Analysis Overview
SHA256: 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517
Threat Level: Shows suspicious behavior
The file 3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-11 23:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-11 23:32
Reported: 2024-11-11 23:34
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 93s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Adobe27\xdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe27\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKJ\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe27\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe | "C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe" |
| C:\Adobe27\xdobsys.exe | C:\Adobe27\xdobsys.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Adobe27\xdobsys.exe
C:\GalaxKJ\optidevsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxKJ\optidevsys.exe
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-11 23:32
Reported: 2024-11-11 23:34
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\FilesXO\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXO\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHQ\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesXO\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe | "C:\Users\Admin\AppData\Local\Temp\3bdf264dde8847a3d066505cf57a7dea4519b668ebf5de38f0953eda3788a517N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe" |
| C:\FilesXO\abodec.exe | C:\FilesXO\abodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesXO\abodec.exe
C:\VidHQ\bodasys.exe
\FilesXO\abodec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\VidHQ\bodasys.exe