Analysis Overview
SHA256
db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799
Threat Level: Shows suspicious behavior
The file db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:25
Reported
2024-11-10 01:27
Platform
win7-20241010-en
Max time kernel
119s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\AdobeKB\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKB\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidH0\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeKB\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe
"C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\AdobeKB\devdobsys.exe
C:\AdobeKB\devdobsys.exe
Network
Files
C:\AdobeKB\devdobsys.exe
C:\VidH0\bodaloc.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:25
Reported
2024-11-10 01:27
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\IntelprocX7\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocX7\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB49\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocX7\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe
"C:\Users\Admin\AppData\Local\Temp\db4925b0173c00af9afc3af23a6d85445dcab9b88c78f900aed2c90044377799N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\IntelprocX7\abodec.exe
C:\IntelprocX7\abodec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocX7\abodec.exe
C:\KaVB49\dobaloc.exe