Analysis Overview
SHA256
9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb
Threat Level: Shows suspicious behavior
The file 9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:17
Reported
2024-11-13 20:19
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\FilesA3\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesA3\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidM2\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesA3\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe
"C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\FilesA3\abodec.exe
C:\FilesA3\abodec.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:17
Reported
2024-11-13 20:19
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
99s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Adobe4D\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe4D\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB77\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe4D\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe
"C:\Users\Admin\AppData\Local\Temp\9adb3855f70a497650d50ed4bcdf88ee22c4b4423dc52b7d999ad5923859acfb.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\Adobe4D\xoptiec.exe
C:\Adobe4D\xoptiec.exe
Network
Files