3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 21:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
Size

4.1MB
MD5

eb443297a4ab5ee4254979d753d2537e
SHA1

aa0b8de91b370ead1d7900320b129fe8c7bdfd2e
SHA256

3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc
SHA512

505939806080bc14a5482cfd25d204e22d5c955c6a7a9bf95e2afa18e8771570d953f81f4681677e4d144378c1c646180b3dd8bcdae11c2b8e05e97334052ad4
SSDEEP

98304:+R0pI/IQlUoMPdmpSpf4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmc5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1200	adobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8V\\adobloc.exe"	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6Q\\optiasys.exe"	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
1200	adobloc.exe
2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1200	2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe	28
PID 2156 wrote to memory of 1200	2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe	28
PID 2156 wrote to memory of 1200	2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe	28
PID 2156 wrote to memory of 1200	2156	3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe	28

C:\Users\Admin\AppData\Local\Temp\3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe
"C:\Users\Admin\AppData\Local\Temp\3f26f7c25579dacc2caed27c953d6b060c36ba89ac425d3bee286d7091d9cebc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Intelproc8V\adobloc.exe
  C:\Intelproc8V\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
b1c57c1956a8396c93ea0c5b471ba496

SHA1
7c3e087bf9c37c5d95bf48464da49f12a3cc3be4

SHA256
6ce6a42415a520166c46c7f73aada9110284a88c00d1e32ee90a915d30c8a4e6

SHA512
851027ccea4462f62e3553b823ed22ec479235339805eb409c5fa40371ac9302a47f884ac7d1737403dbbbfd61db24b4b6d0e6ccbba1cc0f6c63ca9f1374e964

Download Submit
C:\Vid6Q\optiasys.exe

Filesize
4.1MB

MD5
e793eca831f3ac02722408b7a0d380c1

SHA1
083edb744fc451d8270ae2ff4c640f28454c5bf8

SHA256
a28b78a778f23b073279224122d4dbf7296ff332046ad0801f1d75f2d9cd5db6

SHA512
255114728f37d367c32f779d503bf14497e182be49a40bdd22701f89bcb64182c6d5a279f5a4340f93d80af189a8a038063df406f9dc9fe386703f1b5b3dbbfd

Download Submit
\Intelproc8V\adobloc.exe

Filesize
4.1MB

MD5
b9cf3ed039cc68c94c05f90903e25c53

SHA1
2fde58387ae2edf93093ebee882664944632f81d

SHA256
ed34e0290677cec9907ac751c757183d3c176a0362bf7ca2770da047111c39e6

SHA512
82324161ed68fac060e4c8db78cf46534be3e22c6bd8263c6c0775e06b6823eb93f8a8c57812d6411c6d4bce3451678d4fe1cddc4e1ef7456afbd9b5720f61fb

Download Submit