1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
Size

2.7MB
MD5

696f4b8fe87dcb8e1d82c1c0d27a2a13
SHA1

b492c3213ef11dbb30c5ac6a154a9d8577cb7466
SHA256

1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c
SHA512

290e4bbc9ed6a768a1156d33dbfc3ca6bafd4ce89bfc88201ebed27f1df7843e88d006d4ba586ea885a3203404daa801b33377559cc9b8bfadb090e07031fc20
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB69w4Sx:+R0pI/IQlUoMPdmpSpw4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2812	adobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTW\\adobsys.exe"	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintPP\\dobxsys.exe"	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
2812	adobsys.exe
2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2812	2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe	30
PID 2484 wrote to memory of 2812	2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe	30
PID 2484 wrote to memory of 2812	2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe	30
PID 2484 wrote to memory of 2812	2484	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe	30

C:\Users\Admin\AppData\Local\Temp\1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
"C:\Users\Admin\AppData\Local\Temp\1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2484
- C:\AdobeTW\adobsys.exe
  C:\AdobeTW\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintPP\dobxsys.exe

Filesize
2.7MB

MD5
dbbb6da019f8fbcb639114e81fae8ff3

SHA1
11cc32bbce1bf57cf118c632bc5122c132951969

SHA256
8d38c561d4420393d8565315fd5633a4fe6f6c5e7313923ee68238b91b3a5e07

SHA512
a18a4be96e9c858e460e41123fa142150f905a5e454a1d9fe805a613f08afdd122d45a85f8690a170aa3df8d659c7c1cca68354025a56092d4d546e948ad9add

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
0acc27eaad3bb7b6af270440aa5045b0

SHA1
339386e5750a9e964166e3ebe12fc06afb96b789

SHA256
3129379a00d1788a8aae613917873d3db4de49061298850866c80be222cb0009

SHA512
a20ca75850744832f0fd570cbb5459817858504eb85d666d0337cef6b8b59a31ce6ec9ddd85ec259dad9675c51227fe5c6d689cf92b645d6b54580f526ad91a6

Download Submit
\AdobeTW\adobsys.exe

Filesize
2.7MB

MD5
c69bbc976efd4951e2f17ffc9d5c33f3

SHA1
5d35d13e8fabbb7581b17b4c999d3180df12867a

SHA256
21ba5acc0357f51c2cfddeeb956e10317cdda73adf8fa97ee43786b953e0ac93

SHA512
380cd2f850ab217c28fb76e0482d03eb73ee6d7e4c60a65367337cf7b966ec969f522ef011411c34abe750a8e1b0ef169c99ddae0143b527952bfca119f8eda1

Download Submit