a802503854c53fc064de135f93ea80937e13ac005c5d17210f465ca08a6f01b0

Analysis

max time kernel
119s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 21:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1df721ab91fb60de90e2b24cde767310N.exe
Size

3.1MB
MD5

1df721ab91fb60de90e2b24cde767310
SHA1

9a1acea19b41e30a8d7a49a372fc522f87d7b8c4
SHA256

a802503854c53fc064de135f93ea80937e13ac005c5d17210f465ca08a6f01b0
SHA512

e1ea94a18847a5ac7c0f1ac4016b8ea6f778f2bb1c20a50b29ab65bb22b3b290695336bc48308534d014b4ec127898cd24a669f5be7d5c622bebd5be5cea6625
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB89w4Su+LNfej:+R0pI/IQlUoMPdmpSpq4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4708	adobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB84\\dobxsys.exe"	1df721ab91fb60de90e2b24cde767310N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUH\\adobsys.exe"	1df721ab91fb60de90e2b24cde767310N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
4708	adobsys.exe
4708	adobsys.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe
3940	1df721ab91fb60de90e2b24cde767310N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 4708	3940	1df721ab91fb60de90e2b24cde767310N.exe	84
PID 3940 wrote to memory of 4708	3940	1df721ab91fb60de90e2b24cde767310N.exe	84
PID 3940 wrote to memory of 4708	3940	1df721ab91fb60de90e2b24cde767310N.exe	84

C:\Users\Admin\AppData\Local\Temp\1df721ab91fb60de90e2b24cde767310N.exe
"C:\Users\Admin\AppData\Local\Temp\1df721ab91fb60de90e2b24cde767310N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3940
- C:\AdobeUH\adobsys.exe
  C:\AdobeUH\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeUH\adobsys.exe

Filesize
3.1MB

MD5
6a41bcc4c731e0604bd32db14951a861

SHA1
407751c0fff79142bcaf86de830a5116fd5325c5

SHA256
90aab142134a70277cc10d86fcf41596c0c735bfcc301e82d9f14c39b60b3d00

SHA512
6aaf1b076f85dbf7c844418318bebfeb91b75d12b15211ddea8969b17d40121ce9eb93f1ae2d834abb8262f23e302bf53f1035a8a2efa3d204a671f235cc49e8

Download Submit
C:\KaVB84\dobxsys.exe

Filesize
2.5MB

MD5
7ea7aba983f448a2564470181a4e75e8

SHA1
c38febcad29a35ace00a794ee616f3e09948b562

SHA256
001293e6591830adc2268a3f4bae5bc8bf88e848f4eadea221c1243ec528c529

SHA512
e131a8795ac9aca868b71923abef084a0047e49c4533f1ed95610fdb303ca4e18bfa15d1821c8ea5019ab3786baee594fed3e79971c3d1d3667ae5d33bc890e8

Download Submit
C:\KaVB84\dobxsys.exe

Filesize
3.1MB

MD5
ba65cd680963fe4c87e82fea909a73d1

SHA1
902e16d94a1018880b001e91bfbd127fa162703c

SHA256
3acb9522b329a6cf2e1583a9be2e8af1395ad44d67ef0291da3ddbf8b2b0500c

SHA512
0620a204976c1ee0f36aeb9b7ff5a0318f17172d614085a10ff4ecd07debfc48d8d3b7cabcccdc8bd7b9c5b0356baa0f5530cd4fd6cdb9efbbbcf1a1eaef15d7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
6a6d83158de103c2355bc9cee4132000

SHA1
ee573c36633a6472da2b712c293787539135a99a

SHA256
45caa4e551058f5c084fad58d5d71dba56fae6163152fb7efc922fe834faed9f

SHA512
9b425d2f277ce2c0e0ae7aaabc216c849c56ee82bcf3a90820786b3dc42ddf3821b30f7424e4fd4425206ce0cd94cf1660e2bfc7e14dceb84ec7db5097b93f8c

Download Submit