54e37f2f47abe3223ef2bd7b52682a722ffe7d3332a92e2100d50af7524e1c65

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90cedea672b29d7be5985dc58c146a98_JC.exe
Size

4.1MB
MD5

90cedea672b29d7be5985dc58c146a98
SHA1

5595668ff089b9cd693f8a9a80027b579d6c34f7
SHA256

54e37f2f47abe3223ef2bd7b52682a722ffe7d3332a92e2100d50af7524e1c65
SHA512

caf3a55a30c7b7064d941e07cd38ad6aca880b2f041914e338a26e7248cc000270367a612164b8bc63468cce306c06d19bff186c1d04f09e1566ccfe1cad4ede
SSDEEP

98304:+R0pI/IQlUoMPdmpSpg4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm/5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	adobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2240	90cedea672b29d7be5985dc58c146a98_JC.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJE\\bodaloc.exe"	90cedea672b29d7be5985dc58c146a98_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ4\\adobsys.exe"	90cedea672b29d7be5985dc58c146a98_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe
2240	90cedea672b29d7be5985dc58c146a98_JC.exe
2748	adobsys.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2748	2240	90cedea672b29d7be5985dc58c146a98_JC.exe	28
PID 2240 wrote to memory of 2748	2240	90cedea672b29d7be5985dc58c146a98_JC.exe	28
PID 2240 wrote to memory of 2748	2240	90cedea672b29d7be5985dc58c146a98_JC.exe	28
PID 2240 wrote to memory of 2748	2240	90cedea672b29d7be5985dc58c146a98_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\90cedea672b29d7be5985dc58c146a98_JC.exe
"C:\Users\Admin\AppData\Local\Temp\90cedea672b29d7be5985dc58c146a98_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\AdobeQ4\adobsys.exe
  C:\AdobeQ4\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeQ4\adobsys.exe

Filesize
4.1MB

MD5
fa214bcbf18db77a799870afdc63b08e

SHA1
880817b8028596c5c61bd28d5270819647883239

SHA256
c535a3f8cef510a50fb3f883af4662d6da89e4d5680500a78c0a9377bc35cccd

SHA512
9fc3a31f655a69ee64a9d56f29e13bc0cbab418f342dc568a0f6c3d29d930d56b319ede9691115ae8c15360f63d296f256cea9a4c9fba7d7f686d72aa7b19472

Download Submit
C:\AdobeQ4\adobsys.exe

Filesize
4.1MB

MD5
fa214bcbf18db77a799870afdc63b08e

SHA1
880817b8028596c5c61bd28d5270819647883239

SHA256
c535a3f8cef510a50fb3f883af4662d6da89e4d5680500a78c0a9377bc35cccd

SHA512
9fc3a31f655a69ee64a9d56f29e13bc0cbab418f342dc568a0f6c3d29d930d56b319ede9691115ae8c15360f63d296f256cea9a4c9fba7d7f686d72aa7b19472

Download Submit
C:\GalaxJE\bodaloc.exe

Filesize
432KB

MD5
37dc048cd9134e8786ee5f70827e4fca

SHA1
474233e857873d22f4a1d43d5234f2bf7d22e979

SHA256
71c4a9297e2a6e11e80799e118234d7a47f8d96aeca8162fdc92233f55134f8c

SHA512
cfae8f6055dd076ecc424d9ca9e18c7142b9de202873c4a2f742ee4b03f2ce9f3153e1bd41edc88866add7cc776fb16bcc1f24b5f921ebbbc8e26c5e8fea09a8

Download Submit
C:\GalaxJE\bodaloc.exe

Filesize
4.1MB

MD5
dee06ed30b14f4fd46d39f7f71af8be0

SHA1
81ee44f3664e6d3ea04c893749c6ce42738fee11

SHA256
ceae570291a8995fb612138a28e43acdbd46741c19e842fb13c50375737e69fc

SHA512
330f74b656dbfb2cc9c398450703a0ba35ed6666bd2ca71a8e4249accf84069448a1b1d641c794365a296cde28ee6dde5ae37de7c7a64f58d6df8963e245c1a2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
f37dd828e95231e51068398f070b6ac6

SHA1
58d22f99929af6501596a65b40e979cef1acc8ed

SHA256
9eaf000bf1025ee56d817c330cb74de397669386abb5d00504649e8af5ffcec9

SHA512
8b693769020a5e3f48644c21a2d12adae41d31cff2b201852f89cdb74a21afbd66e6af8f6f49097c2f5087dd12edb596794dd597dc5c4af94eb7c29f514656b8

Download Submit
\AdobeQ4\adobsys.exe

Filesize
4.1MB

MD5
fa214bcbf18db77a799870afdc63b08e

SHA1
880817b8028596c5c61bd28d5270819647883239

SHA256
c535a3f8cef510a50fb3f883af4662d6da89e4d5680500a78c0a9377bc35cccd

SHA512
9fc3a31f655a69ee64a9d56f29e13bc0cbab418f342dc568a0f6c3d29d930d56b319ede9691115ae8c15360f63d296f256cea9a4c9fba7d7f686d72aa7b19472

Download Submit