fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
Size

2.7MB
MD5

8e5027e9f752201299b79b654e2c29ab
SHA1

99802ac78e3c388e599c8350ccdc83d54850601b
SHA256

fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a
SHA512

c01f52586b21d9c3c136f320e3b5310cfb878f1547a4f1c4155085c6be3b17013f19d309a349d6e949799b4bfe6dccb1522fadb0f78602c2182d4a9aafbb9fee
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Sx:+R0pI/IQlUoMPdmpSpY4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1592	adobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotO4\\adobsys.exe"	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidWF\\optialoc.exe"	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
1592	adobsys.exe
1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1592	1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe	28
PID 1560 wrote to memory of 1592	1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe	28
PID 1560 wrote to memory of 1592	1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe	28
PID 1560 wrote to memory of 1592	1560	fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe	28

C:\Users\Admin\AppData\Local\Temp\fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe
"C:\Users\Admin\AppData\Local\Temp\fdeb922481b5b954f2937cabbcd48b6ccc634ed720788bfb7b341bb7e2f41d1a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1560
- C:\UserDotO4\adobsys.exe
  C:\UserDotO4\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
8120c24f9cf54e4d59ab56bb506a1f38

SHA1
6ef64da5564ba4c6cfb87c01bee13c140223697d

SHA256
d84f4caf539a622a6d2b5431627add7c1b724dc7adc3d4c137ace8262a859650

SHA512
685950d8b6ddfe7de6eb040050103ccd76d786e63f8fb9272189b10e9b29157ebad6968ea1f3a4b054f34cb9d320fc24ba9f9f6d3d664ccee319ea6bf397755b

Download Submit
C:\VidWF\optialoc.exe

Filesize
2.7MB

MD5
55008860ab87350fcf007cd5d2102606

SHA1
363b244214cf31f8f294bd2dc44b36f2b1c6df1a

SHA256
777bc783a01213beae723ac34bd0541059d5ea48af007466886cbf0ec81f2009

SHA512
645d459fb2657c4c0e8c4420cd1b110631f976a111d72089891ee6b0013823703c54271c97fff15fcbe9ea36952367523b6ee603ecfcca70181219afdad0d7cd

Download Submit
\UserDotO4\adobsys.exe

Filesize
2.7MB

MD5
a5c75ec512b92a4f1e7b2120321e3f78

SHA1
67a7542a14c474aede99be19656c1b792faabe8b

SHA256
4c2168efab3af2122d06feb1e2d262e3984a8ad004e53052df7de579bf944015

SHA512
4aa13edb8e9896ed2cc98d6901be8afeed93c9d324bdfab9ff8b1a5328709e7ff9d6e0db30587ce1e434a5f9844c4fc369c6e6b01493a7ec35e43357105b0e31

Download Submit