ab4a72a17f51c517a72586cb5b6b42f4ccc520228992e292c3acc13374f6b004

Analysis

max time kernel
149s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19214e8008da660d4ea2906e0a543985.exe
Size

4.1MB
MD5

19214e8008da660d4ea2906e0a543985
SHA1

bc358b8a093c67cd4d5b11bf27bdc61213bcf293
SHA256

ab4a72a17f51c517a72586cb5b6b42f4ccc520228992e292c3acc13374f6b004
SHA512

10ca5d1b8440e80c7ad1e1d39699dd39d08b1a7a5eeb2717e401e87bfed8660b874d6d1e38eeb3ec2a8bf5da0c1efad577395947a933b02ecc485b4b56861980
SSDEEP

98304:+R0pI/IQlUoMPdmpSpN4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmK5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
920	adobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYK\\adobsys.exe"	19214e8008da660d4ea2906e0a543985.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintD5\\optidevec.exe"	19214e8008da660d4ea2906e0a543985.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe
920	adobsys.exe
920	adobsys.exe
3488	19214e8008da660d4ea2906e0a543985.exe
3488	19214e8008da660d4ea2906e0a543985.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 920	3488	19214e8008da660d4ea2906e0a543985.exe	88
PID 3488 wrote to memory of 920	3488	19214e8008da660d4ea2906e0a543985.exe	88
PID 3488 wrote to memory of 920	3488	19214e8008da660d4ea2906e0a543985.exe	88

C:\Users\Admin\AppData\Local\Temp\19214e8008da660d4ea2906e0a543985.exe
"C:\Users\Admin\AppData\Local\Temp\19214e8008da660d4ea2906e0a543985.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3488
- C:\IntelprocYK\adobsys.exe
  C:\IntelprocYK\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocYK\adobsys.exe

Filesize
4.1MB

MD5
4da1f2d0c8970d210030904dd173c3d3

SHA1
28b3ca893be4fbefd0fca27a25d172e0776987a6

SHA256
3a275d2a31e5fa746713cc285beb1e29e636862596b2859ce31c5271189335db

SHA512
8a8878c9d88a5722789c41cf5e26ed701182cb4d6be53754e60a997abd935dbd5f0f0c3f395f9ed4ad7794bf667b9730ce755f1f7259cbeaa02c5974006f5c54

Download Submit
C:\MintD5\optidevec.exe

Filesize
4.1MB

MD5
e218ace9a7a935ff1a5096558959b791

SHA1
d90ca838a6623f1c7d96646fcfeda366728e1c44

SHA256
5d996d01d6cec092dbe532ce0b592037dbb5c06d4e64fc920e6157ef46031c16

SHA512
9c9045c3a7d03dc560ac69f49ac2fb1da8415307084f78361a8a8353c4e92411e6e11b850466862e175959e97aac36bf2c75e9f67ef2370d02d05587aff18614

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
e623f7bb233e436717c92f0ca3da1e3b

SHA1
42b1541511942b3d61ac850e8d8510ea7f1145a8

SHA256
a0e64a43e6a329e1189ded986aa5ce6a50353e2a4963a41bd6f67998d2f13a5f

SHA512
7a03b396cdc45602080ade13330bac5c58aa2becc3118d452d98615e6c84def306ec58729e28f089d48631e42da0884ff877a96d5c7f9db3b7c4e1f4d86f9817

Download Submit