ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
Size

4.0MB
MD5

51f3ee66614b51fa48e234c973819761
SHA1

c2883e3693ff70956cda6ca666ffd62c7258731f
SHA256

ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88
SHA512

4fdfe93bb6d240d831c2ca75db65f8d4e4af02eb58004ded9ce4ceda7918f5763b7e91ae763039b63fca646b8f1dfe1f24bece0e53d110439fda0c15cee64351
SSDEEP

49152:XxX11cS3lxnI95u+euCoNJg3tjl0scZqydiMFIpd/KFBHYvsZo4kF29o:XxX1/vKUuCIi3YscJBIpU7y29o

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\optimdev.exe	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe

Executes dropped EXE 2 IoCs

pid	Process
2768	optimdev.exe
2060	adobeapp.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Cabinet = "C:\\AdobeC\\adobeapp.exe"	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\KABx64 = "C:\\KABx64\\systempx.exe"	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe
2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2768	optimdev.exe
2060	adobeapp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2768	2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	30
PID 2688 wrote to memory of 2768	2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	30
PID 2688 wrote to memory of 2768	2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	30
PID 2688 wrote to memory of 2768	2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	30
PID 2688 wrote to memory of 2060	2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	31
PID 2688 wrote to memory of 2060	2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	31
PID 2688 wrote to memory of 2060	2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	31
PID 2688 wrote to memory of 2060	2688	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	31

C:\Users\Admin\AppData\Local\Temp\ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
"C:\Users\Admin\AppData\Local\Temp\ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\optimdev.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\optimdev.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2768
- C:\AdobeC\adobeapp.exe
  C:\AdobeC\adobeapp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeC\adobeapp.exe

Filesize
4.0MB

MD5
9b3ead1bf1ec3d96e382c4b7acb8a78b

SHA1
f67b0b6d57a6bd22b7d1093a1044440ab813c523

SHA256
eea0d9d846e8bd8d4628f3471931b682d577189e7d389f7f760b8c61b08496b9

SHA512
1fc516954902294c99e31d966d3abade94b729f4ccc74b5fbb5a2878bfdd0614298506294e2348d7e488a5b1e3156a50a9ef5821af96a9c281f26129393bb3bf

Download Submit
C:\KABx64\systempx.exe

Filesize
4.0MB

MD5
2a9e4946ba12557453b30bb985c4a779

SHA1
926768c6a6a26b0975340c82722e7a1e3c43d959

SHA256
720ce3c903568f492dd59f8ea8d04088ac8090cebd78a81428f368c5b5d2d4bc

SHA512
eb0810485725912dbbe138987d753fc54389afc423d7970a563274b6b06bab5aa9731243606dd4f872f6a924240c7e3a459f17aa51b97e487d2aac0f1da88857

Download Submit
C:\KABx64\systempx.exe

Filesize
4.0MB

MD5
28177b4f0543c50f12f1c0cac3049df4

SHA1
77c7f70b5302d8bca18e0ccc4867cd5359abca99

SHA256
5017d8a74e5240ae610f72e029626191f39fde35fc98def3969ce1d78ac360df

SHA512
86cdd0262829a075beb03bea1cdae206f5c3d05a78699389f1427eaf23cb0695b83a8a538b580d1b18d3df7d47c39e2edb646c301ad2996d97255b2a72551e18

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\optimdev.exe

Filesize
4.0MB

MD5
78382479e1f19a3080af0ab6f0b757b7

SHA1
a2ebf91c997c1a92df7d5ebd348ff7ee0ad48a70

SHA256
32be8f07b60619271c23bddbf2300062149e7079a8599eb0a2014bfb8183cbb3

SHA512
7c63b86d4cb5ab6bab0e580ea881c64127ed5662352856574435ba71660f52c2fc041d3b98e6490acd732d0c82ccddbad4516551db33e85ce144ba1deecc5567

Download Submit