856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
Size

4.1MB
MD5

73bb1465ada430e1bd62a6b9780edf4a
SHA1

d5e44f50e33ad0a769844319eadcb8f5a0ee990d
SHA256

856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1
SHA512

9d0af0a80952fcc8e39e7964d294810aeaa593a3c02051c878260408d1fcd2c8a067cda1f5a08750613377c668768136edbe792f350b1483c3890d6326ec4c95
SSDEEP

98304:+R0pI/IQlUoMPdmpSp74ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmg5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3044	adobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvK5\\adobec.exe"	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZOA\\boddevsys.exe"	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
3044	adobec.exe
2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 3044	2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe	28
PID 2880 wrote to memory of 3044	2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe	28
PID 2880 wrote to memory of 3044	2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe	28
PID 2880 wrote to memory of 3044	2880	856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe	28

C:\Users\Admin\AppData\Local\Temp\856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe
"C:\Users\Admin\AppData\Local\Temp\856a8fffb9e3ae7e61920c00936279fe00537e90092c9fc46369722ef49f0da1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2880
- C:\SysDrvK5\adobec.exe
  C:\SysDrvK5\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZOA\boddevsys.exe

Filesize
4.1MB

MD5
3bf0bf5097b3d79bd86833e298ce4497

SHA1
2ebcdfd427b075e841dd22c350ff9ee9f9aec904

SHA256
00d62d5d65eb5f16ab329bf7480847c219640ae19f2bd09d7657dec6bbcdaff2

SHA512
7a372f281016edc66406ecf1cb0ff2df3d21634277e269cec87785d8bdf8c9026b45820e98b5f45c0abd1f5e2335fbb63cf6fa81d82d93febe099757ec09270a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
ce2e039634e0e7ad807193da2d101b7f

SHA1
2fdffa4381f820548fd4cff28c14b2d57418cd0c

SHA256
255372de75a2793f405de0cc633ce2e5ad969717fc860e94c2ef4d35b202d76c

SHA512
75dbe29a0c276a120eb625674f3b2ca23ffe4c6fe071736e7115a5332f8690219f373b21a40f506604ba68170d117deb6e1b8656de67de759303df7da4fd817b

Download Submit
\SysDrvK5\adobec.exe

Filesize
4.1MB

MD5
b40e4bf6dd845bf240cd480f9a270d4b

SHA1
94f5f843e3b75ff31502aeb563501338dc8b4df7

SHA256
c1387d2609ac9b697312e50dc976dba7256dba0c32174bfa1e173d5f743f1526

SHA512
a1d20acf8dbf77acc901010c47c054552dc6a141df2504bafb4c8bddd489d034b1404ac38d1cdeff7e6466ab8ebd2ac1664ed8a7274263366d96660216d9c53c

Download Submit