31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8

Analysis

max time kernel
149s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
Size

2.7MB
MD5

c9c1192739e4fa9ce9e4c072af376f37
SHA1

5c240e119a4898442076772b293aaa06910deb65
SHA256

31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8
SHA512

576a828c2ac48f4ebc4f9aacf85d912599f32aaa3136cb331945d1fba288b5b265e579a904335393bfb778dca7aaaf7d2114aeff1bd802c2eba5f88a11ba4218
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBi9w4Sx:+R0pI/IQlUoMPdmpSpk4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5044	adobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeC3\\adobloc.exe"	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxG8\\optiasys.exe"	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5044	adobloc.exe
5044	adobloc.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 5044	5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe	88
PID 5012 wrote to memory of 5044	5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe	88
PID 5012 wrote to memory of 5044	5012	31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe	88

C:\Users\Admin\AppData\Local\Temp\31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe
"C:\Users\Admin\AppData\Local\Temp\31ae4b211e6049e64ccc043ac7b6d576823412c37aeacf433e93b73e972bafe8.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5012
- C:\AdobeC3\adobloc.exe
  C:\AdobeC3\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeC3\adobloc.exe

Filesize
2.7MB

MD5
dd72042cca1336af3dc1f8306bbf7c26

SHA1
1ba80e9e1dbcf757e76e188a31fd219c086247ee

SHA256
4ebeca47bcc8c033709fcb15a45e65754108ff71824beb352ae69f644793d79a

SHA512
2b73c81f7de32b4c1867a34c0d06a5be12cc922699260af0064380cbc462ab2ae199a9ef864def7843452bdc3c83cf82578bacba7a70aa2b0ba81cc5fc1e2b51

Download Submit
C:\GalaxG8\optiasys.exe

Filesize
283KB

MD5
789de2d4dcc726daded97150a497e4f7

SHA1
9246fe8173ca61784e09fe09e99d7e8e0ab2acb5

SHA256
611c2ac48024216f59dada360e3f09a6bbf6b20294bccace71d73051c36afdac

SHA512
4d9a4f8a0c377d0ec9762022b8a38bb98a46b61669b655b67bb5b476f4f8d07f8d337de52a8bf051765e673789aa314c9f4574ee3aa8f4ac415116c38b827f53

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
79ddf0b784de858b5d8238b9faf23db4

SHA1
38171cef27bc03e4ed1a446666837190241b0446

SHA256
db293da862570423af8e4d4e74139c362733c7d0145be8d3c8e8f03d3d904cc4

SHA512
700abff6f21b8de84cfda818e0b500e027a13944844661e11480bb9b1fe099da8fcef7ce2c8ddbeef7f94fa19fc7975284a1538267c97de57c2f5d105eb917b6

Download Submit