d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
Size

2.7MB
MD5

a292590fc402605f23e452d0d19f9b43
SHA1

8037e896cb8acb229082f9fab3dafbcb1e8e2d31
SHA256

d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d
SHA512

c1701de2199ba29a98e95644a927a3359fe0c294025cdb34a698b2e715cab771bf031f01f4517b55707a57bb736d1baef1c494bec031074b0083135aacf9e9b5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpb4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4300	adobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNM\\adobec.exe"	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKW\\bodasys.exe"	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
4300	adobec.exe
4300	adobec.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4300	212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe	88
PID 212 wrote to memory of 4300	212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe	88
PID 212 wrote to memory of 4300	212	d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe	88

C:\Users\Admin\AppData\Local\Temp\d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe
"C:\Users\Admin\AppData\Local\Temp\d1dfd128a5c4ab7f44bb1dad400fa7266eb2e42d2a97d5961dee1858ee84103d.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:212
- C:\AdobeNM\adobec.exe
  C:\AdobeNM\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeNM\adobec.exe

Filesize
2.7MB

MD5
b1924679d3ced542657af23d4f0822bc

SHA1
ba41c445e6c269537551cd2b478340935a3472c6

SHA256
d7ba5194f8a0c9ea7ff7df43ca7245b2d0704511b6d0f2716d5cd370ae3efb7f

SHA512
51ce103c406b5d992216ba0fbc49ad9c7e2ae908d123680de1106441ba57779b78278c10eb1c274b178241c8c776cfe86bbc8f2cd4081e07316f84986f3d2029

Download Submit
C:\MintKW\bodasys.exe

Filesize
2.7MB

MD5
ea2f7b93cfeb38b33698101f27948424

SHA1
713d88791b9faf365fe552541c3778b6afa236ca

SHA256
1637a60553e046c5b784705e75f57d4bc8039945deaeb40c1637a86824b0e3f6

SHA512
b935fa2a555381c3436636aa6d302c6183d9ca947f918b480539c922b725d78965f77795510fe84268515e31b1c21d068a6636f9c0ac2be505762c476d661b6b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
7b31b5a466a8dd883e125ad6e1a22556

SHA1
5134c24bb7535494fb3074fe76de30763524e104

SHA256
9b02a57cc61bab5a5ab07f9237e6c59903fd3aa6fa7d86dbcaf369ca79351630

SHA512
b695e2698b74aab5a66ab6f865c10480c9e9d33384f4bf80783bd7d6d7d9d61896f409a2ecb5834aab093a0464a325327c94767da60b984f7626222a04677f2a

Download Submit