ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
Size

4.1MB
MD5

e3510c7e962f4acecce188adf9ca29f4
SHA1

b2176d51f565dc8e007da12f585904dcfe3a303e
SHA256

ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab
SHA512

509d79ebdf3c07dfaeac42ee583176987ddc8b8c6b34230343d8c5f18b5c7890842ee30253c70ae8b5a566b5b3b2328ba37c413670a3b80f091d92a0fddec921
SSDEEP

98304:+R0pI/IQlUoMPdmpSpF4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmm5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2608	adobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc32\\adobloc.exe"	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8X\\boddevloc.exe"	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
2608	adobloc.exe
2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2608	2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe	28
PID 2444 wrote to memory of 2608	2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe	28
PID 2444 wrote to memory of 2608	2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe	28
PID 2444 wrote to memory of 2608	2444	ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe	28

C:\Users\Admin\AppData\Local\Temp\ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe
"C:\Users\Admin\AppData\Local\Temp\ba8aa6a06a94e6e99ec91e1b36ebcb88e153babcb917749c5549525196f06bab.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Intelproc32\adobloc.exe
  C:\Intelproc32\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
93772021cddd87dff835dd58b55b0a46

SHA1
4505cde76885f9688d6c4324a2188900ccd274d7

SHA256
6bbe127f14f3415f448051bfed99193b4bf473d7d0d544167858cf5d384a16db

SHA512
035cfcb2e47965fa437d099c8c13948a5accb116675b6becf1e5a96347ca477e0135eecf424c6edce7b876c22327dc6d45689e744ef75f4ea2677dfb507cb4e1

Download Submit
C:\Vid8X\boddevloc.exe

Filesize
4.1MB

MD5
71b25318fb38f4055dfb7bc99daef96b

SHA1
a9024f40d99d7ec4c67201caca6fd6bb55519f87

SHA256
6545d6f8f5d62c580a6938365b63c6042019927aa59711fb783bd7eb05fec6f3

SHA512
4deb8953dff4b7dd1d9ce7cf5afb248ad4b4c74aca675a2a19c50bbb52beba69e5264db381e44890bd7683ea1621ea3543cadbbef5e9ec841bd9b22880b70dcf

Download Submit
\Intelproc32\adobloc.exe

Filesize
4.1MB

MD5
9333b22dc9b380db4f8931e2e95616ff

SHA1
35288231e9330fc5b5422f817db803cd48726e29

SHA256
8c375770f422b90f43ae059b4d805db868a7c2f982ebce74294c1e6ab7924fd4

SHA512
1846d695eccc5ab3409e099c246d49860945a36068a75f759b64cf5f027322ab1c3c0be12d07c48bd65ad78f9e210c726f35da41fa77b9c7a7b234d64c14ba16

Download Submit