Analysis Overview
SHA256
9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9
Threat Level: Shows suspicious behavior
The file 9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 05:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 05:22
Reported
2024-10-26 05:24
Platform
win7-20241010-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\AdobeXK\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeXK\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKZ\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeXK\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe
"C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\AdobeXK\xbodsys.exe
C:\AdobeXK\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | 6b42923eeff52e056914e2acce6b7f82 |
| SHA1 | 19d2594a12e7b90d1fe82684af6dbdeb8be4a354 |
| SHA256 | b9bc0191ff7a5c35619edbb3fb7da61a60034245e051fb7d2770fc2304fa11e2 |
| SHA512 | def4e5cf9f3cadd6fc201b67b82fbe307ba47ba7a82f54fbba3cdd355d37c734cedbf2fecb7c37fe3db933822e9b20127450e197428e0fa5d62f45d563b4d023 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6ac4a8d78745cc6ea7b5ae94d9cc719b |
| SHA1 | 3a2713a1a417e190b556a8489c97b15eaa75d80a |
| SHA256 | c639ced3fabfbec9fa3a63c27bf3293daeb523ee0202adb31ea7251204da6809 |
| SHA512 | ddbddaa6f9f3d42008af1d8c0a540abf96f8db8d97287f7e53bc928945b571ed95fd298c8a59a7bb129e8145394726267ca32e0417c8e489229d8476799150de |
C:\AdobeXK\xbodsys.exe
| MD5 | 45a9182d4f27fde81d46494a09db2327 |
| SHA1 | 8d32133556bf8b58a53ec374b78b82d9ac667442 |
| SHA256 | 121d9fef61585a23a3ce9a01a2f3dd75303c9e69c3bc541f07be7e37a9a50765 |
| SHA512 | bb695cf4d95d5e4878b75091ed037f3ace6f1d8b04cc0d2f96cbed23ef8367b4e7ea606f0a00675c3af424deb08f4f258da100cab6e415ef71e078adfab6a16d |
C:\MintKZ\optialoc.exe
| MD5 | 6268db22eaa5a1b5440b696d6324d70c |
| SHA1 | abb9d34f537260761b9274fcdaac286f1c18f163 |
| SHA256 | 933d31e6ea4c43b17748c8d79403fd642f13a5a3aa0badda2a4a977fe8cf43f5 |
| SHA512 | ece04d0434ff9e8167c899c688c17f2a349b462f3d7278e3b10dcda1e3070b84d82267e1c58213deb27ef1e8cc87ced8b968cd42b3bf80f269d174e51b681fff |
C:\MintKZ\optialoc.exe
| MD5 | ae346a78043a3555ddb6bcb9b0760468 |
| SHA1 | a6176d07f05933e232a06e51874488c690eb31a0 |
| SHA256 | 9d4dba1de2243d2a0315eedb899556dd7972fb2017e68060896f6976a10105bf |
| SHA512 | 7ca342a0cf8e1bf53122c1951991d05316b489f1fdf0e12f3d859364304c84741b1a36718ebe7a3b3233a4e180b1ad1a07baa73dcc3d62e83e7c331b4d66f3d9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0aef782e71874a302d8e94771b316458 |
| SHA1 | 6512ec0c998ba8ddc06fa2b4d8ce6553ab0dbaad |
| SHA256 | 510c5f27a66fc2f91aa27cc770971287ba34b192ce11ed25a8129d4e0631dcf3 |
| SHA512 | b706b08ab57c8f83f0375c0be82d907df84468d442350e2d285cda6523267a9b749824cceb6a1ee5080f192e717db2293bd9a066a36b2deea7a1c47d5589adb5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 05:22
Reported
2024-10-26 05:24
