Analysis Overview
SHA256
f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225
Threat Level: Likely malicious
The file f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225 was found to be: Likely malicious.
Malicious Activity Summary
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 07:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 07:04
Reported
2024-08-25 07:07
Platform
win7-20240705-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Credentials from Password Stores: Credentials from Web Browsers
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\FilesPC\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGA\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPC\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesPC\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
"C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\FilesPC\adobloc.exe
C:\FilesPC\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | 84c8993e219aa46574a92ae55d29ba3c |
| SHA1 | 2d9d374addf1f4180085f968dd4350c5a2aaae30 |
| SHA256 | b1571fe5ef2c91e5a7da3304f42f870a918c41b4cb05ab85aaa472e3b2994287 |
| SHA512 | b45486aefa5dcf06599c0a61069343662f0a91774d6ecbdc97d359ee949e81206b05073f8917962bc97d507c11497dd8ee3c1210e5875553e45fe9a9e29bd537 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 206bb4487a335ffd3451228f5d549c0d |
| SHA1 | 8d0fe5b2728e8d9fdb5497a44e2774988250bfb4 |
| SHA256 | 0e016b67b16fa2455aa055451befdae2af6cbedc71fd861237613e41898cb648 |
| SHA512 | 67d69009eec2b68e9d7d9a2e7a969160546ac254f389b1efca11e1ccc5c6499318675a4aa1e820ad4ffe8679884bd8e7d5c932a30d32fa1ba6f23f98f5989626 |
C:\FilesPC\adobloc.exe
| MD5 | 245f9c26a13a8076d49632e1e3bf1bc4 |
| SHA1 | 15b2155ce4ec1d54cadd75e4b9a23a8a9db08fa2 |
| SHA256 | 1df30328e618ca2e31d1be8b719e9afe4c0905c9d0629f666e120f6dc8cfe2c6 |
| SHA512 | 45066ae27457f4f48391171bbc90e49418b38724c05feeb7d52da38ec572ef18a92ed87c72d24e3ec43351142adc4fd7411725cb5f9378782c5ab865c83190c1 |
C:\MintGA\optidevsys.exe
| MD5 | 4691641486cc90e4c53c28b792e96ce0 |
| SHA1 | fe3d100e51eeaa68be7e16720b889098e4c45a55 |
| SHA256 | fd65ff15a510a3923968056bbd79420a74c896ff3a038eb4a7ee63cb60cb4a21 |
| SHA512 | 3af4da33b2876162144e41f5817e6370e71a9ead21a5e06b985c1b9631beaf3583c666586e270dcb00f87acc705446f23567f52de89a09ab899376722887a89a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 79e7cdca22aea32dcc09cccbf277e37d |
| SHA1 | 0cb298b674a3b95277bc9c2528819be51dea4554 |
| SHA256 | b34e886db526b360a53ebd2a05b1954dc4d0864c48eebf55a7ae892f257f8718 |
| SHA512 | 8120bf6d099fa693335b4bbc8607bbec97f02ed8ad378452f8c7e0d66e09709da5cf871d06ee982661c5a02811423c92b80f67c15c41ffcaa1873efe81a797a2 |
C:\MintGA\optidevsys.exe
| MD5 | 3e74ae0601275e9783f4d6f5936f5067 |
| SHA1 | 4b79cebe449054fdc98c974e489066870cb13a04 |
| SHA256 | c2b9d899c2f0f2313861a820b7b2e26c2495c1a3a717dbe2b8f936b51f10ed8f |
| SHA512 | 59ed7c93250773e0858de0646fbc3ad61d2a6696e22b6bcd0efb6964815d0d0545bd1dc410d9b1e4ad87405f6a89f2fa2e6a22e9f3264b057ee4cb3910b3d0d2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 07:04
Reported
2024-08-25 07:07
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Credentials from Password Stores: Credentials from Web Browsers
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\SysDrvFL\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFL\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPP\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvFL\abodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe
"C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\SysDrvFL\abodsys.exe
C:\SysDrvFL\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | c9999282d54f79500817c321ae2751ab |
| SHA1 | 59aa01331c46216bed5e75b1e2d23c64a583d26b |
| SHA256 | b9d274974bbceb08fc7bab9eb426cf8ee48a517ae6378ac9a2eff89e0eee8a4c |
| SHA512 | 8562f924731f1a76c956e6ee05a1f9dbc7907aa8a45d7c01784c89331dd6391b62df926dbc7d9ab5821527a62560eea3f04f0ffd2edb2d9b9f8a63d482dd53fd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 03de829a117d0740091a2ddac6acd48c |
| SHA1 | 3a3eab48dafc0588150282ef20d15278aa59a665 |
| SHA256 | 5963e3b19fcc5828a056ad200ebe5d23551975a0db4ec55e15403ad46671ca4f |
| SHA512 | f45dfa706434f64d81256bbcb74bec1b58e0d6769e788e94deb37e13b22e720d6d4089b2510c8b23b6cb2332034fa4a8c5a320cd67edc0036f58f475ba258690 |
C:\SysDrvFL\abodsys.exe
| MD5 | 882b72099260b49de76675836a9a7df8 |
| SHA1 | 5d3c971abf0e9567dbffc7c7ac55a705c500c38c |
| SHA256 | 7363687a6698ead8e3bbe37a48c2572d0bc5c65fa89ed9befd4685998ec371f9 |
| SHA512 | d522b9c10f4c4f19ae1a28fc94ef3d6e9c48f0a5c65c3733f2d3db4ab47bec3025ac9dba2e7c1d3cf60b958f326243bbff8315aeee90ff30aade35bfc38822ac |
C:\LabZPP\dobaloc.exe
| MD5 | 586dc09d5804dc54d44fbabe2f70a2f5 |
| SHA1 | 1b5a9a763950331479ac1c498b03264cda1e5e0e |
| SHA256 | 33712f6263ec98ae8ff353abc33c5a663b2c766cbe5c8a49229dad2fbfb8f079 |
| SHA512 | 54a9d8562e63f9b26ca5680b6e9a17abb896ba1d76fd279957335198bab32efc42361d0585349bd615b1859a022b024d4629234b578a41c99310d0b00c64998a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 93526364e84b625e9a2feb304eebf3f1 |
| SHA1 | a495869c6cba1526a4011f5ddeefb3e19f1a9ffe |
| SHA256 | fadb807a5410c88b92cc7b6994df5a33a4db0841351c1eb7c0be971bb63850d4 |
| SHA512 | 4c6dbe9ab5d51138905ef9f771d77f97069a07d641c0cc69378bae7043d96804d821744b97bdebca7af697090fe974f5feee7097d4072225aef8939ed2185cc5 |
C:\LabZPP\dobaloc.exe
| MD5 | 1107e0ac0ebbd970bbb14fe5eabcd274 |
| SHA1 | 6ed74a3eb3cafe3576a300a3a1f89e929bdd1c0d |
| SHA256 | f8334f4324693f1fbfa1ec9e296a46fff16dc341a763e5b8b66c59075069c209 |
| SHA512 | 6914a82aa49ce211eadf4397e8a619d23e11e462c876433ba9d2ad84fac207e67c7ea6cdf38ebb9828966a6cf4f46311e5797d10ad3efdcfb95b83e1380b113e |
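Both detonations above show the same host-side chain on win7 and win10: an executable dropped into the per-user Startup folder, a Run and a RunOnce value both named "Parametr" pointing at a freshly created directory directly under C:\, a <digits>_<OS version>_Admin.ini marker in the profile root, and execution of the dropped files. The browser-credential signatures carry no indicator rows in this report, and the only network activity recorded is reverse-DNS and bing.net traffic of the kind a Windows 10 host generates on its own, so a detection for this sample has to rest on the host artifacts. The correlator below is an added example written for this page, not code from the sandbox vendor or from the malware; it generalizes the pattern across both runs. The event records use a constructed, simplified Sysmon-like dict layout (type, image, target, details, sha256) rather than any real log format, the benign Run value in the sample stream is invented to show that the rule keys on the value name and not on the key, and the SHA256 values are the ones listed in the report.

```python
"""Correlate the persistence chain recorded in both detonations of the sample
f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.
Event records use a constructed, simplified Sysmon-like dict layout
(type, image, target, details, sha256); they are not a real log format."""
import re
from dataclasses import dataclass

# SHA256 values from the report: the submitted sample plus every dropped EXE.
KNOWN_SHA256 = {
    "f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225": "submitted sample",
    "b1571fe5ef2c91e5a7da3304f42f870a918c41b4cb05ab85aaa472e3b2994287": "sysadob.exe (win7)",
    "1df30328e618ca2e31d1be8b719e9afe4c0905c9d0629f666e120f6dc8cfe2c6": "adobloc.exe (win7)",
    "fd65ff15a510a3923968056bbd79420a74c896ff3a038eb4a7ee63cb60cb4a21": "optidevsys.exe (win7)",
    "c2b9d899c2f0f2313861a820b7b2e26c2495c1a3a717dbe2b8f936b51f10ed8f": "optidevsys.exe (win7)",
    "b9d274974bbceb08fc7bab9eb426cf8ee48a517ae6378ac9a2eff89e0eee8a4c": "ecxbod.exe (win10)",
    "7363687a6698ead8e3bbe37a48c2572d0bc5c65fa89ed9befd4685998ec371f9": "abodsys.exe (win10)",
    "33712f6263ec98ae8ff353abc33c5a663b2c766cbe5c8a49229dad2fbfb8f079": "dobaloc.exe (win10)",
    "f8334f4324693f1fbfa1ec9e296a46fff16dc341a763e5b8b66c59075069c209": "dobaloc.exe (win10)",
}

# Run or RunOnce value literally named "Parametr" under any user hive.
RUN_PARAMETR = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\Parametr$", re.I)
# Executable written straight into the per-user Startup folder.
STARTUP_EXE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Marker file <digits>_<OS version>_<user>.ini in the profile root (seen in both runs).
MARKER_INI = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\\d+_\d+\.\d+_[^\\]+\.ini$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def correlate(events):
    """Walk the events in order and return the findings. A Startup-folder file
    is only reported as executed if its creation was seen earlier in the stream,
    which ties the later process back to the dropper."""
    findings = []
    startup_drops = {}  # lower-cased path -> image that created it
    for ev in events:
        kind, image, target = ev["type"], ev["image"], ev.get("target", "")
        if kind == "RegistryValueSet" and RUN_PARAMETR.search(target):
            findings.append(Finding("run_key_parametr", image,
                                    f"{target} = {ev.get('details', '')}"))
        elif kind == "FileCreate" and STARTUP_EXE.search(target):
            startup_drops[target.lower()] = image
            findings.append(Finding("startup_folder_drop", image, target))
        elif kind == "FileCreate" and MARKER_INI.search(target):
            findings.append(Finding("marker_ini", image, target))
        elif kind == "ProcessCreate":
            if image.lower() in startup_drops:
                findings.append(Finding("startup_drop_executed", image,
                                        f"dropped by {startup_drops[image.lower()]}"))
            sha = ev.get("sha256", "").lower()
            if sha in KNOWN_SHA256:
                findings.append(Finding("known_hash", image, KNOWN_SHA256[sha]))
    return findings


def persistence_chain_present(findings):
    """True when the full chain (Parametr Run value, Startup drop, and execution
    of that drop) is present, not just a single weak indicator."""
    rules = {f.rule for f in findings}
    return {"run_key_parametr", "startup_folder_drop", "startup_drop_executed"} <= rules


# Constructed event stream modelled on the win10 detonation (behavioral2).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225.exe"
STARTUP_DROP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
HIVE = r"\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"
EVENTS = [
    {"type": "ProcessCreate", "image": SAMPLE,
     "sha256": "f127488b7a4950b14be071d258982cb78db522178597188bdec00b8327e6c225"},
    {"type": "FileCreate", "image": SAMPLE, "target": STARTUP_DROP},
    {"type": "FileCreate", "image": SAMPLE, "target": r"C:\Users\Admin\253086396416_10.0_Admin.ini"},
    # The report renders the REG_SZ data with doubled backslashes; the real data has single ones.
    {"type": "RegistryValueSet", "image": SAMPLE, "target": HIVE + r"\Run\Parametr",
     "details": r"C:\SysDrvFL\abodsys.exe"},
    {"type": "RegistryValueSet", "image": SAMPLE, "target": HIVE + r"\RunOnce\Parametr",
     "details": r"C:\LabZPP\dobaloc.exe"},
    # Invented benign Run value: same key, different value name, must not fire.
    {"type": "RegistryValueSet", "image": r"C:\Program Files\Example\updater.exe",
     "target": HIVE + r"\Run\ExampleUpdater", "details": r"C:\Program Files\Example\updater.exe"},
    {"type": "ProcessCreate", "image": STARTUP_DROP,
     "sha256": "b9d274974bbceb08fc7bab9eb426cf8ee48a517ae6378ac9a2eff89e0eee8a4c"},
    {"type": "ProcessCreate", "image": r"C:\SysDrvFL\abodsys.exe",
     "sha256": "7363687a6698ead8e3bbe37a48c2572d0bc5c65fa89ed9befd4685998ec371f9"},
]

if __name__ == "__main__":
    results = correlate(EVENTS)
    for f in results:
        print(f"{f.rule:24} {f.image}  {f.detail}")
    print("persistence chain present:", persistence_chain_present(results))
```

Running the file prints the findings for the constructed stream. Feeding it real Sysmon telemetry needs a small adapter that maps Event ID 1 (process create), 11 (file create) and 13 (registry value set) fields onto the dict keys used here; the hash match is the narrowest signal and only catches these exact builds, while the "Parametr" value name and the Startup-folder drop followed by its execution are what carry across both detonations.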