ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
Size

4.0MB
MD5

51f3ee66614b51fa48e234c973819761
SHA1

c2883e3693ff70956cda6ca666ffd62c7258731f
SHA256

ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88
SHA512

4fdfe93bb6d240d831c2ca75db65f8d4e4af02eb58004ded9ce4ceda7918f5763b7e91ae763039b63fca646b8f1dfe1f24bece0e53d110439fda0c15cee64351
SSDEEP

49152:XxX11cS3lxnI95u+euCoNJg3tjl0scZqydiMFIpd/KFBHYvsZo4kF29o:XxX1/vKUuCIi3YscJBIpU7y29o

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\optimdev.exe	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe

Executes dropped EXE 2 IoCs

pid	Process
1552	optimdev.exe
4356	adobeapp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Cabinet = "C:\\AdobeC\\adobeapp.exe"	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\KABx64 = "C:\\KABx64\\systempx.exe"	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
1552	optimdev.exe
1552	optimdev.exe
4356	adobeapp.exe
4356	adobeapp.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
1552	optimdev.exe
1552	optimdev.exe
4356	adobeapp.exe
4356	adobeapp.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
1552	optimdev.exe
1552	optimdev.exe
4356	adobeapp.exe
4356	adobeapp.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
1552	optimdev.exe
1552	optimdev.exe
4356	adobeapp.exe
4356	adobeapp.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
1552	optimdev.exe
1552	optimdev.exe
4356	adobeapp.exe
4356	adobeapp.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
1552	optimdev.exe
1552	optimdev.exe
4356	adobeapp.exe
4356	adobeapp.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
1552	optimdev.exe
1552	optimdev.exe
4356	adobeapp.exe
4356	adobeapp.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
1552	optimdev.exe
1552	optimdev.exe
4356	adobeapp.exe
4356	adobeapp.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
1552	optimdev.exe
1552	optimdev.exe
4356	adobeapp.exe
4356	adobeapp.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
1552	optimdev.exe
1552	optimdev.exe
4356	adobeapp.exe
4356	adobeapp.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1552	2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	86
PID 2472 wrote to memory of 1552	2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	86
PID 2472 wrote to memory of 1552	2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	86
PID 2472 wrote to memory of 4356	2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	87
PID 2472 wrote to memory of 4356	2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	87
PID 2472 wrote to memory of 4356	2472	ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe	87

C:\Users\Admin\AppData\Local\Temp\ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe
"C:\Users\Admin\AppData\Local\Temp\ee1affa3be7b1851b89dd6f2fc431129748d4c784e031fcad105116605a44c88.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\optimdev.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\optimdev.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\AdobeC\adobeapp.exe
  C:\AdobeC\adobeapp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeC\adobeapp.exe

Filesize
1.4MB

MD5
ac643f450ccc13523c71b1db20c02fb2

SHA1
fdeb6362b58ce2255118d3ce5832e46ff4d53d10

SHA256
35a1dc6abe0d31c214c44c4c54d0e65805bee85e4b6d1bcf12cac49b84983b4d

SHA512
df02350769a9a9743953403d73f31cc7e143430d3de7e1b4c5021ee7558e2d976761602d46aa90d921f38f699616ef0481d59749d828728885860a42b260ce7d

Download Submit
C:\AdobeC\adobeapp.exe

Filesize
4.0MB

MD5
014ddc372c28971348ac3664d7ed5d5f

SHA1
015c72d5d0be83ecb2a973b74f359cbd9fe66afe

SHA256
0a183ff5d1d82577c05ea4d5fdb24f714491665998f7dcf64e6b5b6a118c3181

SHA512
de77e84847522a249a6322417527a576661ec65e3f5ff30f18bd53c8ed7a0927e60f97b324d48ea3e7d1798c2b3d439061a5e348013018d8c7b5f7fcba74c249

Download Submit
C:\KABx64\systempx.exe

Filesize
1.3MB

MD5
99220aa4b048be80de573e2a5b0f0d86

SHA1
94f9367540d5f068fd34c00f2714026146c04cb3

SHA256
f5e629002bdae7591c7f77db71bec88149dd2b1a667453a81bada1e8974da395

SHA512
7adbcfac7a48b2b660b777818ff7865bf7b67a3216288e59e6fc1f7793d9ad46955de3283d8f8d3696dd2a836bdc2932bc544c54011f3886d3a2d3b679c25ac6

Download Submit
C:\KABx64\systempx.exe

Filesize
2.5MB

MD5
461af81a7497ab218aa0aac822a9ee9a

SHA1
656d10238c992935d3ecf832e06c24f47236f368

SHA256
ae2d23692c9e821f7b1b1272fc72759b8fe60d36511587a8ea1dce810959d465

SHA512
1587cdca37df3a1bd0bdbaa310962e205c3d102eea1b5bca31dc5226e92017bdb3684b856c28007708fd833ea74f0ba9ada17754099769c5c10572ba4baf0a2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\optimdev.exe

Filesize
4.0MB

MD5
5016b40a86862ac54c3240fd393eb4f1

SHA1
08698f32c35843cbed3af364b6e1445f2137b93c

SHA256
a8517275b81be1014b4676651880181ad05b522027363d1ebdb72dbdd9056955

SHA512
e358dae9dec439f92ad2f183b0d7a842a65694b1109af6375fc10f83e049ff51d0a3a23d88bc1bc427d131eb0bff7a061dcefd0a31418ce03733363ecaa5d96a

Download Submit