Analysis Overview
SHA256
a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170
Threat Level: Shows suspicious behavior
The file a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-21 14:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-21 14:18
Reported
2024-10-21 14:20
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
113s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\IntelprocMZ\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBU6\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMZ\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocMZ\adobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
"C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\IntelprocMZ\adobloc.exe
C:\IntelprocMZ\adobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | 0a6e07db315c24acce35f0a75d9ddda4 |
| SHA1 | 93e347386406bb80a2c28e97a955f56d9543998e |
| SHA256 | 0bfdc65374ae2d49639779ce2a1baf6fb9a45b5c223377935c4457021499e21c |
| SHA512 | 550d63246a31daea4f56ef05d3ecbc41512ab127f1b23fdc9c7b143b2e497f47f9cbd299f1923cd8565e1ccbaa59228f73846143daa426efb300f259e0db4111 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | eaae9842f6630a4318172d4c3617f9b1 |
| SHA1 | ae7f40df7d36e922f11f78dfa7228b32f1d2c2ec |
| SHA256 | b4f6a3cd039f93f1caa10942d20928d0b35b3a08e76fa4b233590458c82867c4 |
| SHA512 | f111cc3551cc71751f6c5a053be942731f65ab18f78a4f054fd9be761aa0916b77e0eaa715a266f61583e7ec2fdd2660065ef5e818d5063eadf901c971e0178d |
C:\IntelprocMZ\adobloc.exe
| MD5 | cf44ee1af43640718ed150e7f550dcda |
| SHA1 | 09b3ebc9c3af14cb9dd9817be039272c96d58147 |
| SHA256 | 84aad92648f090d03e417dcbbceb68f35c460def6a6d600d297b57b9a88d51f8 |
| SHA512 | 7e5d1a79a324f6e678930cce2a81e74d75bc373a5fe7f3053a3729884be74723217be5b2a239ea11883215fa080b8ec582673f822fa21f962b4b7bebdc4178df |
C:\IntelprocMZ\adobloc.exe
| MD5 | 64d0ad248163ccb0994bdeadd0482bc3 |
| SHA1 | a21e35819cc06d62a9a01a0f921a3d413968206e |
| SHA256 | d3ba4d0bf1b1f4f5d5b13949d63f534000b1f49c5c591ecb36d0191667177c9d |
| SHA512 | 731664ed03b81edb24640249a25e43c3d1e2e7af68a3fcf6f5b5259c2d4f9c55220b735c71a51d813f2305b06a23345149acdc5d7d7cdfba5cf9a34d31bd54ff |
C:\KaVBU6\dobxsys.exe
| MD5 | 0f2c60d681ff6af2886a801e6abed029 |
| SHA1 | 54ae15d55b80bdc2c6046caef21c109e679f4656 |
| SHA256 | 7e6683b502b796d839615ced588115a6282dbc5ff7775edae49a56423af5b6f3 |
| SHA512 | f35b83d48379b7d75b0b8b4411d5bb288a2caf827cf2d898ba55f2e51288c14fd2ca2dfdcd06d5d459f53efd684801fdd14c59879b62f806ad96346d470db61a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e5dafea2155ae91d8de8aff6608cc96b |
| SHA1 | 8cab31bb83b4655d3e7ca36ec2c53ca4c2555d8c |
| SHA256 | 816d941aa1da3f1836fe7042b2519dad2250dda1f506f5980d5b8fb5ed3a1c65 |
| SHA512 | 5ecf2e80ee97f8fe58e3cf4cb76c274116da53275e0624c741c7c9e8b405002847fbbf1ff0e05cdab42072c9d4092900cd67db5195bfc7c67ae984f3ef87f661 |
C:\KaVBU6\dobxsys.exe
| MD5 | f0c1bb84a17da5414f29688a73e29939 |
