Analysis Overview
SHA256
9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8
Threat Level: Shows suspicious behavior
The file 9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:12
Reported
2024-11-13 14:14
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\SysDrvD6\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvD6\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid26\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvD6\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
"C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\SysDrvD6\abodloc.exe
C:\SysDrvD6\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\SysDrvD6\abodloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Vid26\dobasys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Vid26\dobasys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:12
Reported
2024-11-13 14:14
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\Files0R\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0R\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidL7\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files0R\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe
"C:\Users\Admin\AppData\Local\Temp\9cc32d347c08457c52a4a80e06b07671c700b991c7138ecfea3858ff30c578e8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\Files0R\adobsys.exe
C:\Files0R\adobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Files0R\adobsys.exe
C:\Files0R\adobsys.exe
C:\VidL7\boddevec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\VidL7\boddevec.exe