0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
Size

2.7MB
MD5

a1912da394e2bde3e98c5958f487fb07
SHA1

600a4ee72b06566fb5cc45e2a33fccd4e49c518f
SHA256

0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c
SHA512

0469248a34a4273b697ca0ffa1863587b0ef17b6ca9fc8a985297c87bd956b23c6e7e6ae2e9b529822c2dc39c2b36e012c374417040c334fc8f278d574721960
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBk9w4Sx:+R0pI/IQlUoMPdmpSpu4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2896	adobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7U\\dobdevloc.exe"	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3L\\adobloc.exe"	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
2896	adobloc.exe
2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2896	2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe	28
PID 2908 wrote to memory of 2896	2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe	28
PID 2908 wrote to memory of 2896	2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe	28
PID 2908 wrote to memory of 2896	2908	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe	28

C:\Users\Admin\AppData\Local\Temp\0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
"C:\Users\Admin\AppData\Local\Temp\0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Files3L\adobloc.exe
  C:\Files3L\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB7U\dobdevloc.exe

Filesize
2.7MB

MD5
92e4f9f5b31831491abf2ef9667d1181

SHA1
a745398a079c74241ea178d1279493d68502d96d

SHA256
2bf60f5320b15cc73fcf94868b0a82b6f211269531ad4699ccdddbb9df376cf5

SHA512
8c7ade20c6625256f6ff40ae4e7be713bbd162cfb294a0a59f55868f64d69c789e6889893935a76ca619ac95e5d35b59c020787f7defb420e7440d7198a3b4b5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
15df044f53c381fbafc078d0a460641b

SHA1
1582c0e8df15da0f1e99c7f03352e066693534ac

SHA256
48bfec54c26c62ef3344b5665ec30e172f5f728a3c5d0a09107afc14a211d340

SHA512
58a996220b3fc86a0feccc4a95acc4ecb50eab824508fc3487f478eae98998b62578888fbeedfdc4ee7359522ed775f6a62ba5970a65036e0d70efb322ffe699

Download Submit
\Files3L\adobloc.exe

Filesize
2.7MB

MD5
3a4dfc560639c8433d35b6edeb868bec

SHA1
ec0a626dbc5eaa7792dd58126d8e2501b37fb2ef

SHA256
43400065fe6333ec899f13ffa30f42914e6feb9aba5fb2b2ac2c3fdc43cb32a7

SHA512
eeb7c831c2f2dd13ecffdb74f96e4ac5e63090364295fd6c4d8819ca1088f4f581712ae362b1c93d9a86ad6de10f154ffd63b9254c9a7bc0f1a0a773e2d9c041

Download Submit