e1449013915197d1bbd3c23b8bea6ef99b7ed74ae93374274b81888e3e6831fd

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8555b1bd6a0d6d9e47389205d09e6a0N.exe
Size

2.7MB
MD5

a8555b1bd6a0d6d9e47389205d09e6a0
SHA1

d4f480e8556bfa7920a1df4a3169840ea3790852
SHA256

e1449013915197d1bbd3c23b8bea6ef99b7ed74ae93374274b81888e3e6831fd
SHA512

aaec80d7554018ae77c04126241126172b68afca89a3f0c8fdbb49ba46918b7a51dd5bc702f2d0794086592950d78e682ac04f204a76adf9eafcfdaa9006b2f7
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4S+:+R0pI/IQlUoMPdmpSpe4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3024	adobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2B\\adobloc.exe"	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWY\\bodaec.exe"	a8555b1bd6a0d6d9e47389205d09e6a0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe
3024	adobloc.exe
1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 3024	1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe	29
PID 1768 wrote to memory of 3024	1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe	29
PID 1768 wrote to memory of 3024	1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe	29
PID 1768 wrote to memory of 3024	1768	a8555b1bd6a0d6d9e47389205d09e6a0N.exe	29

C:\Users\Admin\AppData\Local\Temp\a8555b1bd6a0d6d9e47389205d09e6a0N.exe
"C:\Users\Admin\AppData\Local\Temp\a8555b1bd6a0d6d9e47389205d09e6a0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1768
- C:\UserDot2B\adobloc.exe
  C:\UserDot2B\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintWY\bodaec.exe

Filesize
1.9MB

MD5
5f8110be9e90af95c3d8443ddcb858e5

SHA1
08d7466db551a3f762e2b922ce9996c534fe8f16

SHA256
c8b4a2a4668e2a82c370ed610c884c35345f2b027c30765418888e72dbd55d41

SHA512
0af882069c142b8a3f6a14cea4589176410cf7bdcf37ef28b7c7f328621121b3c00f934b6a60e8ddcf23d997acbdc2a43242365e5c0150906ad9605d2c1e5f17

Download Submit
C:\MintWY\bodaec.exe

Filesize
2.7MB

MD5
8a96d2fa7e6d8f2511d5ac62bd53b425

SHA1
7d5472e36726aded13bce6f6364b40b91ee6bdca

SHA256
751d50c88ba9d7401ae1f1701ba24157d533d4683652a29ff97dd03602775cf0

SHA512
de3900544ebbd6fb18f07b6d3b6dfc72ef197526920e6417e73075a9b42babed2de3dc5714da66b07736ed7e757cbc5641cd1f665c9a7f6e07b92d46661a4c76

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
193B

MD5
59f4554d70d42b67ab616328c2bbbf03

SHA1
e942e9449e48fc2ad025edfee779f4b9165201db

SHA256
041ea37c61d235a16f584a1d920de5e9ae199d6b9e8b7078186172884ddde015

SHA512
837f66568f6c0f634664f7b51da827ee42fa544cb33352f32df726fc4bde97c723edc1ee3f16307a9128a2556b5a8fbd3a8ab29f4302cad32ea77e52b63534d8

Download Submit
\UserDot2B\adobloc.exe

Filesize
2.7MB

MD5
1801562611e67b8e5f82091df3e0846a

SHA1
5a71b46d7feb064dfdaf063bdb794f31d2325ece

SHA256
e7012ee363287069048622d24033ba3f18dca8ea6536b74c40688b6b21d06ec4

SHA512
164b42b3b6cc05221390b9c392e1fc88f3e39063bafe72a8ce16a19ad64bafd226b7c18430c569b34110b69c123886e2b3b2d027eb4a424dc14554be77ab0d4c

Download Submit