63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
Size

2.7MB
MD5

6380b5b3247b760f7a65af875c44b78e
SHA1

2f1ad6b1ea68945218b5c42d39f6776e2ea9aea6
SHA256

63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6
SHA512

d1fed846c08e20d51b6e71be09da5f7868574ce2078c612da08460589cd0006bfda71ce0202801edf145679d2570bd248dfba6b1e963cb338195ff9b9c5dbd74
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB19w4Sx:+R0pI/IQlUoMPdmpSpR4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2340	adobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxI7\\dobdevec.exe"	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8N\\adobec.exe"	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
2340	adobec.exe
2340	adobec.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2340	548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe	85
PID 548 wrote to memory of 2340	548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe	85
PID 548 wrote to memory of 2340	548	63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe	85

C:\Users\Admin\AppData\Local\Temp\63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe
"C:\Users\Admin\AppData\Local\Temp\63a1321a1d81b0d3a7589752c4457222980146453251340e2267a25ccf6b68e6.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:548
- C:\Files8N\adobec.exe
  C:\Files8N\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files8N\adobec.exe

Filesize
2.7MB

MD5
b6c9632b7851454c0987399b0412282d

SHA1
bfdb2936b80b8e3f1a52ef9297e3811ca30a97c7

SHA256
ad951fe54e4b9005264dc4a41850517ca28b6955c8bc14ce82c4e1d6325ad265

SHA512
2294c640c30e5df516b3c29884d75be839871862504ff58f113dccf2074ff74192b85f9d7773a93bb5fbf69b27341381ecdb3a25460de6c44f2c3f5ccf3732d5

Download Submit
C:\GalaxI7\dobdevec.exe

Filesize
2.7MB

MD5
141ebad1da3be5b21b1e4d74d679ebdc

SHA1
5a3cc5b085e937cf482c679d0d2a2b5f300b0933

SHA256
893a1f10bcf2b76272966d480beffce24ef9c9b4aa26d08bafd8aef135646c01

SHA512
9ac119fa870ea0a9b89e0a844d76ac4ae52033755eba59ad4234dbe46ad454e41687e915c9f01bdf4684f12e9578c94c7e45a7559abdfc1c2f52491c92504242

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
d5cf0653b0213224d42c863c1aa8b4c0

SHA1
16bc404d886e6f02da3ca747fc8e2098ffc007b5

SHA256
02bc24fe80a1f3c7b943380e4b1350d32d89720c659977d43b3d911729557fbc

SHA512
96b02857f2566c442fef462a91ec63d282764f3219287ce335dc0d5afe806da90b8516aaa9b7c437fcf782c0c4bbae28a3aa943c13451df8fc90f50967a118d2

Download Submit