c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 05:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
Size

2.7MB
MD5

749959d429cdf1fbb3d47c4ae977f806
SHA1

bf1c9a39ad32113ad15d112dd4f8a15a618f233b
SHA256

c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c
SHA512

c65aaf9c8865cd47befd0eacc26a623fbf4e6b904257b607bf06e139f9dbedabd1f52a9a39e23a9909eb9dd3f4178eab86c361c5c8e8da9dcff5d0b2d07445cd
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBv9w4Sx:+R0pI/IQlUoMPdmpSpT4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2624	adobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1X\\dobdevsys.exe"	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesYP\\adobsys.exe"	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
2624	adobsys.exe
3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2624	3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe	30
PID 3040 wrote to memory of 2624	3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe	30
PID 3040 wrote to memory of 2624	3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe	30
PID 3040 wrote to memory of 2624	3040	c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe	30

C:\Users\Admin\AppData\Local\Temp\c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe
"C:\Users\Admin\AppData\Local\Temp\c93a2abaf35796622273c88343b8b82e6334ba42fc23dd3cfd778c509e33378c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3040
- C:\FilesYP\adobsys.exe
  C:\FilesYP\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesYP\adobsys.exe

Filesize
2.7MB

MD5
e20ab072110567e7539369b21eda4f19

SHA1
a415e290d6cac23f21dda842f13ce0ad7777b581

SHA256
1db4bbda248d401e2e94335851fd1abf992cef87b5c7004938646bef991b9668

SHA512
1612fa86e2c833123c47d038e7496ef65d3034a096b738e21baaa501b953ac5b461acd0c57445648d51cadcf17457518607c733e6c56261e1f466877e02f2a76

Download Submit
C:\KaVB1X\dobdevsys.exe

Filesize
2.7MB

MD5
750a1a7b097fea9e8297f52535c2bf46

SHA1
a49204a4b49c696dfddd90f3057664daaeacc7d0

SHA256
fc77b1cd1047c5525a5ce07af13d1ebfc65aab56192050ead9bf49569bc7c11a

SHA512
e34b399ec44241f0f11e6c9c0ff66f29143b822eb5d2dca88536e8ece0ce20b756d36fce39cc2975f2057bba2f67aa43d009802d9cafef86790a9138bd3362ad

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
67b1bfd349b7cf953d8e30706de3fd80

SHA1
557fab0f36156606719a009570325e2b2843e574

SHA256
eeda1e3932f256560ee52f6dca0213ce69fe7f4dd9e5eda368558f9b9133a0ce

SHA512
33c23c8a046f353ab15b9e4d06d6002a6d663e65ee0f5fd7a3ae60eef94392f2891a0cdc24e11e340bae078e4e5b26bf03661c0eaa6e65598bfd22cd3bd6dede

Download Submit