Analysis Overview
SHA256
b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3
Threat Level: Shows suspicious behavior
The file b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:15
Reported
2024-11-13 14:17
Platform
win7-20241010-en
Max time kernel
120s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\FilesZS\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZS\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBAE\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesZS\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
"C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\FilesZS\aoptiloc.exe
C:\FilesZS\aoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | a824cc775fb2e33438a0fa0d103698ce |
| SHA1 | a78a900b6a9e3e30414d071a61ca528bd33b6831 |
| SHA256 | 729ee18e7f3197eec581cc2fc931c4cc4231fea523b0b2fce05203e3a5f8171d |
| SHA512 | 585f14a0a1b0586490de117f5d127c5cadc40191ade13d4bea45943cc2cdc2f9cc5397d1b8bb2667fca3c5d3c63691e71bb708b5de8e81552b2eff3a761ec0c5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9e31f4044e3a7375276bc2fd0970ea0b |
| SHA1 | 82c258c503e4cdef9a7f0ed5f7910a22a7093000 |
| SHA256 | 77eab2ac6682f12a8724138d15e914f6a7679f21488200cc5f6c9e279c8e6f19 |
| SHA512 | aaec9160ff3df04e7478743df4089591749ea2a643a7b62ee2a95a401b7ce0f01090004b8396ae8c5f261c7bbaeaac61500f08be1899565716501bf27e7db370 |
C:\FilesZS\aoptiloc.exe
| MD5 | f6a6da1ee10d407961de6dae3c567f92 |
| SHA1 | 69747dabbc830fc934899d2f217cb5e1161ded3e |
| SHA256 | 6b2f8c6d6392c9fa6e25364a1db2f72238e76ad9a050ea7ddf6e735773a3cd2c |
| SHA512 | c84e470de7b77d9fc4598c342ca11938fb4169df7b92ac687922b42d8310317eab2d4ee549d5aa40c301ca8e88368c79e35c9b36cf40396b57209b1e80b461eb |
C:\KaVBAE\dobaec.exe
| MD5 | 00c4f0df4b227cc7266986a17dba423f |
| SHA1 | 072e0d165891e4ad54f3e87dde1b1598365abf2c |
| SHA256 | be8c803c36847fc90b436a44d83c897e5a2d22d7d098db593ca9dac043e4fcbb |
| SHA512 | 796038910aea8e7e2208b7472a64ea886c6a709cd424e726c0e4c506b55fa938ffa5caefc9e3d3115e01b6e5ac16c20fd7a09198b465668aae6086cab8b7a1bd |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 565a3f1561d34ab300e1a368c56049e9 |
| SHA1 | e773d968d88dff49415118bf0d9fd5eedea02428 |
| SHA256 | c3fed1e32bea6abc68227122382e445617b643bc2f57ac7067789948c01fe4c7 |
| SHA512 | a8d04403bea2d95cb14849bcf0968d0c9d81a4df4cf86dfeec7faa941761f2df3ce90708526a1b23885fdb04410933ab01c23147a03e41a8ee78cccffc2ddd42 |
C:\KaVBAE\dobaec.exe
| MD5 | ad8cd1de15b4a888ac04a22c14b67a7a |
| SHA1 | 17a04b96d5a33380542549d46f70a4c1502bb376 |
| SHA256 | b8a269491a60c2c60de54ca8b2af2801b7545849d30213592d5886547fcc3e52 |
| SHA512 | 79e650603f997dc90f26ce0e70ab4dcfbae38b7f265c8d86e56af7c943b0625ddbf3e3c798d94d833dad4b10eaafcda1bfc805bd20d160c6735ed56f429337a2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:15
Reported
2024-11-13 14:17
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
113s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\Intelproc7Z\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7Z\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUX\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc7Z\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
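Both detonations (behavioral1 and behavioral2) show the same persistence layout: a copy of the sample written to the per-user Startup folder, a Run value and a RunOnce value, both named Parametr, pointing at executables dropped into new directories directly under C:\ (C:\FilesZS, C:\KaVBAE, C:\Intelproc7Z, C:\KaVBUX). The Python below is an added example, not part of the sandbox output, that turns those indicator rows into a small detection routine: it flags Run/RunOnce values whose data is an .exe one level below a drive root outside the standard Windows locations, flags executables created in the Startup folder, and reports a value name that one process registered under both Run and RunOnce. The event records are constructed from the tables above; the record layout (dicts with op, process, path, data) and the two benign control rows are assumptions for the example, not a sandbox or Sysmon schema.

```python
"""Autostart triage for the pattern in this report (added example, not report output)."""
import re
from collections import defaultdict

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe")
HKU = r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000"

# Constructed from the behavioral1 indicator tables; the last two rows are
# benign controls (a key open, and a Run value under Program Files) that the
# rules must NOT flag. The explorer.exe writer on the control row is made up.
SAMPLE_EVENTS = [
    {"op": "file_create", "process": DROPPER, "data": "",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"},
    {"op": "reg_set", "process": DROPPER,
     "path": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "data": r"C:\\FilesZS\\aoptiloc.exe"},
    {"op": "reg_set", "process": DROPPER,
     "path": HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "data": r"C:\\KaVBAE\\dobaec.exe"},
    {"op": "reg_open", "process": DROPPER, "data": "",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"op": "reg_set", "process": r"C:\Windows\explorer.exe",
     "path": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"},
]

# Run / RunOnce value under any hive; captures the key name and the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE)
# An .exe exactly one directory below a drive root, optionally quoted, optional args.
ROOT_DIR_EXE_RE = re.compile(
    r'^"?([A-Za-z]):\\([^\\"]+)\\([^\\"]+\.exe)"?(?:\s.*)?$', re.IGNORECASE)
# Top-level directories that legitimately host autostart executables.
BENIGN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata"}
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)


def normalize(path):
    """Collapse the doubled backslashes the report uses when rendering value data."""
    return path.replace("\\\\", "\\").strip()


def root_dir_of_exe(data):
    """Name of the top-level directory if `data` is an .exe one level below a drive
    root and that directory is not a standard Windows location; otherwise None."""
    m = ROOT_DIR_EXE_RE.match(normalize(data))
    if not m or m.group(2).lower() in BENIGN_ROOT_DIRS:
        return None
    return m.group(2)


def analyze(events):
    """One finding per event that matches the autostart pattern in the report."""
    findings = []
    for ev in events:
        if ev["op"] == "reg_set":
            m = RUN_KEY_RE.search(ev["path"])
            if not m:
                continue
            top = root_dir_of_exe(ev["data"])
            if top is not None:
                findings.append({"kind": "autorun", "key": m.group(1), "value": m.group(2),
                                 "root_dir": top, "process": ev["process"]})
        elif ev["op"] == "file_create" and STARTUP_DIR_RE.search(ev["path"]):
            findings.append({"kind": "startup_drop", "path": ev["path"],
                             "process": ev["process"]})
    return findings


def run_runonce_pairs(findings):
    """Value names that a single process registered under both Run and RunOnce."""
    seen = defaultdict(set)
    for f in findings:
        if f["kind"] == "autorun":
            seen[(f["process"], f["value"])].add(f["key"].lower())
    return sorted({value for (_, value), keys in seen.items() if {"run", "runonce"} <= keys})


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("Run+RunOnce pairs:", run_runonce_pairs(SAMPLE_EVENTS and found))
```

The root-directory rule is deliberately narrow: it keys on the drive-root drop directories this report shows and would miss a Run value pointing into AppData, so in a real ruleset it sits next to the usual Run-key rules rather than replacing them. The Run/RunOnce pairing on one value name is the higher-confidence signal here, since both values were written by the same process in the same run.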
Processes
C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe
"C:\Users\Admin\AppData\Local\Temp\b41e88facda214bea707ec024aa8bbf366b93d4d3eca8258b30d0993b9e9d0b3N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\Intelproc7Z\abodsys.exe
C:\Intelproc7Z\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
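Every row in this network table is a reverse (PTR) query sent to 8.8.8.8; the sandbox shows the in-addr.arpa name rather than the address being looked up, and the table has no process column, so it does not settle whether the sample or the Windows 10 image itself issued them. The Python below is an added example, not part of the report, that parses these rows and recovers the queried addresses by reversing the in-addr.arpa labels; it also handles ip6.arpa nibble names, which goes beyond what the table contains. The table text is embedded as a constructed copy of the rows above.

```python
"""Recover the addresses behind PTR query names (added example, not report output)."""
import ipaddress
import re

# Copied from the behavioral2 network table above (constructed input for the example).
REPORT_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
"""

ROW_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*(\w+)\s*\|$")


def ptr_name_to_ip(name):
    """Address a reverse-lookup name asks about, or None if it is not a PTR name.

    in-addr.arpa: four labels in reverse octet order.
    ip6.arpa: 32 single-hex-digit labels in reverse nibble order.
    """
    n = name.strip().rstrip(".").lower()
    if n.endswith(".in-addr.arpa"):
        labels = n[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            return None
        try:
            return str(ipaddress.IPv4Address(".".join(reversed(labels))))
        except ValueError:
            return None
    if n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(x) != 1 for x in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        groups = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
        try:
            return str(ipaddress.IPv6Address(groups))
        except ValueError:
            return None
    return None


def parse_network_table(text):
    """Parse the report's pipe-delimited rows; header row is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group(1).lower() == "country":
            continue
        country, dest, domain, proto = m.groups()
        rows.append({"country": country, "dest": dest, "query": domain,
                     "proto": proto, "ip": ptr_name_to_ip(domain)})
    return rows


def queried_ips(text):
    """Addresses looked up via PTR, in table order; non-PTR queries are dropped."""
    return [r["ip"] for r in parse_network_table(text) if r["ip"]]


if __name__ == "__main__":
    for r in parse_network_table(REPORT_ROWS):
        print(f'{r["query"]:40} -> {r["ip"]}')
```

The recovered addresses are what to pivot on (passive DNS, allow-lists for the sandbox's own Windows traffic) rather than the in-addr.arpa strings; the report itself gives no forward lookups or connections for this sample, so the list is a lead, not an attribution.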
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 0f0000172b831455c287c4fc3b93f4aa |
| SHA1 | e556774b87aadac4a76a5e2f2e0e7e42d2d759ee |
| SHA256 | f2d29313a7b33f7fbd9eb6c3559eae872291b7b607a6b808b7d83840c91df8c7 |
| SHA512 | de8b45303bf1ae92787ec3f030433e1e14dccfa82231b8f89bc12b46ab854edfa4013f2f83f433e21f050c0fcc5cf826167c0d7a14eed0cf6f56e48bdc92a201 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d375844367e3f417ed3d7a15e80eb050 |
| SHA1 | 020e6acb873b7b1556136e720fd6d44b02cb5769 |
| SHA256 | d81069b80450fa307fa959ca8164e4ecc9cd3b4c041ee7074fb1fa0292af0295 |
| SHA512 | 37c206f27ea2fbebdca4aa24f21a92e80986c18591d89f0212fe5213d7f8f0420856fe9a12473b26298e40ab525602b2d1291b71a7fc220c32815964216ab2c1 |
C:\Intelproc7Z\abodsys.exe
| MD5 | 250db7c6f417c691769ce23d48f0d886 |
| SHA1 | 27933c5dd12d32aabc758a24ed44185141d7495c |
| SHA256 | 1ed78969f54069a5803df4c5aa2aed55bc3e71afc57fbb03628a9636c3ec6020 |
| SHA512 | a47136aa2539957d868e8b07afbfc546244c36715750eec8eaf4f46d12f9895a78c79fd4a3e8f7f160144ca25c079013483a43f7fa2f99c10f76e9efc7b16778 |
C:\KaVBUX\bodxec.exe
| MD5 | b1a65dc6265439b27cf5a228ec888e14 |
| SHA1 | 8d16e64c078beb23e5ea488966097203debf485e |
| SHA256 | e372887ba607bed8a4e07f0fad47e293845c33acaf1df155f0ebca0bdd69d866 |
| SHA512 | 07e8707017613d528f7060da43c64ca87b395306c94759977e57c2a36039ca4f5dec5058971778e06a31c2487a0e338c37037a0a45ecc066485932545e6d93b7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b8541d68cd4714b1048cbb39e194b092 |
| SHA1 | 129ddd79233f73e96061c0997166b6d4bac063ab |
| SHA256 | c9b2ddc8117c8be0834202a19004cc09e609b09b58d132995e0de61cb423aa7e |
| SHA512 | cf00f51c8bd58af7dac4d8aaf4f72bd860523599b3a580581c614228abe4721e7814b92080dfdcfaa4f8a02d4e5b089e18e49557672dbd57c8cfcae26eb5a2e8 |
C:\KaVBUX\bodxec.exe
| MD5 | b30d44289695511470e4de44dc4f978f |
| SHA1 | 7296e716ed996f4fd6520db130789344ad3e9962 |
| SHA256 | f51abcab5b1461ac5114463fc56aa1babe17efe2c6150f51ec64ce18fa9f0b16 |
| SHA512 | 285fcebbf20dd221a1837b64bbe11499dbd2ee95ddd0d91e8dc02837279dc0c95354ce58236236119ef174f97cb2e834a9d9a074c9839abc7915a57e57b3b95d |