Analysis Overview
SHA256
6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad
Threat Level: Shows suspicious behavior
The file 6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:38
Reported
2024-11-12 16:40
Platform
win7-20240903-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\FilesY5\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesY5\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRN\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesY5\adobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | "C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe" |
| C:\FilesY5\adobec.exe | C:\FilesY5\adobec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesY5\adobec.exe
C:\KaVBRN\dobxsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVBRN\dobxsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:38
Reported
2024-11-12 16:40
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\IntelprocWL\xdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWL\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPB\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocWL\xdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe | "C:\Users\Admin\AppData\Local\Temp\6f9146e2e1546e87fb15b9b7fa484ce26edafb5c56e0f69693188763d45924ad.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe" |
| C:\IntelprocWL\xdobsys.exe | C:\IntelprocWL\xdobsys.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocWL\xdobsys.exe
C:\IntelprocWL\xdobsys.exe
C:\GalaxPB\bodasys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxPB\bodasys.exe