Analysis Overview
SHA256
73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36
Threat Level: Shows suspicious behavior
The file 73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 00:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 00:33
Reported
2024-10-26 00:35
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocUN\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUN\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB5W\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocUN\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe
"C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\IntelprocUN\devbodloc.exe
C:\IntelprocUN\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 2c6cf476fe2a2253446f12208aa77c36 |
| SHA1 | 65a645c46310de97d2c5f1bd9e402c69814b5c2d |
| SHA256 | 3fcf1bd38e6292ddbe8b5eed8b1860bd5cada79ad2755f765bc74f313c22c432 |
| SHA512 | df7ba7341863953825fb054af16c1e9e2202150c30b96d7b3c9abfed14499e13c6a1eb6cfe2f43e1f63c6de6e6060c4435ef504a361ebd0b9c46fd8309f5a3c5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e29343010ddf29e0b0eea2b4e4f5a1eb |
| SHA1 | 78ac805128c245b702650fc98d1d254e66d96e9f |
| SHA256 | cb30b8953ed15e39006a34bd651a722ec160a588155f50b50680a8b71952031f |
| SHA512 | 56d0e1bfdb37cae24a7c994f03792b32ba7f5d545c4cd26647fdcc591f37a8ab0b47a40bc3877ca79e3d1705d884205fa9d05fc8b3d7ff1326bad67573313455 |
C:\IntelprocUN\devbodloc.exe
| MD5 | 84c3a9ef71c6c32cc10faa7a3122fe8d |
| SHA1 | 44094cadec949c065d4321a4cb7bb4c11cd999f9 |
| SHA256 | de832fdf2de3a5ef6ef5856b88230214e4a82f75e7bd75a06e26b26295f3f07b |
| SHA512 | f1a129f7aed7cc664d5863e93709d5db2f4f45caf6e6372303a8d02f820d81b54c422a04eb54ae98bd4ba94cd7035a4f0faa9a15bf71b5210f2274fb4f64ac3a |
C:\KaVB5W\optiasys.exe
| MD5 | b2854e0eb5f6aa217aac7c1bc6afcf96 |
| SHA1 | 4f63513c03cd85091a738984b42ccf289b1aa417 |
| SHA256 | 27314664f3f61280601ddbac2014cc237f5c7d8c89b1dabd03152a70f2c31dfa |
| SHA512 | 1dc471a75fef296c75ca90a01905896ae32e5111044e1a13213e761c8e3b5c992ab664e517a4811125a2cf64d9d903afa4ad904bf18e3935931246fd5bcf135c |
\IntelprocUN\devbodloc.exe
| MD5 | de5e06841abf847343efeb25047cfec5 |
| SHA1 | a24efee1ca203525a135923363e8e6cae0ef4991 |
| SHA256 | d2333ec42ce6341173d10e09fb4b1601427cb76672c2d656f92fed457c25d9f6 |
| SHA512 | ccb54b5131b10a1372d43c416940ee91d2ee135dc7782d3ee7f8291e4f2f831b94adcbfc9b16c8cddcb5c50ca545c9334b7a884e598dad1ba58ae41955d4f4c5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 40c5f23c105455ac8f4dcbb95656839e |
| SHA1 | f3cb7c01fa6958f438ff93df032202f977117db9 |
| SHA256 | 771e31a68bc287cfd89a4385911c694c1adb03536e97c6fa8cb7b8879c3643fe |
| SHA512 | cbbeb41c4531f31fa3bd273f1012793e91b9afda576eba9c45fc8b6614f2d91bdd67b3659e0bb987c20668dfa808ced391077808007f55024b7ccf16aa771022 |
C:\KaVB5W\optiasys.exe
| MD5 | 0954949997fb5f9ea4c397511c7ee7ac |
| SHA1 | 23d9b75ac62fd94a0148294a16e4d540a3c943fe |
