Analysis Overview
SHA256
f250bacae99b16b1bfc41820d10b9e7d7f8cc33b8c7a60025d9b9717a932cd5e
Threat Level: Shows suspicious behavior
The file f6e5d2403182c1424d4976c7a6d38060N.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:17
Reported
2024-08-25 09:19
Platform
win7-20240704-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\IntelprocOB\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocOB\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFJ\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocOB\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1820 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | C:\IntelprocOB\abodsys.exe |
| PID 1820 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | C:\IntelprocOB\abodsys.exe |
| PID 1820 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | C:\IntelprocOB\abodsys.exe |
| PID 1820 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | C:\IntelprocOB\abodsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe
"C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe"
C:\IntelprocOB\abodsys.exe
C:\IntelprocOB\abodsys.exe
Network
Files
\IntelprocOB\abodsys.exe
| MD5 | af1f83ef8eb0a6134bdd567ca17fe03c |
| SHA1 | 7f2d5bdc64b22fcf2f75505fb6946ff893afa584 |
| SHA256 | 20b0ae17408ec05f4eb8586a2db1b639bcc2cd0036c5fb92702dc089d5c77ed7 |
| SHA512 | 839ef24a623f2b190f52704fbce37f58e5374c027ae90ac1426fb14dbfc84aa233d2fe6859005b9b00edf45c5c7d387fcab6603c94cc547db65a1028034853a7 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d7d3931ec274bf0131e97e00991ad272 |
| SHA1 | 1c868f3ebe2c0cd5a9a32808804bf800818e7d96 |
| SHA256 | b19d70ced3efa478352698ece51c6d06f73b6004ec6b5a1b32596bdf27df5aec |
| SHA512 | 90916236a91edc0a45f3d733eb8ee2aede93024f6656676af09f82409d6b4b38d002a4ca8a84fd2474945f8067a10437077037069145e4b7a760c8745d26ed97 |
C:\KaVBFJ\dobdevloc.exe
| MD5 | 676d55289ebe3b95f7296c256f4e82c2 |
| SHA1 | e60fbfe20f6dd5e273a0227788c9737ab9d0dc40 |
| SHA256 | 4867ed928df39dede7eab002d04b85c682bda0ce96a32a6a33727628533d99db |
| SHA512 | f22d87cd5f6b42194b6e873536fa1708a76308c650bbac952cbbe2e1ff6d7ec7e3dd9d2fc548fcde369b32f35c3cf65558db74c57f1b0e0b1ffa1edffbb007db |
C:\KaVBFJ\dobdevloc.exe
| MD5 | ba8bb979d64b3b618a570f6e68fb395d |
| SHA1 | 9cacec60799ed982afa71261ddce9b3393f72215 |
| SHA256 | 894b5788d2e81985a24faec554f9811c4a315d31a9b4fd480949b31dec2ac187 |
| SHA512 | 15856a1e112fa8e801337de7cf5474bc79f1b5c84140848975a4b4c5104998a5c6084248d80305d9296fd0ce8e612cc3ef9a75ce34a61ac0931441ade0f32434 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:17
Reported
2024-08-25 09:19
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
103s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Intelproc6F\abodsys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6F\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxO6\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc6F\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 872 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | C:\Intelproc6F\abodsys.exe |
| PID 872 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | C:\Intelproc6F\abodsys.exe |
| PID 872 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe | C:\Intelproc6F\abodsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe
"C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe"
C:\Intelproc6F\abodsys.exe
C:\Intelproc6F\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Intelproc6F\abodsys.exe
| MD5 | d940b5f38b207bc9fe2d458e77a81a60 |
| SHA1 | 4015d9a17e1244797e0595b0963df5423573c668 |
| SHA256 | b23a3ca9e9a3ebadda5183f7f76b57a945ec5faba2ce2aa1bb9ba900bd07df25 |
| SHA512 | be4b6af376f17cbcf0b7b21a395a45111c3d88907a56716168f21ea6b1fdc4a7e1dff58874dbdedd48cbb42bc066b250282100e48fe76d9886748a644abba934 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | df1034d2f649dc1b0443e81093c94ba6 |
| SHA1 | 0a9dc5b230f9e6e480a5b852fa826f5584faca24 |
| SHA256 | ed5f8e8528d1d1843db72227eaa22cf00e6787d94ec52bcdb9b18b410d6d9a4e |
| SHA512 | 19be8e36b5316a2a358e5ef206774b234f5abf4880aaf7bf911052e9f62868f8bec61a50e525dfec3d506db3e846e425953ee0424ae92962600fa723e795cc86 |
C:\GalaxO6\optialoc.exe
| MD5 | ec23b1ca16735b9b088034fc8375c3c4 |
| SHA1 | f095886f5229fa0bad58e7c61099b9950b012a22 |
| SHA256 | 69f5cac87295358a8d20af0f65d8e900f010af5e9ef388d12c6cc39989d9716c |
| SHA512 | eff5a57e314115ce526e07bee5af32e17faa9ca8bf57c69900ae9c596772282124cadaeab2033555013813a722d97cb101096ae367daf62fa62a4fd2d45b5e9a |