Analysis Overview
SHA256
1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc
Threat Level: Shows suspicious behavior
The file 1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-11-13 13:30 |
| Reported | 2024-11-13 13:32 |
| Platform | win7-20240903-en |
| Max time kernel | 119s |
| Max time network | 17s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\Intelproc2K\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2K\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQC\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc2K\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
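The signatures above describe one persistence pattern: the dropper writes a Run and a RunOnce value named `Parametr` that point at executables in freshly created root-level directories (`C:\Intelproc2K\`, `C:\KaVBQC\`), and it also drops an EXE into the per-user Startup folder. The following detection logic, added here as an example and not taken from the sandbox report, runs those two rules over constructed Sysmon-style events (Event ID 11 file creates and Event ID 13 registry value sets) that mirror the behavioral1 indicators, and correlates the hits by originating process. The benign control rows (a hypothetical vendor installer and an explorer.exe document write) are made up to show the rules staying quiet.

```python
"""Detection logic for the persistence pattern recorded in this report:
a Run/RunOnce value that points at an executable in a freshly created
root-level directory, together with an EXE dropped into the per-user
Startup folder by the same process.

Added example, not code from the sandbox report. The event records are
constructed to mirror the report's indicators; field names follow Sysmon
Event ID 11 (FileCreate) and 13 (RegistryEvent SetValue). The benign
control rows (hypothetical vendor installer, explorer.exe writing a
document) are invented to show the rules not firing.
"""
import re
from dataclasses import dataclass

# Matches the autorun keys the sample wrote, whatever hive prefix the log uses
# (HKU\..., \REGISTRY\USER\..., HKCU\...).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Per-user Startup folder: anything dropped here runs at the next logon.
STARTUP_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu"
    r"\\programs\\startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# An EXE one directory below the drive root (C:\Intelproc2K\abodsys.exe) is
# unusual for legitimate software and matches both detonations in the report.
ROOT_LEVEL_EXE_RE = re.compile(r"^c:\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
# Directories where an autorun target is normally expected to live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Event:
    event_id: int      # 11 = file created, 13 = registry value set
    image: str         # process that performed the action
    target: str        # created file path (11) or registry value path (13)
    details: str = ""  # new value data for event 13


def findings_for(ev):
    """Return the names of the rules that fire on one event (empty if none)."""
    hits = []
    if ev.event_id == 13:
        key = RUN_KEY_RE.search(ev.target)
        if key:
            exe = ev.details.strip().strip('"').lower()
            if exe and not exe.startswith(TRUSTED_DIRS):
                hits.append(f"autorun_untrusted_dir:{key.group(1).lower()}:{key.group('name')}")
            if ROOT_LEVEL_EXE_RE.match(exe):
                hits.append("autorun_root_level_dir")
    elif ev.event_id == 11 and STARTUP_RE.match(ev.target):
        hits.append("startup_folder_drop")
    return hits


def hunt(events):
    """Evaluate every event and correlate the hits by originating process.

    Returns (per_event, clusters): per_event is a list of (image, finding)
    pairs; clusters is the set of images (lower-cased) that both set an
    untrusted autorun value and dropped a file into the Startup folder,
    which is the combination this sample shows on Win7 and Win10.
    """
    per_event = []
    kinds_by_image = {}
    for ev in events:
        for finding in findings_for(ev):
            per_event.append((ev.image, finding))
            kinds_by_image.setdefault(ev.image.lower(), set()).add(finding.split(":")[0])
    clusters = {
        image for image, kinds in kinds_by_image.items()
        if {"autorun_untrusted_dir", "startup_folder_drop"} <= kinds
    }
    return per_event, clusters


# Constructed events mirroring the behavioral1 (Win7) indicators in the report.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe")
USER_KEY = r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    Event(11, DROPPER, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"),
    Event(13, DROPPER, USER_KEY + r"\Run\Parametr", r"C:\Intelproc2K\abodsys.exe"),
    Event(13, DROPPER, USER_KEY + r"\RunOnce\Parametr", r"C:\KaVBQC\dobaloc.exe"),
    # Benign controls (hypothetical): a vendor installer registering a tray app, a document write.
    Event(13, r"C:\Program Files\Vendor\setup.exe", USER_KEY + r"\Run\VendorTray",
          r'"C:\Program Files\Vendor\tray.exe"'),
    Event(11, r"C:\Windows\explorer.exe", r"C:\Users\Admin\Documents\notes.txt"),
]

if __name__ == "__main__":
    per_event, clusters = hunt(SAMPLE_EVENTS)
    for image, finding in per_event:
        print(f"{finding:45} {image}")
    print("persistence clusters:", sorted(clusters))
```

The untrusted-directory rule fires on both the Run and the RunOnce value because the targets live outside `C:\Windows` and `Program Files`; the root-level rule is a second, independent signal for the same two writes, and the Startup-folder drop completes the cluster. A vendor installer writing a `Program Files` path under Run produces no finding, which is the behaviour you want from the rule on a real endpoint.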
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe | "C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe" |
| C:\Intelproc2K\abodsys.exe | C:\Intelproc2K\abodsys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | 728bdcea688eeeebaa17592ed50d65d8 |
| SHA1 | 25f56ca18d8fbf4dffdee00309998b8e36d7312a |
| SHA256 | ab662da369ca17d5a6058a25c6c922c898276275076a15ed50a5dc5626fdd7cd |
| SHA512 | ea13cff3149f11a3f6dd64fc2997f561277ecfb67113de5252d0f895a167ff2ea0ef3698f83296bb757f4edcc0888fc02713a4cce92a9acddd2d88b0baa39931 |
C:\Intelproc2K\abodsys.exe
| MD5 | 3d45b0eaee6cd60ad4f5568ac16ef258 |
| SHA1 | d7e11caa9a67cadd55724afe2d1d84adab824cea |
| SHA256 | ea6a4772229675d6d0144ac1cf4f7831259b4edd25d7706903c3f2e2e3ca7243 |
| SHA512 | 2d25a653389ee60d4d1a922b31cda5d7dac66d70cb6b72b1e60925b039a1066d16fe93dd478af6cc0fe4eb3b73c7cab86c4cc39eb4f0fb4da694adef8999708b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 15227b891bc37a79788fd0999d0cc670 |
| SHA1 | d0b663c28a51ea37e8c2e1b5f51270e0ac10031b |
| SHA256 | e78720b0afd818a1a1fd4a7779892bf1099b35be146f1dc5ab2e97a1993c931a |
| SHA512 | 15f5d7dce82991d5c948d5e2c9c83e5c112ac3e689429f4ab6da1af7f6d6b2ea7acfd0c93523cb1bced5f02267ca58f9ab7164044ec60aa4c7776735ab557a98 |
C:\KaVBQC\dobaloc.exe
| MD5 | e29e0121f0682f53e3e8fc1782038fa4 |
| SHA1 | 0f1cf27b969c8e591f60e5c71adfbf7a15d3f477 |
| SHA256 | bc4b66e9bf658f072df4cf4309aab1f49e5cf585187b17693acd10f8ffdc939e |
| SHA512 | 1b16c62cd8bce222b62ca3a193f27dff26289fbf563be95990002f7d0c6e6f97d11104ff195447e6529f3a5e50157e223d054a3eb2b776be27ecf4a6ebe74111 |
C:\Intelproc2K\abodsys.exe
| MD5 | 48e2bc270b37941c5f79c121c0547fc3 |
| SHA1 | e2b6cd60094087690a755eb095f71032ad983fb6 |
| SHA256 | 4aa1660b4fdc54dcd210d80597773349e80f6988d65e0d330db6c8a37df97ff1 |
| SHA512 | db528a4cba8e8d9864d4cb4914c2d7399f6a9b3dec7617f6d80b553ca9715588e67a96c17349e1cb6e64ef50e82857faae782ec7966b55127e0d1d388740afc2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | c6992354d2fb73eb86148f192569c7ee |
| SHA1 | fa212fc9c3d595bb5e3ad3c4415ae8142859a12a |
| SHA256 | 0e39d9a2dffbac1b93a90d32470ee707f3617396638058ab65a5ba5b40d4625d |
| SHA512 | f8dfc436f72421895e69750aec20828b04b4459ec3876431179d8f4629046766807e692e93ccfc728c2d8c939a7492b461a4d3eebb8a876b6684cd7453601fca |
C:\KaVBQC\dobaloc.exe
| MD5 | 2873fb57ea06e0913c9b5dde7bd73c2d |
| SHA1 | c2794b886d0f3c44e805ffe343756fd81b5c87ec |
| SHA256 | 08bfacea5ca3a11f935a3a68ac2abceac42a731bd3c8bbb834bb6471d43f4587 |
| SHA512 | 9db7ab2c48ad7fd8125df8c24bb1613169cdf1b762ad2552a31ad27ecfb1c9fca9350c4a31f167fa663450d181ba96804fc03f9938c7eea125d4b5efde338d76 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-13 13:30 |
| Reported | 2024-11-13 13:32 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 120s |
| Max time network | 97s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvUS\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvUS\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint3O\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvUS\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe | "C:\Users\Admin\AppData\Local\Temp\1ebb0bd34fecd9ad65fcf03ce3ad0e33182a35cdba67bc2055faaa1a7f2cb6bc.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe" |
| C:\SysDrvUS\adobloc.exe | C:\SysDrvUS\adobloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
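Every row in the Network table is a reverse (PTR) lookup sent to 8.8.8.8; the octets in an `in-addr.arpa` name are in reverse order, so `97.17.167.52.in-addr.arpa` is the lookup for 52.167.17.97. The following helper, added here as an example and not part of the sandbox report, decodes those names back into addresses an analyst can pivot on and separates them into resolver self-lookups, ordinary forward lookups and private ranges. `TABLE` reproduces the rows above in the report's own pipe-table layout, and `parse_rows()` is a helper written for that layout. The caveat a practitioner should keep in mind: the table shows reverse lookups only, with no forward lookup or connection to any of these addresses, so it does not by itself establish whether the traffic belongs to the sample or to background activity on the Win10 image.

```python
"""Decode the reverse-DNS (PTR) names in the report's Network table back into
the IPv4 addresses they refer to, so the addresses can be pivoted on.

Added example, not part of the sandbox report. TABLE reproduces the
behavioral2 Network rows in the report's pipe-table layout; parse_rows()
is a helper written for that layout. The table records reverse lookups
only, so nothing here says whether the sample actually contacted the
decoded addresses.
"""
import ipaddress
import re

PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE
)


def ptr_to_ip(name):
    """Return the IPv4Address a PTR query name refers to, or None if it is not one.

    in-addr.arpa names carry the octets in reverse order, so
    97.17.167.52.in-addr.arpa is the reverse lookup for 52.167.17.97.
    Octets above 255 are rejected rather than passed to ipaddress.
    """
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ipaddress.IPv4Address(".".join(str(o) for o in reversed(octets)))


def parse_rows(table):
    """Yield (country, destination, domain, proto) tuples, skipping the header row."""
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0].lower() == "country":
            continue
        yield tuple(cells)


def summarize(table):
    """Group the table's queries into resolvers, decoded PTR targets,
    lookups of the resolver itself, forward lookups and private targets."""
    rows = list(parse_rows(table))
    resolvers = sorted({dst for _, dst, _, _ in rows})
    resolver_hosts = {dst.rsplit(":", 1)[0] for dst in resolvers}
    targets, forward = set(), []
    for _, _, domain, _ in rows:
        ip = ptr_to_ip(domain)
        if ip is None:
            forward.append(domain)
        else:
            targets.add(ip)
    return {
        "resolvers": resolvers,
        "ptr_targets": [str(ip) for ip in sorted(targets)],
        "self_lookups": sorted(str(ip) for ip in targets if str(ip) in resolver_hosts),
        "forward_lookups": forward,
        "private_targets": sorted(str(ip) for ip in targets if ip.is_private),
    }


# The behavioral2 Network rows, copied from the report.
TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
"""

if __name__ == "__main__":
    for key, value in summarize(TABLE).items():
        print(f"{key}: {value}")
```

Running it on the table yields ten decoded public addresses (for example 52.167.17.97, 20.190.160.14, 199.232.210.172), one lookup of the resolver itself (8.8.8.8) and no forward lookups or private targets. A name such as `200.163.202.172.in-addr.arpa` decodes to 172.202.163.200, which is outside 172.16.0.0/12, so the private-range check correctly leaves it in the public set.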
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| MD5 | a659272f7cb6c6fc86ac0b1f17bab79c |
| SHA1 | 0ad51457949d222c4e1ad90db10061ee776d1351 |
| SHA256 | e4adb1d8d7f7f4b8aad71e03eee538c2afe16800012dc05d83c2ceb294800805 |
| SHA512 | ed3fb4410417833473e8bce9efcde4501d88757ba95e20478b986c557992b6cb6c8f5b0d25ba984077eaaeb040db1816fd8a1b3404d122824eb5747abec820f8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | feb535f55ce5c65a5c424547164f9fb1 |
| SHA1 | b4f141e34534a6bbf7093391c7ab9eaca5df1a93 |
| SHA256 | a2a9be8cd6a38d61b9dc73290a8be34eb85ead56843841cf75bca44d5c83fd04 |
| SHA512 | 10e399d33bae128118eb73fba0e11360d20c6cc7dc16cc83667c09dd053e9e5beae330cc7fb6219a58a7c4e5627a41812f9ebffc48a2f452605eade7f2df61ff |
C:\SysDrvUS\adobloc.exe
| MD5 | 6043dd9cd5c6b338d047dd7e2e16b5fb |
| SHA1 | 4547ce34bc9dca5f4f36c00a1d2bae02f98ddc0c |
| SHA256 | bade16afc7e71cb128baf089c0675b5cc414abdf58b4efa6d8abd5e4b19c843f |
| SHA512 | 54bcbeb430fcfdc433ddb2d3b6f96223b8371563e4b278c44759868fa1684feae074b425952503f724cd1356b8dc6b11c6f3a833cf225d529fb7c3f5a6c41ca5 |
C:\SysDrvUS\adobloc.exe
| MD5 | 300d3e87ec0c87eeacae342a007f1372 |
| SHA1 | 8519d557d2a13193505d04fe5b8d7c0d75701e91 |
| SHA256 | d1455fd5471ddf7053b1f713a6694b278fe16e5cdf0977c26f7c718050aa494f |
| SHA512 | c78837ad9fc8b0427d62d1be4aa1458df1f4d42339657d59920c38215f9b2c00f127bc89905c39889090a7c3bba82c701135faee57597fb90035125dfe763a0c |
C:\Mint3O\dobaloc.exe
| MD5 | 1b91b320db05ed7bd8446440dc1fe864 |
| SHA1 | f03dd0f0982725cb145df8ae53c78e7c1814a38c |
| SHA256 | c71731811d4117d109eb550e79b53772c4db1a05134b8c257b8210e55ccb11c2 |
| SHA512 | 8634786bba669a1a2ab5c07bb6e6da0e1b89ca5e1afe7ff3676b93e091b7f06091f69734aa1f766ea99c124e0662c0dc9a3cccfd385903c24ca945d7c0010ef9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 422b25f47efab423615db7ad016e2c7c |
| SHA1 | 3f29a9fc192a1f9d82eccbff0f853f6459482877 |
| SHA256 | b570292331de687d7f638e71aa2c61ec1cc121448dce4100d09ba0cf787e15c6 |
| SHA512 | cb502c52dec2e26faed2b91e08aaf68f885c577502a5f261e324fbec9d69a7efabbe4a4d01b8090d7c28429a39acc428e7317df09286f996f1626654bda28945 |
C:\Mint3O\dobaloc.exe
| MD5 | e8451cfb74382c321402065f87d84364 |
| SHA1 | fcaecce9c3817fd433d750c5190307d3a5818e6b |
| SHA256 | 380f86d2899edd011ce19c6e4aeb638d8e5488edf22a8bd5fd6bb51fe2603472 |
| SHA512 | 6f4ccca17db3a08b805b12b2a42bc34433fb177e72f3f5bfe1c0e4a9541a761aebb8e5653b53e3b0ef69ec7ff64c8a7478dcfb7906ed8deefea93d3a596fb82a |