Analysis Overview
SHA256
ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4ab
Threat Level: Shows suspicious behavior
The file ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 22:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 22:57
Reported
2024-10-25 22:59
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\AdobeCK\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCK\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRX\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeCK\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe
"C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\AdobeCK\devdobloc.exe
C:\AdobeCK\devdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | 4cb2228d5b9ac6c912920e875ff4844e |
| SHA1 | 261e470ed83b7da2f037b412ac419bb28b6936bc |
| SHA256 | 183715256214302e14985c5e36f4d5a11c2552797252689ea6ec3bcbec105709 |
| SHA512 | afd98d8acd2708096be6a3f052069a90c0e544995a468e51936529b9a85bb56b98e804182cf4b59c1bced7b85038ea4a74849c4a64e517dfed84924f51900a15 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3686e8827de676b8739b1694f0ec19a0 |
| SHA1 | 94a53fc34d396f9f4305bce02f4045a6601dd156 |
| SHA256 | 275e7f70e4c1418e805abfc167f3064e3600f386c34eb61a8bb0331780b7e24c |
| SHA512 | 847f5c17f678562337a56d603eb578b304555a33038284859ac8081350485bb94a6bd06307e327a5a17641d33d472342a8fdc2489f2a588ff4ab45f0e4f28056 |
C:\AdobeCK\devdobloc.exe
| MD5 | aebb075379002759711382bf85f30378 |
| SHA1 | 4202dd09d890c635165cb858ace3b80b71a64ed3 |
| SHA256 | 93d11f0d1d46f48f964c486f547b44af61f975f830bef00c470bb988b84e211b |
| SHA512 | 180147c159785cd89a05f95200ecf25330f180e0017556c349670f2fe279ef9541a84997161e3c320fd5f88578b561efe133a899d404d479ee5bbd6472519a8c |
C:\MintRX\optidevec.exe
| MD5 | a8d28057204e1523ba8953bc00255709 |
| SHA1 | b09538f104a01848062564e438afa9d2024d1670 |
| SHA256 | 9c73ba5dc44c4bb7e8cfe8b77a39bb26fd2f91012ab56178f72f619a8ac321fd |
| SHA512 | 4d014500baa3863a43958ac0434e0385753d3a4451e2e64374f1b6d345ea0c3fdd084f3ac939ab9ec647f39f444520b1613fa0ec0f0d41ea7d15932a299a51e2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 83c54870922665e4e33962bdebc13325 |
| SHA1 | edb8da2ec2bf2dd664749f3f320b2ea8f059eb0e |
| SHA256 | aa4777e2f2ec0d800cb082dd4ce1f2f91486bba4bbc7f6bdc831cb98511b051a |
| SHA512 | 161ab0c42aa6eca9f9164b247853dfeb9075968e9545aa508dfea800fa04e15e570b4c84d70df3719cdb4d2f1e788cf93b6c733814201cb59167850e961d7d1f |
C:\MintRX\optidevec.exe
| MD5 | 6d786f209a5e0ca8b434b22f06ff61f0 |
| SHA1 | 6164717981e08107069bb4be6c74ca0cddd212b9 |
| SHA256 | 5a32d041ed3791b3420b0eac9cc12f2076b8b5397d7faa7c11d5f1c4590b0295 |
| SHA512 | 67178ad7c1fa36a1a96954c68495cf9a80a55ca697db5e43ba1e184b35b6db7bb7879d6f8f9e70551ec330c9b8454dfb3b3543ea38274092a12095e92386f579 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 22:57
Reported
2024-10-25 23:00
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrvNY\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNY\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6B\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvNY\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe
"C:\Users\Admin\AppData\Local\Temp\ebafc31993d2b41d19d88765f3103765cca4a693f1b312f909910ee13aabf4abN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\SysDrvNY\aoptisys.exe
C:\SysDrvNY\aoptisys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 88414fe1d38738b79a3b103e5d15602d |
| SHA1 | 305246c6cbaa0038e08f954ae172da1bdb0f6a62 |
| SHA256 | f4c1bbe9f9203fb2346ac7d3325cf529caa0120180b56e244e3ffda51d188fa6 |
| SHA512 | ae8e345483c30bb7fb21cb486a1a4429cfa2712ac8c2b4657e0d8b97a7cf5df8a0feabb9bdb7f893597199e9402bc801adc619daf57942cf01dbfc8c3e76d609 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b3fae06a3c5806b829a3ab0c6b80ee19 |
| SHA1 | deba0ac1d3ba71ec830c59f357a413aca68b9614 |
| SHA256 | fab7962a4021e208443f7e9e44a2b5a599f06c242fdba529b76c45a652e631d1 |
| SHA512 | b526f22df12cb48f57127c428d885a4f1254004ca37ab7c9d11f71a9fca0e886538c9e888c16cd81083b6905a3405a1bab7ce2d27ba966b4c5d5750bb604f7fe |
C:\SysDrvNY\aoptisys.exe
| MD5 | 06804175c8bdaa92d8ab8a03c949fafe |
| SHA1 | 617a9970b7b1e265a2289e352a58eda44cec6ed9 |
| SHA256 | 927b1ad6c1f9f4fe93191f712f13775a8f10c62f30ea8e1b1996565c61f7caf3 |
| SHA512 | ed05de1cf5ba572e6727be6ce65a8131d829eaa6995304131b31a4e0f6c37cb7827d79a13d9fbcf2cabb11943ff9f5f3c3df8b673dadef7cd48efd466f777505 |
C:\Vid6B\optidevsys.exe
| MD5 | 3fed280bff2f29f2ade2c844a9a3e4fc |
| SHA1 | 9bfc999cd84fb0177c6b2b1597898235caac3e88 |
| SHA256 | 81b058ceaed9fa93d371fa940c2b120e83cb9e5a1f606e187965ef9abbfc0f09 |
| SHA512 | 04cc68a37a8379a367498253cda71b872bffe3d3e045c586a8fd9d212a47dea1ea8f88a8170cb4ff364ac3149ae235916f4b0211240859f36b09df3456f71a4d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c17db1fb9cad79e7b39484bf19d688fe |
| SHA1 | 557471f22271c05fadac41c8be5c4b1456e1edd4 |
| SHA256 | ca92270ac6ffb6a95b370664be281f0c3f44e8cbe3c40f3290b524632ad237d8 |
| SHA512 | ba23f6e383d6295445da6ba410e6e7ce9511093d8081c314a927a7d7d0d9c7d5c3bdebeee76529104ccd32833747f4178a0feddfae758e8dcc5b26f845ad87be |
C:\Vid6B\optidevsys.exe
| MD5 | e9fc947013ea2406ea5f049a41d2540b |
| SHA1 | 43b6054f3f7561e13dbb5c725e9f55eae8a846bd |
| SHA256 | f2ee4f8a0cb4bdc9ddfb0ab80d86267e76edea15af3e5b643692898efc1c3022 |
| SHA512 | 192ef39fef3a185ffb0a6b15f4a07acb35c7012f99bb1084cd6b1f97cc5dbbdbd8970740df92ff7260ffafe9848005a14727495bf9b60651eadbae37a3d12622 |