ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
Size

2.7MB
MD5

5dc8d038ba899e75dae08732df2f08d9
SHA1

59049183069ffa35f084209be6b4bf9efaabcbd3
SHA256

ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8
SHA512

e3e27f43b45dfd0471402d85397a31f26e65849e0cc9a6944734e09abfaf87faa51528b37b3899bd5fe2bdb5a2ed0e061231a85cf701ff0a1f361d11c6fb569c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBW9w4Sx:+R0pI/IQlUoMPdmpSp84

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2308	adobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJ2\\adobsys.exe"	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDH\\bodasys.exe"	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2308	adobsys.exe
2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2308	2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe	31
PID 2332 wrote to memory of 2308	2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe	31
PID 2332 wrote to memory of 2308	2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe	31
PID 2332 wrote to memory of 2308	2332	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe	31

C:\Users\Admin\AppData\Local\Temp\ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
"C:\Users\Admin\AppData\Local\Temp\ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2332
- C:\FilesJ2\adobsys.exe
  C:\FilesJ2\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
47857dceb059a95eba318f54ac42072a

SHA1
396cc703d9b9156551b42f726594f4f2366c02da

SHA256
09068dd23eef79286e6212ac05d9ef9e43d13ae0aa1ffcabb872f17f3666236c

SHA512
5453615dbbe3d06886d1c887156c58cb69c1b64a24eb58399ce2cf0ca2b158d92db3553550a42c8ebb1d58788214b67a1d1dd37846d512eae25fc8ce13acc4a0

Download Submit
C:\VidDH\bodasys.exe

Filesize
724KB

MD5
ce931e24db859aab3694d2f567e85741

SHA1
6884a3e86d86ea2550490139b7c72152d805a7fc

SHA256
2f917a0bf668e6da9b1a95f8ae4b84ccb721dca6f614404c82100bdc30c8b8e6

SHA512
5b6285d2bef3067d99a1816f4d8d51e090ae04b830783af9462fffe53f2c32bc72cfa25352830875b29fc8a49403a9dd3acf8a0bf793e0c86e5d13176c5b1cc3

Download Submit
\FilesJ2\adobsys.exe

Filesize
2.7MB

MD5
a692fdb36bc8ef30032bd95c8066496a

SHA1
d31f2cc10d606271407d6d579940c0fbb98a33ab

SHA256
08b69ea0ba1f6d1421532c3cb8a474bdee1b4b01025b2492700a1dd545437eed

SHA512
83a7636e0f007d3009ab4a43a2bc279499974831f5fba49d713badf61a893555a74a225f1fdd4fcbbff8e4d65ab2df3de1a1feb2f01599c65599b5e537b2fd48

Download Submit