16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 19:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
Size

2.7MB
MD5

4659b8ad52f99570acd4048d5bbb7a54
SHA1

4dbc684a83e7b2dbb20d0f8d40344524344223e9
SHA256

16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998
SHA512

f827d650ce88a845b81f80dd36c251209c128e6291e3a10e610a648be6d12e2b12fbf23946b561490aa923b623c20f1317638d2394725ebbe21d09f6f909ea93
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBk9w4Sx:+R0pI/IQlUoMPdmpSpK4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	adobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax2U\\boddevloc.exe"	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files2Z\\adobloc.exe"	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2740	adobloc.exe
2740	adobloc.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2740	2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe	86
PID 2652 wrote to memory of 2740	2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe	86
PID 2652 wrote to memory of 2740	2652	16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe	86

C:\Users\Admin\AppData\Local\Temp\16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe
"C:\Users\Admin\AppData\Local\Temp\16880bdf21b5b257cdbe179aaaa37dc762cf31c437792de7170ff50efaf78998.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Files2Z\adobloc.exe
  C:\Files2Z\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files2Z\adobloc.exe

Filesize
2.7MB

MD5
73181dec95b7e4db7e3f1dc3777a1da4

SHA1
793e317e14e609646eb855c9872595cd14d17d8d

SHA256
711eb4e3f1a2ec9a38ea96ebe1ba9fe620f7bd950d423cd3f392a138a8748ccf

SHA512
205ce92dabea0871cc34b96b5f87cc9c8ce05bf8ca9f922bb2c0e4930c75b8c21e0eac31880b94ccbdb69c1c44182a5a32f36e68df437bbf655f174b9a1a6a17

Download Submit
C:\Galax2U\boddevloc.exe

Filesize
2.7MB

MD5
68236ebbb5fc546f52f602d6c519612a

SHA1
27260db2f30aa61eaa2440c3bd38a39cdc3f0965

SHA256
14a88fbaabc34bbcb487856d99d46d9c56e5f678af0f848ffde6fa8d109ca169

SHA512
bc09dd5f2064cf405973188b05b0a00f7fabb0a55d48506119eaf36157a3cca902fa310073e33bb384209bc58b7f614fc35f7c8e76fad60d07e55b098c9097f0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
b0f7a44452eae140c807740599ab9733

SHA1
573c0f2f203f2f9f29588a3e7a6efcec12470855

SHA256
1fa51c6882175a62c93fd18307ed33c6e30d28e1701a1671d3bfc3a526b14f9d

SHA512
f7195d61ca952436148c5fa0f1ce2caa4fe6a18803b7432f2783dedb61ecd15b611facb7a9ae9de2d03a8a27d39d103e4ef1b008b37ff83471db6d4aa3eabb22

Download Submit