Analysis Overview
SHA256
53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a
Threat Level: Shows suspicious behavior
The file 53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:20
Reported
2024-11-09 22:22
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\FilesED\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTQ\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesED\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesED\adobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
"C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\FilesED\adobsys.exe
C:\FilesED\adobsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 2b1c4939970719361c8d8c541aac1715 |
| SHA1 | dcbefaf395c95bb0f98da5fa5ff71dcfb7ae8f87 |
| SHA256 | 4f8501466023054165ba422e6301c575cf446b43b4edba9924ed85440fc10202 |
| SHA512 | 8ce6139377d05b9df59885f89e1ac2964d75a0f2654c0e2a782ade927f5be947e97d19f0a9249a933d0f5491ad117315a460aed1c3bc29f167982ba723caa231 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 21d6cf8308bc9f20eef58e143d7dd9d6 |
| SHA1 | 8111efbe7b161d8995b1a95e2359579098e9be88 |
| SHA256 | 2d972578dbfc0abaa167315dd35e36651d4e975b90880a6dfea68e03dcda9ecb |
| SHA512 | 67c7181b2020329ad5af42c447679359cc121a3e7d51f293d97f89e391c53303d68ab5d54635c122389622d15ce5a946e6acac15e3af58012c45e42978c7f0d4 |
C:\FilesED\adobsys.exe
| MD5 | c706ba19dc437b61aa42f807d4e428d9 |
| SHA1 | d554a5ae7dbad3500ef9813ff23d7c5b71d64404 |
| SHA256 | 12f9276a56f044689f8e697353cc275cb9b7e8e4ced91561008ed7532e0200d4 |
| SHA512 | c3081d2d234ef692eb8c2649db79d25d5e6b2432b0455617423a433da7511ef00d433e331dea4d007dc2aa1b9ff21dade7e2dc2025a6e902593344420ad62f9a |
C:\FilesED\adobsys.exe
| MD5 | 27009c11153c08eaa3ca716543923e9b |
| SHA1 | 7d7a79e2423bc8af53e142f7b7d7e4b190c857ef |
| SHA256 | f133a02488857265cf074df309b2fa1ad59fd40cfcee0cc8a2f3de580a76086c |
| SHA512 | 7d615c3760d042cc586b51542a4d76c1fcfc64cd560d7c1b16cc96e5d11deec822aacf443c0fcab56ccebea46a878be52920676eae67510e4048834b2b6fe3dc |
C:\KaVBTQ\bodasys.exe
| MD5 | d428af90faba26430bad2e091cc230a7 |
| SHA1 | 6b14c533413c37448be64c4c86ad7c6e9180e1d9 |
| SHA256 | dbc10beaf06bfcee944e5a97f0fdb8da6e8b61752080f36cccb27a6f29b105a4 |
| SHA512 | 94c7886b0b60fa8ae0efb13ad6acd2492f7ebe565d23644fd702b6b4b695563a497caf5f80f63bc8658852f962eab1f46b9eaa43140507220da7667b984d4adf |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6f340f89542f5e905004b4c8c0ad5e57 |
| SHA1 | b635b6bd9f0eb7b890398d2aa4372dbe9c65f0b0 |
| SHA256 | 5624c4294b4951b0c5e82c817f1bf23751f9aca3dedf1198b082caa86f13eccb |
| SHA512 | ae9747de3245d41344e75bffdfa9cc63c8bf538ef956c0b1502a4dcb9f87a15f998fd801ae0e0e824cdc0d3f1135caa908a13c9b6cacdef1dde7b3f2e02b75c9 |
C:\KaVBTQ\bodasys.exe
| MD5 | d80b5b2a5287bee731546d179d0e7e31 |
| SHA1 | 113f5bcbb31c22e1758a0e9fe47732610a5a845a |
| SHA256 | 6f4d176c002e560103da651fb6f2d871058508f7b2afbc190c74b0684911c6cd |
