a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
Size

2.7MB
MD5

91fc7785ddb5e889204495330a0bab50
SHA1

a2d207b6db88c19c3d4c0ae407561c587a324b4f
SHA256

a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8
SHA512

44b806a79135063c20531821d07ef7a3ea47a9f25f04f1c016e38d46504d91355107c3be895187e15015e0c3fcc336d95b2b5631ec45be5a6769f12a6e8c7380
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpP4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1820	adobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotKA\\adobloc.exe"	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJN\\dobaec.exe"	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
1820	adobloc.exe
2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1820	2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe	28
PID 2072 wrote to memory of 1820	2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe	28
PID 2072 wrote to memory of 1820	2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe	28
PID 2072 wrote to memory of 1820	2072	a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe	28

C:\Users\Admin\AppData\Local\Temp\a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe
"C:\Users\Admin\AppData\Local\Temp\a09c66fd66057ed34a34a1be153d8d4c69edc9f65cdec8b07e9974fd36a728b8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2072
- C:\UserDotKA\adobloc.exe
  C:\UserDotKA\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZJN\dobaec.exe

Filesize
2.7MB

MD5
2e3e0d9996801dfb4b129c11c2d0bc77

SHA1
834a67de1f1f9cad201d636499fefdbc7eeb5d03

SHA256
6f5ff648b221bcd8b913ff0805ba028b94ea3a9fcc25e24d642fee9f4073f110

SHA512
8983ea5194923f7b0cb112831c3ab5aa1e35eaba48dc7740718e826039fb6603282895ffe1362b20b1fe951f28ecebc0a1c417609d72bf45ee6a2de79cbcc0f8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
efb047445cfa1f560ee9d3bbe51b54ec

SHA1
59d4b8b6aafe34bae34eff23da318dd18f158ef9

SHA256
aaf8fb7833376ce5a357cc9674f5edbe5ce96cc2feb097f5fd805ca36efa841b

SHA512
0040fbf6fedc18f7cc8002ab26a7bb4396acb0c6e00bbd7b6cb2d1f5a2a9574d30a31a61b8e13a94d4b6b1f47949dca27f39b583688632bc747341a382e7cff7

Download Submit
\UserDotKA\adobloc.exe

Filesize
2.7MB

MD5
b393d31285d40db858b69cbd486592d7

SHA1
bcf51cd848fd1ee7c6816142fc10b9797d3238f7

SHA256
c96ccb3b0ed21c15ad55f6860a98b990c2914398347d00f3217064141fc8bcd5

SHA512
900df166cf183bbb3fb428082d0cfbe585afaa257cc99673ca6462627071b08bbfb33e3557e82290ac33b784c19dc48d1660e8106abe8ed5da202dff58c4258a

Download Submit