5c9686f7ed95f863e7f2ab4b7114026462c10371e304f757a0936991c424793e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
17/09/2023, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77401e4b137377e333cb4346e676cae0_JC.exe
Size

2.6MB
MD5

77401e4b137377e333cb4346e676cae0
SHA1

ad728fd67cd1bcac3cd565d893790afee4fd5d39
SHA256

5c9686f7ed95f863e7f2ab4b7114026462c10371e304f757a0936991c424793e
SHA512

fcabf913af4bfa044b3c88f29d024135413fa2f1de1ab83603fe8cc336a20db2cc50c9ed7164a79233122b81e81ee7b706adf16954f361682cc38ddd192203dc
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBh9w4Sr:+R0pI/IQlUoMPdmpSph4+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1228	adobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2228	77401e4b137377e333cb4346e676cae0_JC.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv0Z\\adobec.exe"	77401e4b137377e333cb4346e676cae0_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQN\\dobxloc.exe"	77401e4b137377e333cb4346e676cae0_JC.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin';;,?,':,8492'4.=:>:1?'"49\:B>'?,=?�09@'=:2=,8>'?,=?@;'locabod.exe	adobec.exe
File created	C:\Users\Admin';;,?,':,8492'4.=:>:1?'"49\:B>'?,=?�09@'=:2=,8>'?,=?@;'locabod.exe	77401e4b137377e333cb4346e676cae0_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	77401e4b137377e333cb4346e676cae0_JC.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe
1228	adobec.exe
2228	77401e4b137377e333cb4346e676cae0_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1228	2228	77401e4b137377e333cb4346e676cae0_JC.exe	28
PID 2228 wrote to memory of 1228	2228	77401e4b137377e333cb4346e676cae0_JC.exe	28
PID 2228 wrote to memory of 1228	2228	77401e4b137377e333cb4346e676cae0_JC.exe	28
PID 2228 wrote to memory of 1228	2228	77401e4b137377e333cb4346e676cae0_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\77401e4b137377e333cb4346e676cae0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\77401e4b137377e333cb4346e676cae0_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228
- C:\SysDrv0Z\adobec.exe
  C:\SysDrv0Z\adobec.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrv0Z\adobec.exe

Filesize
2.6MB

MD5
37a9b74a427786263325a62030edff41

SHA1
538dec0fcce8361eb2ff40bba3d8b0276af4e220

SHA256
0c6070aed6a8f575f77523f05136f7b7a595ce79a6b75fc3781ade01fa46f5ad

SHA512
77e7e8fd17b727549ae3c742afbf5680d0e1969709aed75f5ce415a8af1c6c86d9522775d38a4552a271a00da551cd17aee29ba6d7128cedb00df1c2ba58bff4

Download Submit
C:\SysDrv0Z\adobec.exe

Filesize
2.6MB

MD5
37a9b74a427786263325a62030edff41

SHA1
538dec0fcce8361eb2ff40bba3d8b0276af4e220

SHA256
0c6070aed6a8f575f77523f05136f7b7a595ce79a6b75fc3781ade01fa46f5ad

SHA512
77e7e8fd17b727549ae3c742afbf5680d0e1969709aed75f5ce415a8af1c6c86d9522775d38a4552a271a00da551cd17aee29ba6d7128cedb00df1c2ba58bff4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
5ecf60808ce005957b08e5928c0b3809

SHA1
75c045478e9776b688a2eb7bf019ca5534552ac0

SHA256
fd42206025e3757a4744d4651aa1756ab424bdb0e0fbbf793f8a79d764de693d

SHA512
c42d3bf00a31353322511b429c58342264f4fb7f5e556d58a65baa8568c238214b2c76f03f3fc055c8c6ed3ac92312a75abe482404fdb2cff31e81565fbafedb

Download Submit
C:\VidQN\dobxloc.exe

Filesize
2.6MB

MD5
015853a5171bad27a5f62a08f28d6201

SHA1
3661f2eaf8067320c98d790c691a6a521eefa43c

SHA256
4a22c06cb1ad4f95a57f19bcc20a25475d896fa755bcbc6cd4e8d963d4db8823

SHA512
3dfdf96886e5dc6a60b566dc9bb8a2f3014e2e89f8ffe7b76420ee6889604197e24d039afd0ce2aedbff902cdc2d98b628bfc578915534c79b8865115221f5d3

Download Submit
C:\VidQN\dobxloc.exe

Filesize
2.6MB

MD5
015853a5171bad27a5f62a08f28d6201

SHA1
3661f2eaf8067320c98d790c691a6a521eefa43c

SHA256
4a22c06cb1ad4f95a57f19bcc20a25475d896fa755bcbc6cd4e8d963d4db8823

SHA512
3dfdf96886e5dc6a60b566dc9bb8a2f3014e2e89f8ffe7b76420ee6889604197e24d039afd0ce2aedbff902cdc2d98b628bfc578915534c79b8865115221f5d3

Download Submit
\SysDrv0Z\adobec.exe

Filesize
2.6MB

MD5
37a9b74a427786263325a62030edff41

SHA1
538dec0fcce8361eb2ff40bba3d8b0276af4e220

SHA256
0c6070aed6a8f575f77523f05136f7b7a595ce79a6b75fc3781ade01fa46f5ad

SHA512
77e7e8fd17b727549ae3c742afbf5680d0e1969709aed75f5ce415a8af1c6c86d9522775d38a4552a271a00da551cd17aee29ba6d7128cedb00df1c2ba58bff4

Download Submit