9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f

Analysis

max time kernel
149s
max time network
129s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 01:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
Size

4.1MB
MD5

70f25fa50930e26dc67fcd583f552ac2
SHA1

7c8bfe11778fe57c6e21020993aafd32b766871b
SHA256

9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f
SHA512

f7a9e856f5bf8b59119eaf0a1b7ab246eda0ac1a253b9318ba65fa104588032677c79e571ac74ecac532a47df5ef3cf39555daf046ee591f931a434b82ded777
SSDEEP

98304:+R0pI/IQlUoMPdmpSpl4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdma5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1988	adobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvF4\\adobloc.exe"	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPZ\\optidevloc.exe"	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
1988	adobloc.exe
1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1988	1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe	28
PID 1688 wrote to memory of 1988	1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe	28
PID 1688 wrote to memory of 1988	1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe	28
PID 1688 wrote to memory of 1988	1688	9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe	28

C:\Users\Admin\AppData\Local\Temp\9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe
"C:\Users\Admin\AppData\Local\Temp\9ed4726278bfe2739ac882cbaf132c233b1e4f73b2710a17eda2d90a3e272c0f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688
- C:\SysDrvF4\adobloc.exe
  C:\SysDrvF4\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintPZ\optidevloc.exe

Filesize
4.1MB

MD5
f30d51627394e47b88b06b409ce101dd

SHA1
851899faeeb90c7ffd8789ebc8b7919682b4542c

SHA256
06a9c54579a7de9728d1110ca873be5f0df6ba3e9ab0c879a10d31169e262fbf

SHA512
5a52898702799f23555b601f1cf7d213ab6dd5b9a060fc7212c4a9828d53855571a31cfca451882743c6f65c621af77cfefebd70e56840604de6ac33ad6a1170

Download Submit
C:\SysDrvF4\adobloc.exe

Filesize
4.1MB

MD5
83cab0c229efec285c30efc24c75d122

SHA1
3467579ab462be6caa96170689af7adbad460224

SHA256
5121f455d985f6b7a84c569f418997bddade4398cbd31f00d4b89bf7713cd6b0

SHA512
8d6f84f42e7b0c5d7087ee9fb5463f9441264b8b3c5dd75ae2db1fb9b7178cc4ffecb19e48cd73f668f7bc1a2c2874971b72ae5201c77e06a0498aa143dffddf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
0ff4078c604114e98dcc6ce25776d8dd

SHA1
9751d9057b7eeb0545ee134177e03389c2361940

SHA256
6e67ed90792896e2cd3ce3f1bbcba10453e3711cf115a3f0d94df2dd0e831ef2

SHA512
8770eef8b191888e18abb11e08981367e0bedce350ff013ee9c1e1526945168448a3267dda51e5c06367a857e8ab9e1a3bb3b7e127ef0f9c8e3a5f5ab4475a01

Download Submit