9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 21:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
Size

2.7MB
MD5

4587877d5082f8d4b206a2746d26cf85
SHA1

a5c69efc71ffe3b5c2552f0e6c004568f97800ea
SHA256

9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9
SHA512

4ec8eb48ba19cf49a72e4fc95a11cf94d998f5c3bf0a1181efd17b07704445bf947206b50b3e66c02dfb88c953178b18271131ec7d182bdd5951d4a3c06514b0
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBF9w4Sx:+R0pI/IQlUoMPdmpSpB4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1932	adobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNR\\adobec.exe"	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6K\\bodaloc.exe"	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
1932	adobec.exe
2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1932	2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe	28
PID 2088 wrote to memory of 1932	2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe	28
PID 2088 wrote to memory of 1932	2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe	28
PID 2088 wrote to memory of 1932	2088	9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe	28

C:\Users\Admin\AppData\Local\Temp\9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe
"C:\Users\Admin\AppData\Local\Temp\9427ed8003c01471a1ef11c4be415ee38be210968b55596caedb19a1cb6794e9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2088
- C:\AdobeNR\adobec.exe
  C:\AdobeNR\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB6K\bodaloc.exe

Filesize
2.7MB

MD5
38c8d5a5c76424e079a9928cbeda45c7

SHA1
a97feae83bab182909744ebe70c6d1fadda69760

SHA256
41440f07384018b31bee5274f2f5318697847d27a4af92c8a1ccffae772e7db5

SHA512
e63439f5d05705e8a9a2305017e03995271f74f47e4cec1e43075219bb0a55701f884445548e0efe66bc00e59fb6e9f9a9bd5007c66f52770798ffbbebfe891c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
fdfc107e5f0366f3e4766569532f9ea3

SHA1
46c29e3a0e3b9345d677fb5cf467633153334cfb

SHA256
e91ab0e1b527e8fe43e1b63d5bc942ad357deff083fb358d21c3b88c0c377a89

SHA512
4f8d4fac5e9dfb6959a5f1bacfb737c338a937edd20f1831db07223c373c9f8e875a9455d00cdb6d439726fcaf45637edbf404a604be52add692f59e5f12e5a6

Download Submit
C:\Users\Admin��

Filesize
2.7MB

MD5
896f726f8751e3b1597e6a1eb2ebc00c

SHA1
bbdab04bb53d0c8447f287ae54916e455ffae6d9

SHA256
c285d7f28ff1a4af48568655a5cc427019e81638454e9f06991d9ed772f48e5a

SHA512
cf0c381bc90c66cca19e964c8bcabaa1be4d96930977c54e41f0d4e9ca46f48a3f680038d15121630125f425c07cd0220d0abf37baaca3478895b7d57a10840c

Download Submit
\AdobeNR\adobec.exe

Filesize
2.7MB

MD5
ea614f3f1351d617d7c9090c0946a2f4

SHA1
a49944a29e7bc5a06864a503ed451f364450a132

SHA256
7746586597f5018932e20412406bd6f8859badb50749154c69b08d69e9987598

SHA512
7d50af9d95ee30e0cb8625c8df0ff12501b982d919100c848d6ca90016259e58cf71199df176d8b967023f4463fcaaf60b1fa6cae548a6abe4a85f7d1d1456b0

Download Submit