Analysis
- max time kernel: 149s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 03:43
Static task: static1
Behavioral task: behavioral1
- Sample: ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe
- Resource: win10v2004-20240508-en
General
- Target: ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe
- Size: 2.7MB
- MD5: 273e642d4691f49f50fa86fb22dd37dc
- SHA1: cc1a05ad460a2468866c039c823c1a0ad05287b2
- SHA256: ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e
- SHA512: 08f954cb4adcfa38c31e705a86cf69c9819bdedb0c81e855b51d435da2febc5f0d6e47d02855c49c2c96932b79875b5d0ad2bc226bac0411979a4274d4750d62
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBp9w4Sx:+R0pI/IQlUoMPdmpSpp4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1952 | adobsys.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGD\\adobsys.exe" | ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidYY\\bodxec.exe" | ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process; the 64 entries repeat these two processes):
    2724 | ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe
    1952 | adobsys.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process; the 3 entries are identical):
    PID 2724 wrote to memory of 1952 | 2724 | ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe | adobsys.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe (PID 2724)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\AdobeGD\adobsys.exe (PID 1952, child of 2724)
    Command line: C:\AdobeGD\adobsys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\AdobeGD\adobsys.exe
  Filesize: 2.7MB
  MD5: da660db5713bdc29afb1554fc7267fc9
  SHA1: acd4df641ab2f74a1bc00f772d6a559a77c4ef58
  SHA256: 3cd12b65f87a650866f7188bdb0bb54ac7052a1d06150a22528dab93febc8a51
  SHA512: 96a2898cebcd1c8c28bb1c7b38757347a38f8330c35dd6f0b4b80b9ec0d56f198f7605948ed064be4fd034b2581e49afac2abed6180738feca3b6de99279ad00
- C:\Users\Admin\253086396416_10.0_Admin.ini
  Filesize: 199B
  MD5: 620fe0900427e4b3c99c20ee40872f10
  SHA1: dc0b37972e4e16eba2f2c79e8f2cbe6407a7dfc9
  SHA256: 06f4b63555b1a7f9cb8db6ff15c457dddbb87e56598ce77ac443bf93b53b7fde
  SHA512: 2764a61c0d1db1ced833b29158be6bf607e29762d5f3cad9087e397c68fd96c4cf1eff4366427c0032bee5965927a19c12cdadb79e4f4d51fccaa9dfb56db65a
- C:\VidYY\bodxec.exe
  Filesize: 2.7MB
  MD5: 0eedd9105e5275ddb3a954ae32824e46
  SHA1: 400a18d32897ae11128b3143ef9c6a4080c7eef3
  SHA256: d2dc5ad9328d5577a182c7cc6e3d8375a90626806628a4363da21894cddeeebe
  SHA512: 7e511c75f62e36b75057df3d1ece997f214f577fc965a08e3e1b222542ba384326e40fa6c7034c62df5b576d3aefc03d9e23b5ac1d7b1600e339e306a8846384