Analysis Overview
SHA256
5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2
Threat Level: Shows suspicious behavior
The file 5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N was classified as "Shows suspicious behavior". In both detonations the sample dropped a copy of itself into the user's Startup folder and wrote HKCU Run and RunOnce values named "Parametr" that point to executables in newly created directories directly under C:\; the directory and file names differ between the Windows 7 and Windows 10 runs.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 22:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 22:31
Reported
2024-11-08 22:33
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\AdobeIJ\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIJ\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidH3\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeIJ\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
"C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\AdobeIJ\abodsys.exe
C:\AdobeIJ\abodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | c07b9cf2d93c17de9d7b5c5205504915 |
| SHA1 | c00f7c3149d51544f6f6bd9b523ca564749c6800 |
| SHA256 | bfc76d427682f31e30cbfc80cad15f6d8efe991db5ba5db312e0d654b0f37d68 |
| SHA512 | e48ade98a36821d1819797aaaf45feea876ada59836612dccc295e7108a2e80f895ced403bd6e3b42c9317d2475bebd766cd756d461e597f219214876cc2b28e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ec23fd78a0ff407a5424d43ac152b3db |
| SHA1 | 9c1139e7be79ad3ba98cc84710a2780c9770292a |
| SHA256 | ec7e5c059b5df06d5385bee862c365bc7ae5e5b1f873e099b9073675af639711 |
| SHA512 | 287770f1023c989a9dfec272602153729c936789a36e8a2ce792d32e0088b9ac4d32bd8524d94915030c6b06b2dbe137fb88d2d8145cb8184189b9ed6a158be7 |
C:\AdobeIJ\abodsys.exe
| MD5 | 0407f06098d6a9dad3830dcd9d1839d2 |
| SHA1 | cdd5dc1352c2b1efd29d19ee5832cbe5f99374a6 |
| SHA256 | 07fc5974f0c21868898ce347f3e7392b8cc00e6f5a6e89432462ebea46f39ecc |
| SHA512 | 97a51c1cc5669cb49736f7a72525b5807eaabc014bd54859f6bbfcb3fcd7b50f79abcaaf222d41fae5aa256a18a452af56799ba893664b62aec50530b2ffbb44 |
C:\VidH3\dobasys.exe
| MD5 | b6d8bb080ffc30e8bc4c2a14f4d227dc |
| SHA1 | 5fb48f98295a1738289f3d7c467c4249aa3a1271 |
| SHA256 | a2c14847e80126752a6d847148d6c8f246e994464a824c7e83c6d638d6270771 |
| SHA512 | c31901974c58016fa55358e9ae39923f83471648b6a1ff18c3e18e8ad65814dd9f0eb4220c716f14fe95268c09104a7e91e947a391d740e353024956dd951432 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e4b0a200b6d697eca857e2ba41547062 |
| SHA1 | 8ea6b02866d1c2d63bace93665a99e0efa6407ed |
| SHA256 | c47f0f603207962bfe07dda571a90d318b65a87f53a5815589896aac1ffd50e5 |
| SHA512 | c56439f7e8f0f2ea50016a55fb088e56aa565bfb81fce8b9c6129f8def1bdc301fc74819c9a73804a450ad24479c51fe2aee5e05efd3ceecb95f174c4e86ddef |
C:\VidH3\dobasys.exe
| MD5 | 32a12fffb91f7574b7ee8257bb2bfa1c |
| SHA1 | 075b0199d5d34bd0f32b99f622a41afa192da49f |
| SHA256 | aa469563aee02de6f0826682e8c80a753f93fa9f27258b766d0bb8d9def92eb9 |
| SHA512 | 429e56ff041f0aee29dfe6fd5dde029e04e2fa09555414974a9a9c4a771756483739fea06de6a5f6372e7f4f5b12fb15e2c638f5d236076d83c59049ba7cf5c2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 22:31
Reported
2024-11-08 22:33
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\Files9Z\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9Z\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZK3\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files9Z\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe
"C:\Users\Admin\AppData\Local\Temp\5aca92a69af33bf041ee0d4b73e11096c904e129091f27de647d22e1d802cbc2N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\Files9Z\adobloc.exe
C:\Files9Z\adobloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | 91ff049977cfedcd8a11e95b641b73ae |
| SHA1 | c560a627a4bc4a35ea8b6c47749faf819c4cf615 |
| SHA256 | 63e05b02d2a6a89f56b127bf8ff8b438cafea637c21cdc03786b50f400306482 |
| SHA512 | 9f89ecebc29418b95f8a13c779fedabb2bb0818233cbd6e46fab9cc765fb33414e5f24e1f5ef16b730baa3ac8c97bc2b749d255f317e0a6f3c3f03d615dd318f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0a816590c9f3757763af7e920b2e0835 |
| SHA1 | 82620a2bf429e6952fd463e26267b8f9cefd1155 |
| SHA256 | 1c5abc3641d6956a45ff7e55d55e81fea309256899b96c414f3d11af02b4b969 |
| SHA512 | 4633c440d83fb77c92ad1e57d7c17f5c33523dab851d80555270d9979784f940a573b309eb884eca6f22f7b7e932f2e571b0dc9eb2a1917206b63c01fe7d6edc |
C:\Files9Z\adobloc.exe
| MD5 | ffdc4ff2abd3e19c131d1a2d301c1289 |
| SHA1 | c0f0b291ca6b2cc549bc38ecfea6ef649ee3da1e |
| SHA256 | 73445eee3c9f1327d056f8519d92bef33ccda6a00807d0d75dd471e3201781fe |
| SHA512 | 211b260129247031284402411da259cab5c92d36b12b39478f909910730028d7b04b76798784be24f71c88fcf40f0fda84c8738ec5a767a7c566c9ba9951ce56 |
C:\LabZK3\boddevloc.exe
| MD5 | 2eb391968816d7122b3af25b8833ca50 |
| SHA1 | 35e3f80179a4b4f26754984f58abf1eb9760b2f1 |
| SHA256 | 78f68dfffed0b3717f863171d14c5b19eeb02cb7a876eaca714a0a4e233d0d54 |
| SHA512 | 4c1e8c6c1853a07fc2b26a2afc4ccc88448e9d3208c330f6a6fd8c9c877f5566996fd95b4787af1d2731acf2b8c6ced1fb08f42fdc04384544614f42d49728e2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 93f460237f451e4ccf701c52fba40e30 |
| SHA1 | 31f0433907e768fcb2c397c965b0814b7fbf98ab |
| SHA256 | 6172a5e8d0853619ca11eb56a33345dd8bee711ee728eb82912d6e3e5daa1ef5 |
| SHA512 | d31496d79a970a0d6c9bf581f1a77f330a638c4d55e3ade2c14048e08e0e2c6d0288c1800122fd827a115b751fbf85bdab054682d9eb88be6fb73bc6ab60e477 |
C:\LabZK3\boddevloc.exe
| MD5 | 3bacadc52901f954dce0a5446166fe93 |
| SHA1 | b29f3d30a741a100e701927a676863b496bbb044 |
| SHA256 | 33fd825e2c21dedd19b54fa868bee99e9f0d3bc4c72817d4fdf1c70c208a874e |
| SHA512 | f7e6cf5b363867db10e21159bea60b6a41bce944d0c18bfeb50587530c4c2348eca8a4ead244d178c3bf56997c6351f3d19bd2aa88a0ee51f76643d306d5fffe |
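The following Python script is an added example, not part of the sandbox report or any tool's output. It turns the persistence indicators from both detonations (the "Parametr" Run/RunOnce values, the Startup-folder drop, and the dropped-file SHA256 values from the Files tables) into host-side checks. The input shapes (registry values as `(key, name, data)` tuples, files as a path-to-SHA256 dict), the `ROOT_DIR_EXE` heuristic, the `KNOWN_ROOT_DIRS` allowlist and the sample data are assumptions constructed for the example.

```python
"""Host-side checks for the persistence indicators in the report above.

Added example, not part of the sandbox report. Indicator values are copied
from the report's signature and Files tables; input formats, the
ROOT_DIR_EXE heuristic and the sample data are assumptions for this example.
"""
import re
from dataclasses import dataclass

# Value name used for both the Run and RunOnce entries in the win7 and win10 runs.
RUN_VALUE_NAME = "Parametr"
RUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# SHA256 of the dropped executables from the report's Files tables. Each path was
# written twice with different content and the two runs used different names, so
# these only match the exact artifacts from these two detonations.
DROPPED_SHA256 = {
    "bfc76d427682f31e30cbfc80cad15f6d8efe991db5ba5db312e0d654b0f37d68",  # win7 sysadob.exe
    "07fc5974f0c21868898ce347f3e7392b8cc00e6f5a6e89432462ebea46f39ecc",  # win7 abodsys.exe
    "a2c14847e80126752a6d847148d6c8f246e994464a824c7e83c6d638d6270771",  # win7 dobasys.exe
    "aa469563aee02de6f0826682e8c80a753f93fa9f27258b766d0bb8d9def92eb9",  # win7 dobasys.exe (rewrite)
    "63e05b02d2a6a89f56b127bf8ff8b438cafea637c21cdc03786b50f400306482",  # win10 sysxdob.exe
    "73445eee3c9f1327d056f8519d92bef33ccda6a00807d0d75dd471e3201781fe",  # win10 adobloc.exe
    "78f68dfffed0b3717f863171d14c5b19eeb02cb7a876eaca714a0a4e233d0d54",  # win10 boddevloc.exe
    "33fd825e2c21dedd19b54fa868bee99e9f0d3bc4c72817d4fdf1c70c208a874e",  # win10 boddevloc.exe (rewrite)
}

# Heuristic (assumption for this example, not from the report): an .exe inside a
# short alphanumeric directory directly under the drive root, the pattern of
# C:\AdobeIJ\abodsys.exe and C:\Files9Z\adobloc.exe. Well-known roots are excluded.
ROOT_DIR_EXE = re.compile(r"^[a-z]:\\[a-z0-9]{3,12}\\[a-z0-9]+\.exe$", re.IGNORECASE)
KNOWN_ROOT_DIRS = {"windows", "users", "programdata"}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def _is_run_key(key_path: str) -> bool:
    key = key_path.lower().rstrip("\\")
    return any(key.endswith(suffix) for suffix in RUN_KEY_SUFFIXES)


def _root_dir_exe(path: str) -> bool:
    if not ROOT_DIR_EXE.match(path):
        return False
    return path.split("\\")[1].lower() not in KNOWN_ROOT_DIRS


def check_run_values(values):
    """values: iterable of (key_path, value_name, value_data), e.g. parsed from reg query."""
    findings = []
    for key, name, data in values:
        if not _is_run_key(key):
            continue
        target = data.strip().strip('"')
        if name == RUN_VALUE_NAME:
            findings.append(Finding("run_value_parametr", f"{key}\\{name} -> {target}"))
        elif _root_dir_exe(target):
            findings.append(Finding("run_root_dir_exe", f"{key}\\{name} -> {target}"))
    return findings


def check_startup_files(files):
    """files: mapping of full path -> sha256; flags executables in the user Startup folder."""
    return [Finding("startup_folder_exe", path) for path in files
            if STARTUP_DIR in path.lower() and path.lower().endswith(".exe")]


def check_hashes(files):
    """Exact match against the dropped-file hashes from the report."""
    return [Finding("known_dropped_hash", f"{path} ({digest[:12]}...)")
            for path, digest in files.items() if digest.lower() in DROPPED_SHA256]


def triage(values, files):
    return check_run_values(values) + check_startup_files(files) + check_hashes(files)


# Constructed sample input mirroring the report's win7 run plus benign noise.
SAMPLE_RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Parametr", r'"C:\AdobeIJ\abodsys.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Parametr", r"C:\VidH3\dobasys.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\LabZK3\boddevloc.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Example", "Parametr", r"C:\AdobeIJ\abodsys.exe"),
]
SAMPLE_FILES = {
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe":
        "bfc76d427682f31e30cbfc80cad15f6d8efe991db5ba5db312e0d654b0f37d68",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk": "0" * 64,
    r"C:\AdobeIJ\abodsys.exe": "1" * 64,  # rewritten copy: hash not in the report
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_VALUES, SAMPLE_FILES):
        print(f"{finding.kind:20} {finding.detail}")
```

On the sample data the script reports three Run-key findings (both "Parametr" values plus the root-directory executable under a different value name), one Startup-folder executable and one hash match. The hash set is the weakest of the three checks: the report shows every dropped path written twice with different content, and different names on Windows 7 and Windows 10, whereas the "Parametr" value name and the Startup-folder drop are stable across both runs.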