8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 01:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
Size

2.7MB
MD5

ae8e68167383e516c4e7de09b32a15c9
SHA1

d26bd3ab6ef244788fd970f1e4d0def8e2580326
SHA256

8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077
SHA512

03f3b10f3f9a788a9258a5d1cfe64b285b22257d9b50b8a196997d1f23824f609e7ce8c21e8155f9fcee76a86ede5f859ee8f4b682876e4d3e7e32e3a9569efc
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBp9w4Sx:+R0pI/IQlUoMPdmpSpp4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1236	adobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc63\\adobsys.exe"	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPP\\dobdevloc.exe"	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\AdminF+ZZ.K^KF<YKWSXQF7SM\Y]YP^FASXNYa]F=^K\^ 7OX_F:\YQ\KW]F=^K\^_ZFlocabod.exe	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
1236	adobsys.exe
1236	adobsys.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 1236	4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe	85
PID 4276 wrote to memory of 1236	4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe	85
PID 4276 wrote to memory of 1236	4276	8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe	85

C:\Users\Admin\AppData\Local\Temp\8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe
"C:\Users\Admin\AppData\Local\Temp\8c1856323894537239a55c610b07ac416e57f3918220e37cb1897b0aab677077.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Intelproc63\adobsys.exe
  C:\Intelproc63\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc63\adobsys.exe

Filesize
2.7MB

MD5
ede756c7c374ccb67b953e72b2c51b65

SHA1
d2be519d6033bdee306f6f0493e9a16657a23574

SHA256
7cd89f3f6f9a8fccb585455f32c825c0b12eecfff847ae45c577d37c6387e345

SHA512
d49267717c8900d45c3e867469c7efc787beffd3144ef2ff4886f1b09c21b40998b690644f9c191387e1d2ababd6623bdc1b10a0f0170d99dc0283335da1828b

Download Submit
C:\MintPP\dobdevloc.exe

Filesize
367KB

MD5
28cf526eb7a3fae9d65a10768836430e

SHA1
64ba3912719b6f328df83870fdab16045721388e

SHA256
d60dfa9f7a0e54b21165630999bcf976ca4de87b052d9113c8a79ff836cdd89d

SHA512
4acc144b92b7ffbedef5754665932313bae41fb1154e60a863d502ca7c7f04a50ed2b7e17ab5428f26ac97422b5582b26dcf6424b05ba444dc6fb0bb6473fb6e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
8dfbac3861c83cc0598cfaec7eaab75c

SHA1
26c11ea1db99818dfca1b3f59e166f5cdae55dde

SHA256
1cbfb22a3ca5777e271f77eae8c22efbda40ae829d6ac15c561914002a108082

SHA512
e6e53ac27fdc82dc22e537f1f6ccdad8dcc8e83f06f8dbc58f1ac4dee348d7e48d2290a7335de249e0223cd4da63b680f2ca2482fbc65f877f931b6b4adc2f68

Download Submit