6a6d25b59a269e523d2d4d0e47912c992e4373499e89a0bae42d9ce8a7be28ab

Analysis

max time kernel
262s
max time network
319s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

854ab0eaafd74df028d3865369114e70_JC.exe
Size

4.1MB
MD5

854ab0eaafd74df028d3865369114e70
SHA1

44a3877986b72a4afc75a29cfb73b36267789b32
SHA256

6a6d25b59a269e523d2d4d0e47912c992e4373499e89a0bae42d9ce8a7be28ab
SHA512

93a5afbdaa7427eb56c41038bab72d99f08f34cf460e27274965491422116019d2642466e839c81781bb1979b8289eeddf145d13cff5ba855e840dff96012fd7
SSDEEP

98304:+R0pI/IQlUoMPdmpSpD4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmk5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	adobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2776	854ab0eaafd74df028d3865369114e70_JC.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMM\\adobloc.exe"	854ab0eaafd74df028d3865369114e70_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ59\\dobaloc.exe"	854ab0eaafd74df028d3865369114e70_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe
2776	854ab0eaafd74df028d3865369114e70_JC.exe
2644	adobloc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2644	2776	854ab0eaafd74df028d3865369114e70_JC.exe	27
PID 2776 wrote to memory of 2644	2776	854ab0eaafd74df028d3865369114e70_JC.exe	27
PID 2776 wrote to memory of 2644	2776	854ab0eaafd74df028d3865369114e70_JC.exe	27
PID 2776 wrote to memory of 2644	2776	854ab0eaafd74df028d3865369114e70_JC.exe	27

C:\Users\Admin\AppData\Local\Temp\854ab0eaafd74df028d3865369114e70_JC.exe
"C:\Users\Admin\AppData\Local\Temp\854ab0eaafd74df028d3865369114e70_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2776
- C:\IntelprocMM\adobloc.exe
  C:\IntelprocMM\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocMM\adobloc.exe

Filesize
4.1MB

MD5
b030462f704947f6483f720f6d40b9b9

SHA1
021e59e98814c85d805f0bc79f155202b4fed849

SHA256
d50151e5ff2e30157e63624e63947e19ec7efe560a4aec0dd6413845ceb6410f

SHA512
1943b2e19abbcd34cc0114682ea5aa9c934bd1a822db6cdc732b98ee83b1e0126d03eebd81300e4a55ff0e1badaef1ee3fbfa6b348828d5a0ec9077b1c388a2e

Download Submit
C:\IntelprocMM\adobloc.exe

Filesize
4.1MB

MD5
b030462f704947f6483f720f6d40b9b9

SHA1
021e59e98814c85d805f0bc79f155202b4fed849

SHA256
d50151e5ff2e30157e63624e63947e19ec7efe560a4aec0dd6413845ceb6410f

SHA512
1943b2e19abbcd34cc0114682ea5aa9c934bd1a822db6cdc732b98ee83b1e0126d03eebd81300e4a55ff0e1badaef1ee3fbfa6b348828d5a0ec9077b1c388a2e

Download Submit
C:\IntelprocMM\adobloc.exe

Filesize
4.1MB

MD5
b030462f704947f6483f720f6d40b9b9

SHA1
021e59e98814c85d805f0bc79f155202b4fed849

SHA256
d50151e5ff2e30157e63624e63947e19ec7efe560a4aec0dd6413845ceb6410f

SHA512
1943b2e19abbcd34cc0114682ea5aa9c934bd1a822db6cdc732b98ee83b1e0126d03eebd81300e4a55ff0e1badaef1ee3fbfa6b348828d5a0ec9077b1c388a2e

Download Submit
C:\LabZ59\dobaloc.exe

Filesize
4.1MB

MD5
5990d2cd88fcf5da5bb40ebd2ae765c4

SHA1
2a5be89336352acc9f1942aef4fcd3489b444196

SHA256
258e9bd50d069bb0e669f264364be22f519924e74c2fbedabebde072ef791e50

SHA512
b1ca70f22f77a63b5cdda943825eab4ed19e9812dd47be726e868fb7dbb2e7d87cf6cebcd4f29a299775f81c5bf123c251b2b451836189325f6279cac67679f2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
8c30f90eeeda15a87bd193cc50ba3a82

SHA1
6fb2b8c465c51b501d01f9e8ac5b86be7c90a99f

SHA256
a50f0dd8e137a398f1285d4eccd63c1212bc9b717ae011bcd63afb1e5f471991

SHA512
de80be3d30b19b7c7a9ea06d65bea7a6e25c195b1003958907a3ca5f1ac2926c2357032a8792ab4bd48e7354a64dbeb09107201ea1f79bff0bae1b0389b3b2f5

Download Submit
\IntelprocMM\adobloc.exe

Filesize
4.1MB

MD5
b030462f704947f6483f720f6d40b9b9

SHA1
021e59e98814c85d805f0bc79f155202b4fed849

SHA256
d50151e5ff2e30157e63624e63947e19ec7efe560a4aec0dd6413845ceb6410f

SHA512
1943b2e19abbcd34cc0114682ea5aa9c934bd1a822db6cdc732b98ee83b1e0126d03eebd81300e4a55ff0e1badaef1ee3fbfa6b348828d5a0ec9077b1c388a2e

Download Submit