Analysis Overview
SHA256: 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23
Threat Level: Shows suspicious behavior
The file 6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 14:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 14:56
Reported
2024-11-08 14:58
Platform
win7-20241010-en
Max time kernel
119s
Max time network
19s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocZ6\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxXS\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ6\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocZ6\adobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
"C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\IntelprocZ6\adobec.exe
C:\IntelprocZ6\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocZ6\adobec.exe
C:\GalaxXS\optidevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 14:56
Reported
2024-11-08 14:58
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
97s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\Intelproc8A\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8A\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAY\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc8A\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe
"C:\Users\Admin\AppData\Local\Temp\6af52aeb00bd367cb423d1176e3240be5f2fa065a5d5a3370baf852bba59ed23N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\Intelproc8A\abodec.exe
C:\Intelproc8A\abodec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Intelproc8A\abodec.exe
C:\VidAY\dobaec.exe