519ad3651e754c84cdbbbeaa364d06123e2d188fee6c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 8cffa05aaf1057fa9aa2f6a0f65b3915 |
| SHA1 | d13a4b481fddafa6b9931239b7a8064c273aab39 |
| SHA256 | 4bd838e321d2fa8b09a749c0eeb63140b2182dc37b1b4cc046cc17f14edeac5e |
| SHA512 | cc4bc71915cd63ad933255cf9c597d0f57f5d1feb6557f7ce1d3dbbadc30cb20d70436c948b8b02c98bb2efc7fea6c876ecc1289902339674666f7b58228b250 |
C:\VidMR\boddevloc.exe
| Hash | Value |
|---|---|
| MD5 | d0e939ba321d008bfc074597fe5dc6c6 |
| SHA1 | 08b328944f1af2d0cbac050268441be37f44383e |
| SHA256 | dfe59444fb5fac31501d34b08fed3f5eafdd78741a9a55c3777dab3ccd504372 |
| SHA512 | c9b93e8975ab622e148e46397c9225ed29b6b12d025d5f3af703aad07dea93de64d4c4f547fe60399d00596a8c3bf676868b6762d6644efdac7c1a2005d2911c |