| SHA512 | 4afe4d367594e45685fe873290a3860cc89f744823e8f756bc5987bff3bab142d2982177c42ac66b34e20642ac288bc1999b829003939188428ed2d1ce5f2ad8 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:20
Reported
2024-11-09 22:22
Platform
win7-20240903-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\IntelprocLU\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLU\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxFG\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocLU\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe
"C:\Users\Admin\AppData\Local\Temp\53df61c48554e5dbb981940e0570ee69e246c895df718aba8c7995c02d0a655a.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\IntelprocLU\aoptisys.exe
C:\IntelprocLU\aoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | 28e6ec3920dac9ebe6da4661c81aeed8 |
| SHA1 | ac8090d4e868e436fbdd73c8eb05651dc2bec8c1 |
| SHA256 | 395b098cf81048c9e4a3246f217ae394e55dd5c6b077c1cd355042b35850de3c |
| SHA512 | d049b9bd8c6858cca2b9c957e223bcb272116f64387ba271a0d701d41bbb19adc534a2bf1f828ba68b944b0ce84b68dde6cbbcf33ef6d6e02df405f8b1d21ecd |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a50d253f718408011f718d0178033b06 |
| SHA1 | 6495e7ee7acd923b599d501dad0655e5e6137aac |
| SHA256 | 72a203e834f6a79ae1ce9ee03761fcc104c8178a16ca7d354c85d9aedae51652 |
| SHA512 | 9876049cb049e5945acb1109446f84b8c4a465bff42e3c12903b8631f4d447fbfb8a9c7f827bbdff892bb9aa3e712d406450385e80a01c969234772d9609c2f7 |
C:\IntelprocLU\aoptisys.exe
| MD5 | b29a9b77e287e62b9682863711f531c3 |
| SHA1 | 69a17bad287c0079d380e82daddd28cfc4f78342 |
| SHA256 | 61072589846599e9632fc62a5c90998ead8d9d83307665cfa918841997f0c6bc |
| SHA512 | aab49fad0f9ecb9be79a5f2b486618d462402fdae3b19835be966f0ae48b9cb5d337b2fb269e8165a40b42b0888cc008bba051cae5af6d46d5a8e29d6261994d |
C:\GalaxFG\dobdevsys.exe
| MD5 | 4697ca82883e7a70f47e5fac2118fe4e |
| SHA1 | 6b8a443bdad12f52dd3d67d4f29126fa26d74549 |
| SHA256 | 7e7ed846f9e9feee7650e6fd3811570207c71dab7142adf0e2f653f16a04fc60 |
| SHA512 | 3746f33664dd4b0b84accf4cc9d9fd1aacb6afe451515edd8908e0052017ff720dd404e64372016e5e1af2ab80e56f3f7d5db58aff738335e4aa43325c1ffad5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ab600124b994ee9fb1a667217fd9c034 |
| SHA1 | 5fc8cfb48e5005e6a84928a4b6c87c82fdd8e55d |
| SHA256 | 67c9fcb8cc188ce000398979d7680756ce991334652644dfbef5010a3e920e68 |
| SHA512 | bd8d118258d70443e984d95f264074936647a917ba200cfd83b04566bcc5454c3f3c40cc658ab9d7563e39b93f0a74512372b21ec62a49cf24929dc3e2dd8252 |
C:\GalaxFG\dobdevsys.exe
| MD5 | 5426c2bba186c7bfb14c05654e5fc3f0 |
| SHA1 | d432ece5634fe6372153c785828891fd197d9f33 |
| SHA256 | 4407a5f06a88a45538b21ab61b941f0ab491c2ee032b8e0b0d35350185e9b1c6 |
| SHA512 | 7bdb5dce337ae3eefd8d8781d5db3e4e2c45f029f68e1ce4dbecfd5e6211cf4292f8436432110a1bb8874dd9d2ba20043ff36c60fd2389df7b77f1d70b03bd17 |