Analysis Overview
SHA256
7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1d
Threat Level: Shows suspicious behavior
The file 7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN received the verdict: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 05:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 05:26
Reported
2024-10-26 05:28
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\Files9P\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9P\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGE\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files9P\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe
"C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\Files9P\adobloc.exe
C:\Files9P\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | 99506fb0271e69476688cb284b126763 |
| SHA1 | 7eecf2b18298f1a13db1c2ace8ec02ab61d988db |
| SHA256 | 30838d4782aab0a9905e8fb7d2f32f3a2b9691ccaa02b7a32f6c911713981d73 |
| SHA512 | 5f1dcf465108fc7b650b7a19d9cce7602c8dc14e3e1db2e1a05af0d00c5caa9300caaea88de2cec717c7296e4b1b801558990b0c82b5ec0c9f7c2c7682318e5f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 416080194a50c1cf4925157d258591d2 |
| SHA1 | fde7d2c284444a7f0d45202ec832fdd3a3b3507d |
| SHA256 | a8896b19543ee949c180294883a178583d818271fa1463bd5734430a6299be1b |
| SHA512 | 8b18f6323e191c4815f23034de011c407ea54549c9876e94ad847d965db3c7b061c68d2c1b989c8bea73497648873a54e3683703ef6e5729743a29514d267e59 |
C:\Files9P\adobloc.exe
| MD5 | 58864b5842e1213b72e59c6abcaaff84 |
| SHA1 | bc53b28481336524feb31b72956b00689c824b10 |
| SHA256 | d7402eb43c63ad15659df80d88f6525ff634bb18e5bd68132ff8d8e849315ee0 |
| SHA512 | 561ed65ed2d8ffbe21f4e64d248b71854fc662f92d6a748856cff24f8dda1d99f7793dc052848ac0be9239290d82432d0a8610b0303c11c8ab6871870d466adb |
C:\LabZGE\optiasys.exe
| MD5 | c34d340b93c81683bd15c173cdd16f99 |
| SHA1 | b659c6bfefd67da0b048db8571855610c41e13d2 |
| SHA256 | fc3f7951c1cbd03215dd1768487e0f00dff55a4c953b4f4feaa192ba951274d9 |
| SHA512 | 8a971d8d08d563b9fc8a4eb502d6788b9184465dcb42d163cf457cc565a973cb1885be57151eef0f89cb82a3de0e5622983fd2d1d4d8bb1b8a7c5fb2cc163c80 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e7bdd64762866c9b890dfaa14d9dd7af |
| SHA1 | e1ba091b10a813c2e2b1109e27b3c6531e7c05dd |
| SHA256 | 47f5d00a44b7ced07048513155e9e3cbac99a3768f3b76541b13e1ca77e2ccc7 |
| SHA512 | def2939890ed7e647a6cf6268c0e311e73bcb71685e920cfd2955891b950106e51e94deb9e3ed2ae0af33b650ab045eeb66ab6fb8fab70950633317face86b44 |
C:\LabZGE\optiasys.exe
| MD5 | a95880acba4ef3f5f9f02c6e8395b623 |
| SHA1 | a028c918467237267a21e3ece91ea318cbba4da1 |
| SHA256 | a566342d7c49cd7db4bce985ffb05095df69871640186fe54b2b0b05cff20a27 |
| SHA512 | 57fc3409641d20632a8105b92b22a95ac01c1b72a1b05eaaf0ed19da88bc19095196698240fc0c48284848dd50c5b9308510eb0177634dfd4828a86b5de0cf8d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 05:26
Reported
2024-10-26 05:28
