827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
Size

2.7MB
MD5

8b1c3511b87070a70f82e7ee0c6b3163
SHA1

f8c7206a4fe543c872c933806d7a0979f757a9d2
SHA256

827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef
SHA512

9cbf6ccd20e8fa2ca05611c434ca40a474f023c8b6d81f810d62333614031d498479987ca5d00ba300df84016cdccf8bec665c9aaea8fecc1d55aa269990ce7b
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBk9w4Sx:+R0pI/IQlUoMPdmpSpu4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1980	adobec.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeY8\\adobec.exe"	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxV4\\optiaec.exe"	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
1980	adobec.exe
1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1980	1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe	28
PID 1736 wrote to memory of 1980	1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe	28
PID 1736 wrote to memory of 1980	1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe	28
PID 1736 wrote to memory of 1980	1736	827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe	28

C:\Users\Admin\AppData\Local\Temp\827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe
"C:\Users\Admin\AppData\Local\Temp\827ae34ac60def097323ccf49a89d396079b39696aa36b5ada59023c0e5f25ef.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736
- C:\AdobeY8\adobec.exe
  C:\AdobeY8\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxV4\optiaec.exe

Filesize
2.7MB

MD5
cbfd8da6d4eb7b0cb3b5f85ff0c413fe

SHA1
0e4076fbd098d6ce5ec89e09c9f16a5af37c8064

SHA256
522c0be0a0654021c8872366e22a4d82442e4215e56f63dab14fe19255e24bbe

SHA512
150625c92bb733a0be37b124e5bbf2d662ab7c830f3b147f63e6bd8e174132318e2a03197fdbbf760bb0f3867a4d5c58afbda329c5147f8907fab14dde1a0ce9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
ef3e27bd6f6834d4f62575a1cb90e7d7

SHA1
2de95093644b03005e8fdf1e3b06b07184f36af5

SHA256
7e9b80b02837763ca2a5e6181a0f722969e3c02a1bb67c6758b45012f974d5f1

SHA512
12dd8e86a49cfbfc31098345664adb84d0a1e5009d47a9c48fa247cddfed0efff257a345274cc1ed1969b980923574c841855993ecceb9c11fae44c59e1a18b3

Download Submit
\AdobeY8\adobec.exe

Filesize
2.7MB

MD5
7842713bb272e55268e1febd6d57045e

SHA1
5656cb7b78eff69b9d83deb504cce5087b93acc8

SHA256
1b69f306bd17e527925569007c3a172a7d51ffca768f57ee32bd47b26bc6e683

SHA512
e44ac8bbf71fb56384ca14e82c0d4ef5dd69a36565143ae9742d5fa80355a601ad5fdabf7ca878fe5a9907704d6270dd81da28b661bd82975657aaa1979ba064

Download Submit