| SHA1 | 6bf36d583f661e65639b604ae41fb04d5cde42d7 |
| SHA256 | 5fd2e333bad448c5d4c79a3d9914a8419aa85adf3e88bd59279e4e4854ab7f14 |
| SHA512 | 1e0f781c177585da78013dc54259d995762e7a63afed2e25171be5745692fdab4f4cd6fed53f1f9cacb260b269e29323ef5a6f4b5f7be322fd83f4080d5ffc23 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-21 14:18
Reported
2024-10-21 14:20
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\AdobeMM\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeMM\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTA\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeMM\xoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe
"C:\Users\Admin\AppData\Local\Temp\a9f9e41cb9f8920ca1ecdbc3a16bc3f93dcefafc2fb3e8919853b6829f95b170N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\AdobeMM\xoptisys.exe
C:\AdobeMM\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | 2ccd635014b83816afc3642238523938 |
| SHA1 | 2ef312bc391206cebe620862f865406f66674437 |
| SHA256 | a73f11f47c121c9aca089ce8c6314920b9fe0b83f2de15bd5b5fe8ecda312f29 |
| SHA512 | 163aa5de10a3ce046a2c358cc8a0526f6c27026a9ab5703809b3a7b929d92df7299fc519074e6e3a50b6ba2b44aacf62add9cd3320603d68b8324716a8721189 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bea8c51006da4c19a3434213109453df |
| SHA1 | 86357fd3d1174378763fd4dc6722293ed900183c |
| SHA256 | 72c766ccf6c9bb563f8010c8172a4d01d07270f8d0d136ea8d9a3f7312b5923d |
| SHA512 | b50bbfc832413d46e8ef9fa1f329fb85a24cd31e9659d84abdfba40b242b42d4366312a5c50e8def01efc90a2940c00882c717ef149899479756dfd5cb64ea76 |
C:\AdobeMM\xoptisys.exe
| MD5 | bca4ec2f7ef049849fad13d2cd302039 |
| SHA1 | 016f54cea1fc44df7b96766bde30611952efc346 |
| SHA256 | 6c7a4e54f64ff0511baba1e85178393224728b90191ff748545e427fbf34760b |
| SHA512 | 631bfbc8d0ba6dbf25dbf2a76870dfc981b58c23c27322a039286f80f07842381c2f80ef8c58f90471c8e95806e46c02b29064521f2ffe9a00f09a06b47eb052 |
C:\GalaxTA\dobdevloc.exe
| MD5 | 6810c6c7dc1950a82822bee772c22321 |
| SHA1 | 685f0abedbecd5cd3e322b5784b7cda2d9afd5e0 |
| SHA256 | f9b961b398d3f0a37ccdb2baa586ccd425893441837d0679b8bee0f936136c34 |
| SHA512 | 6be4d2c4b253510923539915ed8fb53b232911fc36060afda19c98e2df83c1d74c21a0b53c5f20c17efe339c66b89a0be1a837cd6468964c8ea22491da4c7122 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 03350d1432556c7e993ecefd8b24a9d5 |
| SHA1 | 23df6d366792c4c3ef10769c544abd53f1eaf9d5 |
| SHA256 | a54cb55440e4481b6e65261c1904e5c6eb9c24e4a4f6af06044972c619165c0c |
| SHA512 | 2e7275468d1f6cf98ad55854fb2f48d5ead27cde0350cd0e0584580c59824ad0f052a5a0ab7399032aa9b90ae771ed8f814a222f1e409b54052df0dc0e0561c3 |
C:\GalaxTA\dobdevloc.exe
| MD5 | ccd73f864170972b977f6f3540c4948e |
| SHA1 | f8fdd665ac873cbc47d09a271a01300ddf2c5dc7 |
| SHA256 | 44811fe55204f79af6d8d2846122f34cb38f9be4d43d8481612c93792a15f0cc |
| SHA512 | 8c60fe0bd91d77151b218e88271bc369d15f91868127680d85ab3204f56f9a93c5078f172779e8f38bedb6d7922e9253033936fb96cf3a694761835e611b371c |