Analysis

max time kernel:  34s
max time network: 155s
platform:         windows7_x64
resource:         win7-20240221-en
resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted:        06/03/2024, 17:27
Behavioral task: behavioral1
Sample:   b7f6cbbe68d2d92b0721408708c37dd5.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample:   b7f6cbbe68d2d92b0721408708c37dd5.exe
Resource: win10v2004-20240226-en
General

Target: b7f6cbbe68d2d92b0721408708c37dd5.exe
Size:   126KB
MD5:    b7f6cbbe68d2d92b0721408708c37dd5
SHA1:   9ce99e33a1a4e161bb2b6fb99003f79d9778fc59
SHA256: 529365d7e6520ef2d812fc361a135d910d639a6468d0203fcddf6e0819661832
SHA512: a9aec2fe83a9ef871cc3b94ce53c9ec52e1df736847cb4a0f0ecdea36a2d28a637ceb124a812f081ffeac8607e9263312ae203cd2f5a36101f819a93f673f360
SSDEEP: 3072:dDKERFTYi2rQULKl6hp1fD4JQONLKcvM3/BLBvout2s:FKERFTYi2s6Kl+DbOdDvM35LxoS2
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid | Process
2656 | Protect.exe
2544 | Protect.exe

Loads dropped DLL (6 IoCs)
pid | Process
932 | b7f6cbbe68d2d92b0721408708c37dd5.exe
932 | b7f6cbbe68d2d92b0721408708c37dd5.exe
932 | b7f6cbbe68d2d92b0721408708c37dd5.exe
932 | b7f6cbbe68d2d92b0721408708c37dd5.exe
932 | b7f6cbbe68d2d92b0721408708c37dd5.exe
2656 | Protect.exe

YARA rule matches (10 IoCs)
resource | yara_rule
behavioral1/memory/932-0-0x0000000000400000-0x0000000000542000-memory.dmp | upx
behavioral1/files/0x000c000000013a32-20.dat | upx
behavioral1/memory/2656-37-0x0000000000400000-0x0000000000542000-memory.dmp | upx
behavioral1/memory/932-36-0x0000000000400000-0x0000000000542000-memory.dmp | upx
behavioral1/memory/2544-42-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/2656-44-0x0000000000400000-0x0000000000542000-memory.dmp | upx
behavioral1/memory/2544-46-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/2544-48-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/2544-51-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/2544-56-0x0000000000400000-0x000000000041E000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProtSys = "C:\\Users\\Admin\\AppData\\Roaming\\Adobee\\Protect.exe" | Protect.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ProtSys = "C:\\Users\\Admin\\AppData\\Roaming\\Adobee\\Protect.exe" | Protect.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\run32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobee\\Protect.exe" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProtSys = "C:\\Users\\Admin\\AppData\\Roaming\\720347626.exe" | Protect.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2656 set thread context of 2544 | 2656 | Protect.exe | 32

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
2544 | Protect.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2544 | Protect.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
932 | b7f6cbbe68d2d92b0721408708c37dd5.exe
2656 | Protect.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 932 wrote to memory of 1124 | 932 | b7f6cbbe68d2d92b0721408708c37dd5.exe | 28
PID 932 wrote to memory of 1124 | 932 | b7f6cbbe68d2d92b0721408708c37dd5.exe | 28
PID 932 wrote to memory of 1124 | 932 | b7f6cbbe68d2d92b0721408708c37dd5.exe | 28
PID 932 wrote to memory of 1124 | 932 | b7f6cbbe68d2d92b0721408708c37dd5.exe | 28
PID 1124 wrote to memory of 2608 | 1124 | cmd.exe | 30
PID 1124 wrote to memory of 2608 | 1124 | cmd.exe | 30
PID 1124 wrote to memory of 2608 | 1124 | cmd.exe | 30
PID 1124 wrote to memory of 2608 | 1124 | cmd.exe | 30
PID 932 wrote to memory of 2656 | 932 | b7f6cbbe68d2d92b0721408708c37dd5.exe | 31
PID 932 wrote to memory of 2656 | 932 | b7f6cbbe68d2d92b0721408708c37dd5.exe | 31
PID 932 wrote to memory of 2656 | 932 | b7f6cbbe68d2d92b0721408708c37dd5.exe | 31
PID 932 wrote to memory of 2656 | 932 | b7f6cbbe68d2d92b0721408708c37dd5.exe | 31
PID 2656 wrote to memory of 2544 | 2656 | Protect.exe | 32
PID 2656 wrote to memory of 2544 | 2656 | Protect.exe | 32
PID 2656 wrote to memory of 2544 | 2656 | Protect.exe | 32
PID 2656 wrote to memory of 2544 | 2656 | Protect.exe | 32
PID 2656 wrote to memory of 2544 | 2656 | Protect.exe | 32
PID 2656 wrote to memory of 2544 | 2656 | Protect.exe | 32
PID 2656 wrote to memory of 2544 | 2656 | Protect.exe | 32
PID 2656 wrote to memory of 2544 | 2656 | Protect.exe | 32
PID 2656 wrote to memory of 2544 | 2656 | Protect.exe | 32
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\b7f6cbbe68d2d92b0721408708c37dd5.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b7f6cbbe68d2d92b0721408708c37dd5.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 932

    [depth 2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAKhg.bat" "
        - Suspicious use of WriteProcessMemory
        PID: 1124

        [depth 3] C:\Windows\SysWOW64\reg.exe
            command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "run32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe" /f
            - Adds Run key to start application
            PID: 2608

    [depth 2] C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe
        command line: "C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2656

        [depth 3] C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe
            command line: C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2544
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 143B
MD5:    a18a2abad17b668162699428d77107b8
SHA1:   153bafd32584d527e7be1233203adc6bff2658a0
SHA256: d0c4c5b6a90a9c986028d946c11321b250773da41e64a63f16fa94652e3f3b5f
SHA512: f8f26a185b0735c0f0859a8eb03d35a0313062efb080d83569b7620a445be2318c0e594a539719bf88a3ec3417f0d1954137620c2fd83bf9214b89fca8126556

Filesize: 126KB
MD5:    b7f6cbbe68d2d92b0721408708c37dd5
SHA1:   9ce99e33a1a4e161bb2b6fb99003f79d9778fc59
SHA256: 529365d7e6520ef2d812fc361a135d910d639a6468d0203fcddf6e0819661832
SHA512: a9aec2fe83a9ef871cc3b94ce53c9ec52e1df736847cb4a0f0ecdea36a2d28a637ceb124a812f081ffeac8607e9263312ae203cd2f5a36101f819a93f673f360