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\IntelprocVM\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEE\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVM\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocVM\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe
"C:\Users\Admin\AppData\Local\Temp\9ebf6c53243232231fad8357f86c82330208d95de9d4eee2416509279888a1d9N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\IntelprocVM\devbodloc.exe
C:\IntelprocVM\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | aa33e20dbccc93d189ec85ffe57eac5d |
| SHA1 | d73c1209fc6fb349601cc5dd9f334ca757db874e |
| SHA256 | 17ece74e7c05a4d384e217bc683cad874d883d3f05f92930d4c742bdbcd2bf4d |
| SHA512 | f11a5dc6aab69d80c1709fe74bfa425acd5c59cd3d4c48d3eb92e733769739c141f246d7862f480a8221ca8f3ca7b74d0068a9e6f9ec690e16a122e07314f8e5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a595a83ebde3dc9565c215100d986691 |
| SHA1 | 34e3d85b78f52a415ec0a47c24b4c9e7e30012cb |
| SHA256 | 02b34af7460b374e5630b6ca5c5a64586cdba4e95049abf5045e700236684cee |
| SHA512 | f1dd4a8f50a9806670604a660bd0994ff4b336113b6f1c3a1ef7cdb67316c405832c2df6b52c78ad2553ec82f62c88657125778da8f3dd2b61d01064499e1a69 |
C:\IntelprocVM\devbodloc.exe
| MD5 | d9798ab25691785d02a82b74e730c4d5 |
| SHA1 | 548950fe11aea4328abe891a796af5dff837b706 |
| SHA256 | cf5338fc98423ca896f37f1b1d6e772a83d70dec55ade7302770bb59bb67aaa1 |
| SHA512 | b3098ddc971ba4d7df2fc1578b6775350c897a4c7f375807dc9d9e876e4948a8c991e7035e48d655c2181adebaf4975a65fecf125ce766c102d29fcd48ca09d6 |
C:\IntelprocVM\devbodloc.exe
| MD5 | 7a8fae792f6df3e475a5078a57650d94 |
| SHA1 | 8116b06303481a8162cf66d1204a922e3e1e7dcf |
| SHA256 | 3ffcc73b4ac536cfd4ba056d45b65feef6deb44d3cbe8c55f12d42a003ba3b39 |
| SHA512 | e9b3a0539459cce76320b6e868e21a82faf8436ae7d8c092a88fab6b7ac48bb2061ee64dd6aecc7a79294b118cf4188f51383b5c2c6d18c3e9a5bef3ff80b7df |
C:\KaVBEE\optidevsys.exe
| MD5 | 5a64baa364526ff78547e2f5e0b3a933 |
| SHA1 | 66b777f97d1a63128fa3f81f012d7c9c5b9d9748 |
| SHA256 | b2736d64270f5a27f918b6877e268facf974fc8c8e7b5176a953bc656cf848a7 |
| SHA512 | b84cc96b194fcc824b4492cd85fb188643aa726ca2f536e2ff34b1b807742288c76b656e5c32fd8844449b005da7740f285f2bf18dc79eaa5abdecd0f0a1ab5f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 22ef96908025583faed980994726fa5a |
| SHA1 | 7ca3b50f18160db7f12f9bf8785783d0b223423c |
| SHA256 | 760086432c0870a8b34ddf96482c90911e7ef4ece9f15548a900c698a2652a42 |
| SHA512 | adf84926e943fd0f9b3fbea51a566711c40383918e99413b6d77d35aa538ebe5543df15d2fc44622ad708cebc7c13958d73e605082020cb88747981f492a3d08 |
C:\KaVBEE\optidevsys.exe
| MD5 | 1e451452147276f578536847cbaab1a6 |
| SHA1 | f164fd958f67bd88a9658496e80927d237dea13e |
| SHA256 | e317b711a7e58def8cf24f9244826e8cc3c2308ebce384c49ac5c59087382a4b |
| SHA512 | bc5f1bf4d5ac5bfaf662a348f4237fca2fdef30d8542ff1b4c09e1b25719a00f0a523a62eb2344df610bdcb13da9c9b4b5fd9ca783b8809eda5dd04ae3e4cb1a |