| SHA256 | c53e1900da5ad2bfb6f4db93c135090d7f8fcc36896977d223c08d423d6c2a39 |
| SHA512 | 32ccdf8329e25dc56bf19d150f83d34dc126672e09bdeda1dadaaf338eac24b83a64f2e4beedf634cc6940105ae90196306304ffcb9bef36a18b5112344e9d8e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 00:33
Reported
2024-10-26 00:35
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\Intelproc8A\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8A\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAY\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc8A\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe
"C:\Users\Admin\AppData\Local\Temp\73058aa981a955e040940677c38bd3145e3162a4ca9182efb15f3822bdae4b36N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\Intelproc8A\abodec.exe
C:\Intelproc8A\abodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | 260a6e1471d47f9fb83f0e470b4e6a72 |
| SHA1 | 9694f76c1657d75e4310d89655aac234f5a33d69 |
| SHA256 | 63eb40cd19c11c9a86cb6c47859643e0d42487783d6b2d6206a2cd706ee228f3 |
| SHA512 | 137bf89533efcded0ba32861755b4a3b4974670b1abf51ab403882ef891b21797f7ba751ab9888e4a64a60200846e00f0d9d67df828cca89367f86b3f518243b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 3021fc6cf8fc95e3b759b1a4bdfd5415 |
| SHA1 | 37f10a70fc1e2362dd386ed2b9c76dc3bda6c124 |
| SHA256 | fb77e6c2759f9f6062866b8276dff445a9faba631608eff75c755214dc17f755 |
| SHA512 | 4cb89ccc6444bfc320628f83184cfa1528a5391a783eee3301a83086a95881896ff5fbfabb1971c5cc42f8d0343e1b748a883d5277ae40d64ed2db864ed09a5f |
C:\Intelproc8A\abodec.exe
| MD5 | c44a0f026b2c21ef48ef18ffc170a181 |
| SHA1 | a4814177c790e966fbf61e9155db42670fa8e864 |
| SHA256 | bff6e293b5e76d57dbb61159069addb304eb43a8677a597aea7030aed5781a83 |
| SHA512 | 30a3d933c10cbf1e4f3df21ea44e00ea6f2532634510b9bad4f3d57157551e1846415d75dfcfeea36d94f3c0b4599a03a55839e190e79c62a966db9d8334c78b |
C:\VidAY\dobaec.exe
| MD5 | 4152a2d7ccc135e09c402f0b08e6361b |
| SHA1 | 8f12fdeb55a6ecdef00218171e8a0bf312041d4e |
| SHA256 | bff6b24eaaf7d2fc48b05335a1010f72e62c9afc616fdc48bf0ec2909266a5ec |
| SHA512 | 58ebff68ff10526d6b10bd87a7fd41999858eec2caffd2784e996309f68a291a297f308fdb3df877b7ef494665cb0a91b6761f5959eef1c3fda66c23c32413d6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | de169059d63173a479a4efe76853d905 |
| SHA1 | fe86741bbf3d34bd8cdd3e9d1441d68082ce970f |
| SHA256 | ff9c67b4ceafba3f29b1d819e049cfc3ce5d93c6c4977233e6f294b378a9b481 |
| SHA512 | f5170c0e859710edafd1e81ec0e373e98a1b0431d24cf6250967ef53e3f10dd58edcc04df6947db300c1577ce147bf35abb3b6fcce8f57d5dc5c9b11728b6456 |
C:\VidAY\dobaec.exe
| MD5 | 8ca4a42539c09ab3ca5fb7449911d1e9 |
| SHA1 | 79b918f5b3602ab8f28de3d66ccf368dd4176d30 |
| SHA256 | ec465267ff7dfc847712944f4f2df21d92d386a77650ee2e2136ef4ad6db5e26 |
| SHA512 | ab15558be7c2032393ec70db18c57dbb58ca9aeb6e3c19bc9437b21216940cf9807753fde3ffeb0107376e4aa766fedad239d92de158ceb50fd4a79635dfb492 |