Analysis Overview
SHA256
72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3
Threat Level: Shows suspicious behavior
The file 72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe was classified as: Shows suspicious behavior (unsigned PE that drops and executes further executables, installs Run/RunOnce and Startup-folder persistence, and queries the system language).
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:43
Reported
2024-11-13 14:45
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\SysDrvHK\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHK\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid20\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvHK\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe
"C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\SysDrvHK\adobloc.exe
C:\SysDrvHK\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | 9f2654638cda8479ccc0ddae87611281 |
| SHA1 | 1e8dc02aff8b2ced7f679afa6b2df8452d07ca18 |
| SHA256 | 6e5c8daa75c4c7e79ff494e62dbe999f057bb3e6b46a40ebec45d6fb92a1b25f |
| SHA512 | 0732a05dcf42164da2eecdd49a8581ebb81ad9f283c602e9cdb9da822fb4e62920b73f2da82e694f9b9bfbc8654d440a7c791bdc13032c1b439f74b40f8bf438 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0207775795ee8e25b31be7f50e31fde8 |
| SHA1 | 5af58fa398534ee704b8f1b4fe708ba135cbda1b |
| SHA256 | 4f36b6eb75f2fe00d9faa8b31bafbf44e8965c61ac6ae21866e3d06997203adc |
| SHA512 | 9066cc2dbed41036cab3cb3f6302a4a6b92764bad9803f0a76a0124a8c7238ce6c1ec7e8dc2656002093fb64ac7f0f4d647b09a21f6524ec0ba968f68cbf1c9d |
C:\SysDrvHK\adobloc.exe
| MD5 | 08ce99659dc792cfa871382def115938 |
| SHA1 | 7c55176fada0f4e66bb3a5faac90d8e1953841d7 |
| SHA256 | ab6f0efe9b31806c9ed50d9140986c8e0725736eb66af7de56491714c48cd9c1 |
| SHA512 | 85b9819be1283f056ab658c14da0df8593d038bee3cef97e3518e31343a6f628e7a24936188ce09e38bdc55c066eda8289072fb0e6c6527a2d3aff4d81e314e0 |
C:\Vid20\dobdevloc.exe
| MD5 | ec9939d32a4c1994068211a6bab5f0dd |
| SHA1 | 5d0c1c3e7b725cea736267ba7253399fab3f1f2d |
| SHA256 | 6429ffb15bdf00c1c15cec5d15d70381750bcf5caf9c9d792a3481a0e82a274c |
| SHA512 | 4631da7408cbe549dfc8cfd994718ae5ee1d82c6a1d431a3034868a81547f28d846e2581e6582fce19d25f47ece75a52b3cdb071df79bc1f9d53f6490da9b764 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f33e378c546ef0b6db387f1a935929fb |
| SHA1 | 86fc073d58295477ab5c6f19058aef8df1b9023d |
| SHA256 | b0d9773ba02924b2e173af6b457e7a023a450a54d82b1d6339104d50fe613e4e |
| SHA512 | c9aaf05cd4d7551df4ac751c99662e724f52cfddb84692aabd02a2bf940fcaaec47490fcd00f97636cc5a4bcf1773a93614184eb26bcae7e79ae5b6621934d07 |
C:\Vid20\dobdevloc.exe
| MD5 | ec2f1e0fff6a28e53c17a02341597171 |
| SHA1 | f3019ec23979bba1a0071266ee1caf0bcb9bcaa7 |
| SHA256 | 247dea074b6548804f5fd5946dded969a04b7086bb9f5d2d0f683fcdf40761d5 |
| SHA512 | c9b30a5b6435872550a741b1128409ead59db49049a764f77acecc4e00183763ba44c625fc10e74fb119ee4f8c80812868acec85aa1c9ed996fd81f7ab0bfc53 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:43
Reported
2024-11-13 14:45
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\Adobe63\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNC\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe63\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe | N/A |
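The "Drops startup file" and "Adds Run key to start application" tables in both detonations describe the same persistence scheme with different per-run paths: a copy in the user's Startup folder, a Run value pointing at a freshly created folder directly under the drive root, and a RunOnce value pointing at a second such folder. The script below is an added example by the editor, not sandbox output or the malware author's code: it parses those indicator strings exactly as the report renders them (the sandbox doubles backslashes inside the value data, and the Files section lists one Startup path without a drive letter) into normalized IOCs. The "unexpected top-level directory" rule and the EXPECTED_ROOTS list are the editor's heuristic, not something the report states.

```python
"""Normalize the persistence indicators from this report into IOCs.

Added example by the editor, not sandbox output. The indicator strings are
copied verbatim from the behavioral1/behavioral2 tables; the parsing and the
"unexpected root directory" heuristic are the editor's own.
"""
import re
from dataclasses import dataclass

# Registry indicators as the report renders them (value data has doubled
# backslashes because of the sandbox's string escaping).
AUTORUN_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHK\\adobloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid20\\dobdevloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNC\\optixsys.exe"',
    r'\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe63\\aoptiloc.exe"',
]

# "Drops startup file" paths; the Files section lists one without a drive
# letter, so the parser must accept both forms.
STARTUP_DROPS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe",
    r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe",
]

# Editor's heuristic: legitimate autoruns almost always point into one of
# these top-level directories. A new folder directly under the drive root,
# such as C:\SysDrvHK, is worth an alert on its own.
EXPECTED_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "users"}

AUTORUN_RE = re.compile(
    r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\"
    r".+?\\CurrentVersion\\(?P<which>RunOnce|Run)\\"
    r'(?P<name>[^\\]+) = "(?P<data>.*)"$',
    re.IGNORECASE,
)

STARTUP_RE = re.compile(
    r"^(?:[A-Z]:)?\\Users\\(?P<user>[^\\]+)\\AppData\\Roaming\\Microsoft\\Windows"
    r"\\Start Menu\\Programs\\Startup\\(?P<file>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass
class Autorun:
    sid: str          # user hive the value was written under
    key: str          # "Run" or "RunOnce"
    name: str         # value name ("Parametr" in every run of this sample)
    target: str       # unescaped path the value points at
    suspicious: bool  # target lives outside EXPECTED_ROOTS


def top_level_dir(path: str) -> str:
    """Directory directly under the drive root, lower-cased ('' if none)."""
    parts = path.split("\\")
    return parts[1].lower() if len(parts) > 2 and parts[0].endswith(":") else ""


def parse_autorun(indicator: str):
    """Turn one 'Set value (str)' indicator into an Autorun, or None."""
    m = AUTORUN_RE.match(indicator)
    if not m:
        return None
    target = m.group("data").replace("\\\\", "\\")  # undo sandbox escaping
    return Autorun(
        sid=m.group("sid"),
        key="RunOnce" if m.group("which").lower() == "runonce" else "Run",
        name=m.group("name"),
        target=target,
        suspicious=top_level_dir(target) not in EXPECTED_ROOTS,
    )


def parse_startup_drop(path: str):
    """Return (user, filename) for a file written to a user's Startup folder."""
    m = STARTUP_RE.match(path)
    return (m.group("user"), m.group("file")) if m else None


def build_iocs(autorun_lines, startup_paths):
    """Aggregate both persistence mechanisms into one IOC summary."""
    autoruns = [a for a in map(parse_autorun, autorun_lines) if a]
    startup = [s for s in map(parse_startup_drop, startup_paths) if s]
    return {
        "autoruns": autoruns,
        "startup_files": startup,
        "value_names": sorted({a.name for a in autoruns}),
        "suspicious_roots": sorted({top_level_dir(a.target) for a in autoruns if a.suspicious}),
    }


if __name__ == "__main__":
    summary = build_iocs(AUTORUN_INDICATORS, STARTUP_DROPS)
    for a in summary["autoruns"]:
        print(f"{a.key:7} {a.name} -> {a.target}  {'SUSPICIOUS' if a.suspicious else 'ok'}")
    for user, name in summary["startup_files"]:
        print(f"Startup  {user}: {name}")
    print("unexpected roots:", summary["suspicious_roots"])
```

Two points the aggregated view makes clearer than the raw tables: the value name "Parametr" is identical across the win7 and win10 runs while every dropped filename and folder changes, so it is the more stable pivot for a registry-based detection; and only the Run target (adobloc.exe / aoptiloc.exe) appears in the Processes list, whereas the RunOnce target (dobdevloc.exe / optixsys.exe) is written to disk but would only execute at the next logon, which falls outside the 120 s detonation window.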
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe63\aoptiloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe
"C:\Users\Admin\AppData\Local\Temp\72b7c3d3a7bfd573ef71cd737524f953a9266e249fc49dea6c2b8a8ebf4ac8d3.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\Adobe63\aoptiloc.exe
C:\Adobe63\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
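Every row in the Network table of this detonation is a UDP query to 8.8.8.8:53 for an in-addr.arpa name, that is, a reverse (PTR) lookup of an IP address rather than a forward lookup of a hostname; the win7 detonation recorded no network activity at all. The script below is an added example by the editor, not sandbox output: it copies those rows, recovers the queried IPs by reversing the octets, and separates reverse lookups from forward queries and from non-DNS destinations so the two interesting buckets are visibly empty here. Whether the recovered addresses belong to the operating system's background services or to the sample's infrastructure is not decided by this report and must be checked against the analyst's own threat intelligence; the code makes no ownership claim.

```python
"""Triage the behavioral2 Network table: recover IPs from PTR names.

Added example by the editor, not sandbox output. NETWORK_ROWS is copied from
the report's table; the bucketing logic is the editor's own.
"""
import ipaddress
import re
from collections import Counter

# (country, destination, domain, proto) rows as listed in the report.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "17.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "53.210.109.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "23.236.111.52.in-addr.arpa", "udp"),
]

PTR_RE = re.compile(r"^(?P<rev>(?:\d{1,3}\.){3}\d{1,3})\.in-addr\.arpa$", re.IGNORECASE)


def ptr_to_ip(name: str):
    """'209.205.72.20.in-addr.arpa' -> '20.72.205.209'; None if not a valid PTR name."""
    m = PTR_RE.match(name.rstrip("."))
    if not m:
        return None
    candidate = ".".join(reversed(m.group("rev").split(".")))
    try:
        return str(ipaddress.IPv4Address(candidate))  # rejects octets > 255
    except ValueError:
        return None


def triage(rows):
    """Bucket sandbox network rows into resolvers, PTR targets, forward queries, other."""
    resolvers, reverse, forward, other = set(), set(), [], []
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if port != "53":
            other.append((dest, proto))      # anything that is not DNS
            continue
        resolvers.add(host)
        ip = ptr_to_ip(domain)
        if ip:
            reverse.add(ip)
        else:
            forward.append(domain)           # a hostname the sample wanted resolved
    reverse_sorted = sorted(reverse, key=ipaddress.IPv4Address)
    # Cluster the looked-up addresses by /8 to show how few ranges are involved.
    per_8 = Counter(f"{ip.split('.')[0]}.0.0.0/8" for ip in reverse_sorted)
    return {
        "resolvers": sorted(resolvers),
        "reverse_lookups": reverse_sorted,
        "forward_queries": forward,
        "other": other,
        "per_8": dict(per_8),
    }


if __name__ == "__main__":
    t = triage(NETWORK_ROWS)
    print("resolvers      :", t["resolvers"])
    print("PTR targets    :", t["reverse_lookups"])
    print("forward queries:", t["forward_queries"])
    print("non-DNS traffic:", t["other"])
    print("by /8          :", t["per_8"])
```

Run on the table above, the forward-query and non-DNS buckets come back empty: the report contains no hostname resolution and no outbound connection attributable to the sample, so the network section on its own yields no C2 indicator, and the dropped files and registry values are the IOCs worth sharing from this detonation.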
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | 6ad027329e5fb5e7fb6239140e571b24 |
| SHA1 | 9d7fb6730bbe3968724a5a6304bea84d963d02dd |
| SHA256 | 2180da742b3287b9f761b9481542453dddf6195734cf55c8b1d59bf7a7f87794 |
| SHA512 | f4d7fc81f6738e74674f9f503f43312c39fa8ac950a3b1e96cd6b57f9c94eed33a851083c81964c0838a30bf2fb4271a6e029fcab5d50db135833fa8acf36710 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 1cd5cbf0b35d74e25d424a6c8078365a |
| SHA1 | 86f35748d9a7373e77401ae4ff6d4be0bc261f1e |
| SHA256 | f1235224206a56dd03cfe206a263c449c1a2f1c7578f0f25a9b4da7dbc0c0b06 |
| SHA512 | 8acc04153938ee4ede48d5613170f427de45e81f9bb07fec9ecb980fd72d6bace41876850635126ef60affecd07d6c6f50e90d5a4058fdeb4631eaf8d3c66f6a |
C:\Adobe63\aoptiloc.exe
| MD5 | 17b398df2ec540a4a99c651e6c79fb0c |
| SHA1 | e84844c0dbc3c2b504427b50b4e5bf0d1131f803 |
| SHA256 | 7d0f37cc24fb3edcb5ddc7ae98ede490bb599fb6b9e0bc5aa1719a4bab03ba04 |
| SHA512 | 353e9bca38e949299279ac1474db632ae08da29f1cfe3e55ea9bcc08ecf7bc252c689454f4d3fe1c0d5920cc1f2700098bd783ad771c0579c1cce540c9d4172d |
C:\Adobe63\aoptiloc.exe
| MD5 | 228a5b45eda7f8431306040bbfbc16b1 |
| SHA1 | 7013d2f44836a46322d1550667d90e1362008f45 |
| SHA256 | cc8b249dc59a4a8d0792913a2743d88c8b21433457c774bc683c6031e004bc25 |
| SHA512 | 3aa2fb7014ca5ec5f01da757988c0b55186e2d85fe2de35067f5a6c03bbf3279644b145926f98d315b341e00d1fa6de26458383175321137d42c3c710485e4fc |
C:\VidNC\optixsys.exe
| MD5 | faf0e2c5605ceb7cc8855dd8d40a8316 |
| SHA1 | 0858a83ec97f61a8d01c62afefc37774df08105e |
| SHA256 | 99562331cc54ff053f6599746044cca2c12e7f6499f679d778ed52ce8b15d4c1 |
| SHA512 | 6cbbbcc5e8a99c92981d496870f975049278fb2bf041f61d72966bc23510fbd282b524ee55e641a22396841c5df369c637002e6bd7ec6aa5ab26c308b80ec28a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c2ce99215d407d8b86b71c159b21eb82 |
| SHA1 | 3c8e5509c4f51cef81fcf8a0d568530aa024710b |
| SHA256 | 743e0780b283267a02067b0870348a2988b319e5275ba82838f9c120e5bd8ffc |
| SHA512 | 74054d006fc32e18dd476fb32fb1e861ba55bbd7fee6fa0a3cb2dd37b2941e0ddf1f7e048cdf2042531d47925daaf90c593e3e239af7a0802a6a4ff8110de9ad |
C:\VidNC\optixsys.exe
| MD5 | c82ba0a03d00b83d539fdb9952393d5e |
| SHA1 | 8e1f5da19b1c4ff9c8cb85c5481f707fd9185d56 |
| SHA256 | ac56d1452ba4378afefc6a13f52d04c94e8d06cd9119da7ae4eabbf77a86c1fd |
| SHA512 | 437b22df0da960d2f712a19575a9451534bc94e0ecf0b93881d4c102d42a0381d55dd29d3bc3385b23f841cce8369c844a853b983562b62bf76146b60070686e |