da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 03:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
Size

2.6MB
MD5

69fef277e5238f136fe1813245d6bfb1
SHA1

121bc4cb4b24dba194628e88cae756adc74e7195
SHA256

da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81
SHA512

e8666b7409f4fe7a53ee40e13709b679da354758abf2ab1104cc24cf8a94e3ca5f227c79c34a1c357f05b4ce5649a8d2ee31aaae9893a0c8c4b8026ec74b00a9
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBN9w4S:+R0pI/IQlUoMPdmpSph4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2124	adobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe1M\\adobec.exe"	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintO4\\dobdevsys.exe"	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
2124	adobec.exe
2124	adobec.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 2124	3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe	86
PID 3196 wrote to memory of 2124	3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe	86
PID 3196 wrote to memory of 2124	3196	da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe	86

C:\Users\Admin\AppData\Local\Temp\da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe
"C:\Users\Admin\AppData\Local\Temp\da125bf9caba49184611feec3d4bdb445244131cf56d50b931006758a48b2e81.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Adobe1M\adobec.exe
  C:\Adobe1M\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe1M\adobec.exe

Filesize
2.6MB

MD5
6eb5b0a1a3fb595961f8942ed2876e28

SHA1
b070a8a8acd1e83ed28c899865ad6a1b22b2b1fd

SHA256
006bb54d5af9faf5802e61515e60b04a9f67d1a57cf14bbe5744891747cf8960

SHA512
cf2664c7558dc8cc8d333c959021ed820d2f9d199662bd8acafd3535e01d5493a78be7f951f34eef0aeab62732047ac2ec4e4f0233549132a7258d07161c240a

Download Submit
C:\MintO4\dobdevsys.exe

Filesize
115KB

MD5
eb98c319ea3e9bb1603e36eddaa9d165

SHA1
46e22b5edac348baa4cea5f99ec8820e46738b1b

SHA256
d94c789340c9b3951048a1433fcb962e07277aec440767ca4cca633d1897e749

SHA512
32ab57255955beb24b6bc4ef6cb084474131f0d80f94051d51574c6a3100d6af8af9dde7eb0bb457cd4abfe30087d59ad7f6ffb9fbcb051208f4b2e0fd1e9466

Download Submit
C:\MintO4\dobdevsys.exe

Filesize
2.6MB

MD5
5546d89e2c859e319bd9a28c2bb5676e

SHA1
80eaa2bd400635fe24d1d8de5466598b68fb2f48

SHA256
bf412303ed63027b87e0955ef328ad983b6f8fcdc060d0106d1a197232096609

SHA512
bda3c1582cb789bd1694b22daf27fbb3960051f57fa7880607d1b8922f296ba1f88157799886e6fd01a27abbe9af074f45bfa7b9f3d7e11b7db987a2a74699ab

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
6eae187827dcc63e3c65fafb39a95c5a

SHA1
06415c691dacfb1dcfc0725fb2b32a5e654b1326

SHA256
7c9091f8ca9cc33ee069c362c2aa0b229e5489defb6ca461933c91c28c5d4f9f

SHA512
03a49cd876b7ef91e46575418c35f2421e6e43dd0c94a0da3970b35b98f7de129f74a9f0e55e4077dc1617a3fc15f2b9db4190bbd562743f6e59b2aa5ab9a01f

Download Submit