Analysis Overview
SHA256
ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6
Threat Level: Shows suspicious behavior
The file ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 23:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 23:11
Reported
2024-11-08 23:13
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\Adobe1I\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxX4\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe1I\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe1I\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
"C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\Adobe1I\adobloc.exe
C:\Adobe1I\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| Hash | Value |
| --- | --- |
| MD5 | c91d32c42c1ba68a9e1ec9950ffd6107 |
| SHA1 | 964d0e05b51537a269bc50e66f2fcdfbe71c2a4e |
| SHA256 | cd594a342ca657f1e8758c03c742dcbdf9312259a60787e9f3d51d3a4b1d7b5e |
| SHA512 | 3262b9cba35a1f0e11889f34a08fcbb0503461d6b3ef1f155a61b2112e74180cc259208f1011ad124b248a97a73658ac3be2e571130059834655379d67dd9c8d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 85e39321c47d7405f7efbb1eb1fe96d8 |
| SHA1 | d5ab705c5ed9f7c080f300ad3a143a2a05dc0dd6 |
| SHA256 | 0a0de5433fe2fbab278830783e189310bdff7211305330396422a6fa5194c24f |
| SHA512 | ddd9c87c296f520f652a18bc225507a6c9c6d6e7a9019c2a5840ff9c958a992362bdd3f23e48ec11b254e694f619001f71aadaf62fe1f82bb207b2c09e5d29eb |
C:\Adobe1I\adobloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 150c7220a6e81d003e665376d6160a17 |
| SHA1 | a12bee8eb2ec75a11dfb469be652439a0c983f07 |
| SHA256 | da993f3470b38a98679d932982d207e26687be77e86df6d9dd90dca50bf6b30c |
| SHA512 | a53d6106c250cefd6c16bd77d9793e38eebeb101378e9a6ad23f7ce33f47255e93921d82b8ed75a59f39b643ecc10db460b148f267704b7b5855ba18d2a18d44 |
C:\GalaxX4\boddevec.exe
| Hash | Value |
| --- | --- |
| MD5 | b6592563985d86e01142ba780f684a8b |
| SHA1 | f1c2c8931d00b3e75c1a3f4cc0e3730d17c2d43b |
| SHA256 | bca35dade0b17ba7f80d613c5c01671f4841a871b3d571d491ec1cc258d07c41 |
| SHA512 | 2e01fb506808d9bec50accf3688e38da3c4c16c3e8091cb302823f3118190c865cc37299ccab28c88b449da7f74a1814ad77b1f8456a4ffbbd60fc6bbaec224a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a4ad12ebe5ed13752c79b9a8de878f68 |
| SHA1 | 2546f6b4c3fa9e532dd4a2b75f8a77859ce00dcc |
| SHA256 | df7d3e438566cf022ba4ba3c72ba8ec7a8010a6ca6989232c6d986c226e41d37 |
| SHA512 | 90916aa06daf0a0d57e26a0cd2445aece43c768e46aff00a7791d29489bc1c5b54b30d2930ad3e52cc6a4f0337fe973094d42bb50549aa95b1214ba0c0fa7139 |
C:\GalaxX4\boddevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 52852db9260eff5578ddf35ac7285268 |
| SHA1 | 0f12795c06ad7b9c939290975896c7c2054c7bb9 |
| SHA256 | 0984926d9ed8488d10b2fb112c1cd8206360fb163636848be84956eea86a0762 |
| SHA512 | d7f6ac56795c7f40a62bdf2f4bb78ca200c1de6a6793d17811a7c0f582a6905b314b735aca90f9efb9bb11ae3b08d8a223f9d0b97432c4fbe0f689c0a786a6f9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 23:11
Reported
2024-11-08 23:13
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\Intelproc0C\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc0C\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFJ\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc0C\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe
"C:\Users\Admin\AppData\Local\Temp\ca4a96f110dde187121b9a168aebbf30cfc41be82fbfabf07e5bddaa5178a5b6N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\Intelproc0C\abodec.exe
C:\Intelproc0C\abodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| Hash | Value |
| --- | --- |
| MD5 | c0232624eccf5a0bc36028ce53bb47fb |
| SHA1 | 9ad8d80ab3a70f0359f111cffec9d9de96a366ae |
| SHA256 | 1bad22a0db0e2e8bb1534ba397cfb7d34ceb047c6ae182b4ebb4607fccd30386 |
| SHA512 | a9e6b836665f04d759311df6708b5978c6b8ca366c9d3cf739c66266317b4ac9de35c84824fa465ec27a4fc593af3982bf83aff33d52e96e31f79eebe65a69b7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 39713eacbc2efe14b982ea95702aac13 |
| SHA1 | b0a2aa2abe2f00b9613c28e857359586d835b8da |
| SHA256 | 57d91939662c0feba409b5a61e5e24058410b8acb53cc928b6e6a90f2fd536d4 |
| SHA512 | 22ff16f2c4212742f7019f1f80adc49e06c727fea730f615bf26a6aa706f998500cea9d2acb25e85c2d1efac0fa6193b7b8c8746d2c1f2f326be6fbc23e580df |
C:\Intelproc0C\abodec.exe
| Hash | Value |
| --- | --- |
| MD5 | 5ce46de9d1c8ab23eeb8a98bb0b2232e |
| SHA1 | eb2b026ffaf5a7802065fa5971c5c4495fa6763a |
| SHA256 | 0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0 |
| SHA512 | 173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712 |
C:\Intelproc0C\abodec.exe
| Hash | Value |
| --- | --- |
| MD5 | 9606761c172809659a6fab791bf9c2c7 |
| SHA1 | 6fcc04080b049fdd3d41f5f8899ed283c0afbd11 |
| SHA256 | 27b9214cb8f6f54b2cceb5a747ff3b00666266bc66d61e818ac5bfd804079355 |
| SHA512 | 5b42cb9ba96ea16441fed47f86e4e6243d2393e1562c11d5fdbd7863a71da020987388f4f7c0b121eac595458d05f3efcd542544880a77830bb5dbeaa5f7de37 |
C:\MintFJ\optidevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 34bd8ff991b1427aa83cc59b77d0487f |
| SHA1 | 1775fb0e77f2b1b201917c49e409123372df9167 |
| SHA256 | 8403bbb0bac4da664de516bbb70dba1484985a13d35a0b02c2b798b94ccd1eec |
| SHA512 | 5ad1d34933d6a9cead5a8c6dade3c65e64d2de098018614533d08a57b36f862dedf6faf5cdbf1678c96c8a779ddd2da5af6f25798fda1194686676872e35721e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | bfbb71807b5bad38b008c7ebb86a71b6 |
| SHA1 | 32f34ba35eb9080094844aa25711a1e9ff5b3fac |
| SHA256 | 14060741eb5c18868a90e178fcfb3b5786dd458c8f7f03663b5445872a8fc80e |
| SHA512 | 599c2592f5b47c6c2dee40228c67506b0d1df9879cd65e7e35d5a20e4a3a8a81861fcf3668130bd0aa2b83ad4bd2f647c03922a9302968aad0afed0fa4bc00af |
C:\MintFJ\optidevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 5488bf8d623322cded444947d41bea06 |
| SHA1 | 06e50fb2d904d2e8c2664c8e66a6862cfaadebdf |
| SHA256 | 4a3f4d8b5e3f35305afd9d8d7939578366143f36087fd791dff20d7880011262 |
| SHA512 | d7d8510a992624c2dba3241db74dd32d5a051adfb5af5efdc94fc8b8ca64640cd275e029759edb802a8a9df227cd46b2bf54dd87956f77572287470bde8862dd |