85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
Size

4.1MB
MD5

fb7578361cb2052da97c195feb5a5232
SHA1

39896d87576febc3924ffdd2be544644d4052b11
SHA256

85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852
SHA512

b93dbfcda4f4c4ed49e2e81f219bee564a277e3c0fc464f17a4ff85991baea05e5dadcc0c76f7ce47acd4658994b16e5eb4f6b5f0b927fecaa394f32d3ffefde
SSDEEP

98304:+R0pI/IQlUoMPdmpSpO4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmF5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2188	adobec.exe

Loads dropped DLL 1 IoCs

pid	Process
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeS3\\adobec.exe"	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint89\\optidevsys.exe"	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
2188	adobec.exe
1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2188	1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe	28
PID 1244 wrote to memory of 2188	1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe	28
PID 1244 wrote to memory of 2188	1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe	28
PID 1244 wrote to memory of 2188	1244	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe	28

C:\Users\Admin\AppData\Local\Temp\85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
"C:\Users\Admin\AppData\Local\Temp\85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244
- C:\AdobeS3\adobec.exe
  C:\AdobeS3\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint89\optidevsys.exe

Filesize
4.1MB

MD5
5ca8b1a2b0093b1102dff23bd8ea553f

SHA1
900434d9e34c8f75744102b347d2bd108a55e5c4

SHA256
aa865d243eebd1959674d4e524861db2ce22f800e54922cd96d560966bb16dea

SHA512
45853bfe88b543312352b756c9bce309f759a763ec22217933b51310e72a44eac741dfb8f07f9bd2c1bd38966aa949959f9b5fc9512218c274280d8959ba2f1b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
06d7d8b104616a0be2a8dfb228c72d18

SHA1
cc1f958c607b4a8d59b6750e0eb6aa6153779ae6

SHA256
134e4a87a9d291df51df28b2bb3fe83db25dcd889af96a955eae37f8f6194c6a

SHA512
b255b8451eca4cc0ecc1d0e811a8677e4d49d8b8c2cd2198ad93b6e287cbf047f2c2006cbd65e7464ea2a5b4a0c24ade244610ff8791a0739c58b8912e6eef1e

Download Submit
\AdobeS3\adobec.exe

Filesize
4.1MB

MD5
04d3a07c594376be93c2de9426785cc2

SHA1
f79aeecfba8868fe353e5e2f8defaec1b2487e24

SHA256
66695cd3f701fdcd483107da4cd74ac2012e60dece11704217760a61ef1df518

SHA512
dcb99d7d4d5f20c0831eff3c915cf07586effc70d1ba440b140d111306629c969bc03a3caf97c4330c6148fe62d89b5a9efc686f13f161ff7af1418acb9c62a6

Download Submit