Analysis Overview
SHA256
7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669e
Threat Level: Shows suspicious behavior
The file 7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 23:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 23:42
Reported
2024-11-08 23:45
Platform
win7-20241023-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\Intelproc2Y\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7V\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2Y\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc2Y\adobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
"C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\Intelproc2Y\adobsys.exe
C:\Intelproc2Y\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Intelproc2Y\adobsys.exe
C:\KaVB7V\bodasys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 23:42
Reported
2024-11-08 23:45
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\FilesLP\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLP\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFC\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesLP\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe
"C:\Users\Admin\AppData\Local\Temp\7f16b1c680a76c5f1539c6c973e2f44f3e47efbfa3958a5a6430da2f28fe669eN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\FilesLP\aoptiec.exe
C:\FilesLP\aoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesLP\aoptiec.exe
C:\KaVBFC\optialoc.exe