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
100s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\AdobeYE\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeYE\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxU5\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeYE\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe
"C:\Users\Admin\AppData\Local\Temp\7caef929308f7077dd60062d5e4f7fab4f1b9d737fd4b3c7026266fad1d47e1dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\AdobeYE\abodsys.exe
C:\AdobeYE\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 1f90355ad71ad057023c50824331be3e |
| SHA1 | a647e338bfc6b2d635de9c430de71aee1a9b3f3c |
| SHA256 | f43c0c2f5487d10ffc29cb7b6321e0a8734de0a8945c47a53acbed8910ffe19c |
| SHA512 | d16edfa4ff1c63c51b38f4dd045a5f1544e8305bacd8571da27e017a91133efa6a3f6da89534ce5bf2bcabe38d26cd0cc524d38ac0ef0e05f62e629caaf4e0b9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c02da7af6538d6a4d7a7fcc569c93501 |
| SHA1 | ee6cb91037202611e8384b8a70487514f8b35f44 |
| SHA256 | d155594916dcf0a4da4b10f70937c700cd4ec7a0a468f35c5458f1fc39e411a8 |
| SHA512 | 7b1000b706c221df8977765bc11dd1e300e427e316dfa0ce1a439db52c4c39a34f5652b48e0f63f30968715fb4435301382e253147734b6d380b31cf634145fb |
C:\AdobeYE\abodsys.exe
| MD5 | 6a8907210d6406adccbf3b169b062702 |
| SHA1 | e94c0ebbe1cecaa0a12d274dbb838c505bb699e8 |
| SHA256 | 7c2a76fb7b10d89a5fd0544659d5a8ea89325bdef371e60d1a42e290c3af66c5 |
| SHA512 | 04e32a9975ab1ddfff2fb28dbea6d27af47a91cedd662e1a9c8ea9a0c83459f87b5510258ae1dc5e9d31640fae4fd61b07d453b3a95f876b9688a0c9c64f5076 |
C:\AdobeYE\abodsys.exe
| MD5 | c49509a2a6c4467c950d6a43d7be7952 |
| SHA1 | 1ed200b64d51282d454afa08f4b7fa94603e19a1 |
| SHA256 | 48f88f6c32f3e8cc6389b9749b34ba524838d29ab4e2490b38e1849f7cf38667 |
| SHA512 | 0b2c29170d8a2563ce8718b4708d70e984c74490f87479c378ba1a06b8adccd8f04cfacd5239759a45b4fb15cf9421ab700c2b925861fc23561077420924ed1b |
C:\GalaxU5\dobxloc.exe
| MD5 | b23c82bd23ebf7749e12fbb1bc5b17a3 |
| SHA1 | b571fd2de2d7b20f7d5726e39ad10e8a725f25ea |
| SHA256 | 2546c5389d887f776e6b0fb053d880dd700d51bdee0e7c15e95431065d3ba10a |
| SHA512 | c9d66244c57de3dd9f0a17ee11c34f0d35fd9dc7095002982d1d40eef6dae38d4a2fe1609aaeff85411210347b06f903aacc5e800ef5866b7a8f1338c0ef1449 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e3a26e107a5413ba6a3822a831446bd4 |
| SHA1 | e694403425d057b6262f7ac31dd885466d1d4b22 |
| SHA256 | 2d9f1fb392f0618581deab8350b8c93a5ccf30daf563c6fbda59edec32fb49d0 |
| SHA512 | 2daee6498ae42cb47c81c2f41bcfe024d282b15d4e97aed3eee31a532692af19153cee42d2850d4f95ec24b5244ad62599578c6947a263e9905a0f735a0d9001 |
C:\GalaxU5\dobxloc.exe
| MD5 | 2ba13eda6c2587782cf20c6cce7ea21d |
| SHA1 | 4e4513ebd0d636e4b957fceed97faa69065325b8 |
| SHA256 | 4cfb0116d989b53a08fba224253523dbf6c0c03787b08c5bdd649ca570328b30 |
| SHA512 | 80c62570763df2868154a209faaf010283bb21cd12a94a170293316eb75c103599a9b85ee7260834f452365a02ded421210a14b887d70c7b195b9fb5b5c950da |