Analysis Overview
SHA256
1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37
Threat Level: Shows suspicious behavior
The file 1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe was found to show suspicious behavior; no malware family was attributed in this analysis.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:48
Reported
2024-11-13 14:50
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\IntelprocO9\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPE\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocO9\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocO9\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe | "C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe" |
| C:\IntelprocO9\abodloc.exe | C:\IntelprocO9\abodloc.exe |
Network
All traffic recorded in this run is reverse-DNS (PTR) lookups sent over UDP to 8.8.8.8:53; no other destination was contacted within the 94 s network window.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
A path that appears twice below was observed with two different contents during the run (each entry is a distinct hash). The profile-root file 253086396416_10.0_Admin.ini combines a constant numeric prefix, the OS version of the detonation platform (10.0 for Windows 10; the win7 run in behavioral1 writes 253086396416_6.1_Admin.ini, 6.1 being the Windows 7 version number) and the user name.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | 5b90964dbcbbfaa3e07d3037621973c4 |
| SHA1 | 1c5da4cbd9cf359fcfd5e7091a85dc45a8fac7a9 |
| SHA256 | 2b530d477aedf7fd44379d3442279e98c0d9ae3c599f53de692a5cfb39a3322a |
| SHA512 | 719e644a2cad290b55cad4b07304ef1a168b85e287dc9b10332a14af949dd0981597d1655773980d4e7faa93f9a43e739e7a5dc029d9e55f129a7d9c022cb995 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | de6c8debaf81d3a87b91e2dc7c2f0ae2 |
| SHA1 | a53a3761bfd06bdd637f90759f443e1f9221a1e6 |
| SHA256 | d1d7c41605eff27a592f5a6ed04d48df1a9b84f5290f0d31bee1e646bc02fcca |
| SHA512 | a4177c0670eb089f073c35a4e70a2082bcfc1d1d39ccbfc83c7cf0358588de17e92b19ccc691459d5bc8a6e7b444af6b3932a4ac04cad066c0fe538e6e2273ed |
C:\IntelprocO9\abodloc.exe
| MD5 | 6382c2c7392852432cd753810e2c8e6f |
| SHA1 | 6a453cdcca9483eaef62f96e39c15b428b7ef71d |
| SHA256 | bb508218e7bdba8ce6b98873cbe6786653c31bdff35e530597b45acf765e84d0 |
| SHA512 | 623e6ec29e0317aad6ab381e507651b9499196241451866a66e6df2a2adaaf2c500fa01075f66458e7bb1bd64cb553bdb79810fad9e34b72adde0808809b1971 |
C:\IntelprocO9\abodloc.exe
| MD5 | 331376f932743f1fdaae5fae0546d4c8 |
| SHA1 | 591fdf64acefa917899b6b1face9838950befa51 |
| SHA256 | e75434c831318babccee3a4d4a88f8ce77dea7179191913c216a687bac4ff1a0 |
| SHA512 | 8a4d7b0b03a8907e0cea12dc276abe7a372512214f5efa54a357c990feeaf42a8ef865f570d52340cc4c6002666450214c9c9ccda27e8207c8edc74e63b3b7b7 |
C:\GalaxPE\dobxsys.exe
| MD5 | 755f26f7c1f045d38e2bc007f6c03d00 |
| SHA1 | f09cfebeab86b4e9aa75f2e439e2013fc2e1dad6 |
| SHA256 | e0b31f038f867bd5be48765b27fecbc9007c93227b6dd06cbf6ee277127e97cb |
| SHA512 | 22fc8cb94ff53b34bf1b076909cd4f61d9f99b0cbf6de02c3dfbae7a8ad0d9c1070c5fa37f531de8d9876c6e798521e0441ec92f3a159ab2a1222dd25ed831b2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e0198a3ed5da18830a7818459493fe53 |
| SHA1 | ce55e943d46fb048836e4bde7b0dbdeef8d4fb10 |
| SHA256 | 851e5bc6d2ef4b26eaf9008087dff9ba77ab6a9dfd256323903727163271918e |
| SHA512 | 01913f9f4bb2a34470a98a9f6cfcba299e1f3101318245b9b07834ce8e7bb48bff2f09e5d51b87f6154bbe37632d8eff0526a45a4f25647c4ab9e16f840386a7 |
C:\GalaxPE\dobxsys.exe
| MD5 | 069c7d5ebc20ead441519fc2807acdfc |
| SHA1 | 94eb49acfddc6450c4810d85271299b49f964a2a |
| SHA256 | af2d7152258913747132a41b113c445005357f268ca6a717b1a8a42c3ac7052f |
| SHA512 | 91dd10db98a2c08140dabc8a5cbe76768d1878b4cbf579f7f2c7fc0466e81b35f6a33d4dc31c97b393de15d2bb730f141974d3a6784c8f6a2748d67bc75433e9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:48
Reported
2024-11-13 14:50
Platform
win7-20241010-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\FilesHF\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesHF\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIR\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesHF\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe | "C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe" |
| C:\FilesHF\abodec.exe | C:\FilesHF\abodec.exe |
Network
No network traffic was recorded in this run.
Files
A path that appears twice below was observed with two different contents during the run (each entry is a distinct hash). 253086396416_6.1_Admin.ini follows the same <prefix>_<OS version>_<user>.ini pattern as the win10 run, with 6.1 being the Windows 7 version number.
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 348a47ae6b36f52538f2068ac147c7e7 |
| SHA1 | 43dba4fdd5156876e85079ff0cbb143c381b614b |
| SHA256 | e2e214fe502cf6bb005d3ddd3d0f6fc2efe3d75972ac61148ff25099ac3f2806 |
| SHA512 | 2485af7afebce5a2bc9d298c721ad8227c4c721a27bab84349260cf7b911068c0edbe9149b34e2425c2d682818ff9ff87c18b0d977d9bd114a35809ba5d964d2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f67162cee797e0c192bb538c18daacb8 |
| SHA1 | f4db6df621b1daa2950857f70f4155d8d96c2109 |
| SHA256 | 56702f77579ad102662c6d142abfb8448afe8e5d4445018cd7eaf5b988ba68aa |
| SHA512 | 2a2be40bb08d656bc1eedc130b4283ea0c3d5102f62f92201bf1b3257fde610a8d69d828b2be3e9db297f873d099df30aa4dd188dd0a687d1fc06f3d80167ddd |
C:\MintIR\bodaec.exe
| MD5 | d990025c28f7eff6ac8892939022aae3 |
| SHA1 | 5cb089ee521e50125abbdd696f2250b0456fa98a |
| SHA256 | e289ea0f99bb3b825c6be9078d57a8a9b939315d84a2503e64d031d0c4cb8f1c |
| SHA512 | 453c01ce42677372aefd6c18b3f06489327b3b9a41f220e8f6350a2b7f22c7852b05c8a703a8853a7de6dcb6dda0240655bb827770ce313c749690685d450b51 |
C:\FilesHF\abodec.exe
| MD5 | 6c4ef9bb71c352ae62980284a40fe971 |
| SHA1 | 858c7d639fe6fb5da3c8f41cfa5546c833691f60 |
| SHA256 | e301dda454324512280cf4d32968e639f87eb88a7c9035c6e4bd901bfd01156a |
| SHA512 | 08da1d4a6515ec823d9094592d2ab43b532011a56369fc27e8dc0e99456f450b57d9ca1e41592e016924a83555a1c06bc69ab6ec9057b2e69dd10431ce3382cb |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7fd7736776018882738772f9c81e0b2a |
| SHA1 | f9b41bd1545fb216c1dbe442cd9662dec6c1e4c6 |
| SHA256 | b36539f5cdb8ae83cb4d990676a6fcf31fed4e847b1fa8c80272a73c834e77ca |
| SHA512 | d3584f9777926943b0c5284b597f23b0787b3e1d9ddb91f73645a37a974756300d932508cd99a6aced090f256d2df98b797b0b35d8362ea39997fb6daea79914 |
C:\MintIR\bodaec.exe
| MD5 | bb187cd94d505850dee7577b7f486467 |
| SHA1 | d4c31fd0cc887db39be0c9d19dd3461b198ed90b |
| SHA256 | 99439059a9814b37b1da0cb3bbdcf748c1f9bb09ff1a15222659aa9998431799 |
| SHA512 | 7b696d04be88a6cf625ed36a18422bf7d031aac9deb707c673d1c3763119b8e77bfd9950656283a91c269af59271d96fb90fbbfefef4e54b7d95a38e61a3832b |
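The persistence pattern is identical across both detonations even though every dropped file name differs: a Run and a RunOnce value named Parametr pointing at an .exe inside a freshly created folder at the drive root, an .exe copied into the per-user Startup folder, and a <digits>_<OS version>_<user>.ini written to the profile root. The following is an added detection example written for this page, not sandbox output. It encodes those behaviours as rules over Sysmon-style event records (EventID 13 RegistryEvent/SetValue and EventID 11 FileCreate); the records are constructed by hand from the indicators in behavioral2 and behavioral1 plus two benign records that must not fire. The report does not say which process wrote the .ini file, so the example assumes the original sample did.

```python
"""Detection rules for the persistence behaviour recorded in this report.

Added example: the rules and the event records below were written for this
page and are not sandbox output. Records are hand-constructed in a Sysmon-like
shape (EventID 13 RegistryEvent/SetValue, EventID 11 FileCreate) from the
indicators in the behavioral2 (win10) and behavioral1 (win7) sections.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1797cf797dbfaecdf61be370c534e579c9d9c7809286bbda0acbb5db171c3d37.exe"

# Per-user Run/RunOnce values; both detonations used the value name "Parametr".
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# A bare .exe directly inside a folder at the drive root (C:\IntelprocO9\abodloc.exe).
ROOT_DIR_EXE_RE = re.compile(r'^"?([A-Za-z]:\\[^\\]+\\[^\\]+\.exe)"?$', re.I)
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}
# Per-user Startup folder: executes at logon without touching the registry.
STARTUP_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# <digits>_<OS major.minor>_<user>.ini in the profile root, e.g. 253086396416_10.0_Admin.ini.
PROFILE_INI_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\\d+_\d+\.\d+_\1\.ini$", re.I)


def root_dir_exe(value: str):
    """Return the path if a Run-value string is a bare .exe in a non-standard root folder."""
    m = ROOT_DIR_EXE_RE.match(value.replace("\\\\", "\\"))  # registry data is shown escaped
    if not m:
        return None
    path = m.group(1)
    return None if path.split("\\")[1].lower() in STANDARD_ROOT_DIRS else path


def classify(ev: Event) -> List[Tuple[str, str]]:
    """Apply the rules to one event; returns (rule name, indicator) pairs."""
    hits: List[Tuple[str, str]] = []
    if ev["EventID"] == 13 and ev.get("EventType") == "SetValue":
        m = RUN_KEY_RE.search(str(ev["TargetObject"]))
        if m:
            target = root_dir_exe(str(ev["Details"]))
            if target:
                hits.append(("run_key_to_root_dir_exe", f"{m.group(1)}\\{m.group(2)} -> {target}"))
            if m.group(2).lower() == "parametr":  # sample-specific IOC, cheap to keep
                hits.append(("run_value_named_parametr", str(ev["TargetObject"])))
    elif ev["EventID"] == 11:
        name = str(ev["TargetFilename"])
        if STARTUP_EXE_RE.search(name) and TEMP_DIR_RE.search(str(ev["Image"])):
            hits.append(("startup_folder_exe_from_temp", name))
        if PROFILE_INI_RE.match(name):
            hits.append(("profile_root_versioned_ini", name))
    return hits


def scan(events: List[Event]) -> List[Dict[str, object]]:
    """Run every rule over every event and flatten the findings."""
    return [{"rule": r, "indicator": i, "image": ev["Image"]}
            for ev in events for r, i in classify(ev)]


def summarize(findings: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group indicators by rule name, preserving first-seen order."""
    by_rule: Dict[str, List[str]] = {}
    for f in findings:
        by_rule.setdefault(str(f["rule"]), []).append(str(f["indicator"]))
    return by_rule


# Constructed events (key prefixes and paths copied from the report's indicators).
HKU2 = r"\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"
HKU1 = r"\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS: List[Event] = [
    # behavioral2 (win10)
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE,
     "TargetObject": HKU2 + r"\RunOnce\Parametr", "Details": r'"C:\\GalaxPE\\dobxsys.exe"'},
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE,
     "TargetObject": HKU2 + r"\Run\Parametr", "Details": r'"C:\\IntelprocO9\\abodloc.exe"'},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP + r"\sysabod.exe"},
    {"EventID": 11, "Image": SAMPLE,  # writer of the .ini is not recorded; assumed to be the sample
     "TargetFilename": r"C:\Users\Admin\253086396416_10.0_Admin.ini"},
    # behavioral1 (win7)
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE,
     "TargetObject": HKU1 + r"\Run\Parametr", "Details": r'"C:\\FilesHF\\abodec.exe"'},
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE,
     "TargetObject": HKU1 + r"\RunOnce\Parametr", "Details": r'"C:\\MintIR\\bodaec.exe"'},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP + r"\ecxdob.exe"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Users\Admin\253086396416_6.1_Admin.ini"},
    # benign noise (constructed) that must not fire
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": HKU2 + r"\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for rule, indicators in summarize(scan(EVENTS)).items():
        print(rule)
        for ind in indicators:
            print("   ", ind)
```

The run_key_to_root_dir_exe rule is the one worth deploying broadly: it keys on the shape of the persistence (an autostart value pointing at a bare executable in a newly made folder beside C:\Windows) rather than on the randomised names, so it survives the per-run renaming seen between the two detonations. The Parametr value name and the 253086396416 prefix are sample-specific and belong in an IOC list, not a behavioural rule.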