2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
Size

2.7MB
MD5

380666fb854fe17223b20d3c914e175b
SHA1

67f4d3f6504f4a700b1087604139de48e78c12b0
SHA256

2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81
SHA512

3c5d7bf09eedbb45c23f9fb706c989a83cda7114814cc51aaba45ec733a0b92b4fd41e4f69654f580d2c1af3837213699da4d5f92a2436c3359bdd9407d17ac1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBx9w4Sx:+R0pI/IQlUoMPdmpSp54

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2116	adobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvET\\adobsys.exe"	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW9\\bodxsys.exe"	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
2116	adobsys.exe
1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2116	1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe	30
PID 1644 wrote to memory of 2116	1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe	30
PID 1644 wrote to memory of 2116	1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe	30
PID 1644 wrote to memory of 2116	1644	2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe	30

C:\Users\Admin\AppData\Local\Temp\2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe
"C:\Users\Admin\AppData\Local\Temp\2ca12ac321f0398c304f1d202a02576b175a093e55d400ed2e867cc95f773c81.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1644
- C:\SysDrvET\adobsys.exe
  C:\SysDrvET\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxW9\bodxsys.exe

Filesize
2.7MB

MD5
98e9e8bbcbd1332b6484f901e67a1240

SHA1
3974b5867d26032cc9233231ff3b5115a437d1d7

SHA256
3c5280ddc8c9f90c5c62b27c30efb0a8b5cae0b2b7ee8f409872822966209d2f

SHA512
439a63c755021324d0a24f6d6b6174b5d0831bd5dbc3a51d4a88154030bd8b3cdfd09c38ce2d4ccc35a4b69c38d4480f2735799e81562a80f9e9906d8344b237

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
fbfa60395a76f9fc6d9ca424efb183ad

SHA1
6a537f51612f850b3a3cab0c561c0d93f4df1caa

SHA256
b875dbf4c9528420f9e3831331c4fb10f534f6368795d16a96684e8247deec70

SHA512
a1f747dfb140a5509d4211c61f19c8121946a9587161ff206f522dd96fff680bd668bed6b7cf9728dc4cb6046ef5eebc747c37c78df7189ed0223c6dedc49927

Download Submit
\SysDrvET\adobsys.exe

Filesize
2.7MB

MD5
c361a32c1905b8ec4345f0b2025e6f32

SHA1
c8ed45edd15b193cc6e13a982a85492fd452405f

SHA256
80bc5cfe99a4b6dd41d2f24aeaeab35088d963f066b72bf1ab0703fe0d311a7a

SHA512
ac7f234576b71f20727182962efe342019a4e29d38217f4fbfedd8c47c39ab9199b1e14353fe895d5cbdc888f4bca806d1aff142cf73931c2b9c096a17f61982

Download Submit