ecefdeca3f0936086119593c098b8b14b9431ae698f2861dba7a408f5f4fbe8b

Analysis

max time kernel
119s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d0a100a87a3f16fa9b4f08a2d2a010N.exe
Size

2.7MB
MD5

18d0a100a87a3f16fa9b4f08a2d2a010
SHA1

e1c367595f444375d9b5b2730959209f5fd5081f
SHA256

ecefdeca3f0936086119593c098b8b14b9431ae698f2861dba7a408f5f4fbe8b
SHA512

6fed51c840b7e0ea1f28df7c37e71d1245f0357afb9acd2f9416ded3a6725b9388853a2a266a8bf6e8aa68208f7f5e8e0175a2dd8dc2a7557c106985def5e566
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4Sx:+R0pI/IQlUoMPdmpSpH4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1072	adobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeMA\\adobloc.exe"	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZD4\\bodxsys.exe"	18d0a100a87a3f16fa9b4f08a2d2a010N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1072	adobloc.exe
1072	adobloc.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 1072	2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe	87
PID 2820 wrote to memory of 1072	2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe	87
PID 2820 wrote to memory of 1072	2820	18d0a100a87a3f16fa9b4f08a2d2a010N.exe	87

C:\Users\Admin\AppData\Local\Temp\18d0a100a87a3f16fa9b4f08a2d2a010N.exe
"C:\Users\Admin\AppData\Local\Temp\18d0a100a87a3f16fa9b4f08a2d2a010N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820
- C:\AdobeMA\adobloc.exe
  C:\AdobeMA\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeMA\adobloc.exe

Filesize
2.7MB

MD5
ff8d67282200ea3cfd76d9ee23548cf6

SHA1
bf8a9111c62d24e8a8bdc5feedb40396e628ff1e

SHA256
1278af95074ff3cb57d1a2d6631b767e6b7cc76c38fee752751cc5e9955f588e

SHA512
f5a35673c992aca91bb6fe5571f2d1a32d743558b5269f2707ab3f14e4c2aa927c908dd3434429898bed673aff57cee6058a3e80e8777d8d06d932688ee558ea

Download Submit
C:\LabZD4\bodxsys.exe

Filesize
2.7MB

MD5
805086cf29c84bf281fa62e269c91351

SHA1
f49298b8ca1006e314fd8cdbd0a591e70f923833

SHA256
c9d5a2e1ba939432816cf9e510c9901134b573426626a6299bbf2da39cb78437

SHA512
553c0edd3e43f6db9befaf05943f63b4f573829c7e294d7d8c716abb18af8a2f184e7bb939007b8296f263fb9dd6e106b776288138bc17108f341aa8eb5e63a0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
d97b0b3b29d4fb30a21121fda50bc315

SHA1
32acc1891f260167bc5f8eabb945389d4b6cb693

SHA256
32d61a34c776b664c36e9c84478bcfec51bff4858912ef485ccd93c049b53a3d

SHA512
5bb2e2992fe347e8790373d5e93ef040507502a815afd13c12fb84e15151a573709f5c06c2f181b7c6e4e784e3d94512a9906571cc9895ec030864150f4edf95

Download Submit