f54e312123bddb6f9e8315110d39f82548810b9f6a8d201a5e78fe845b2a7929

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f17bd7b2520c597a322478e44bb55b0N.exe
Size

2.7MB
MD5

8f17bd7b2520c597a322478e44bb55b0
SHA1

7ed056d5b0e40284a303363080ab2d6a4265205f
SHA256

f54e312123bddb6f9e8315110d39f82548810b9f6a8d201a5e78fe845b2a7929
SHA512

1dc5e22bea5de35ac936fe5c9566500af9def6399faced2d7517b997bbbaa81f6baf31d3455d7bea28f1815498eae05608702bb0b53b28214cc5e33705a6243a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBz9w4Sx:+R0pI/IQlUoMPdmpSpT4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2912	adobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGE\\optialoc.exe"	8f17bd7b2520c597a322478e44bb55b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNT\\adobec.exe"	8f17bd7b2520c597a322478e44bb55b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
2912	adobec.exe
2912	adobec.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe
5080	8f17bd7b2520c597a322478e44bb55b0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 2912	5080	8f17bd7b2520c597a322478e44bb55b0N.exe	87
PID 5080 wrote to memory of 2912	5080	8f17bd7b2520c597a322478e44bb55b0N.exe	87
PID 5080 wrote to memory of 2912	5080	8f17bd7b2520c597a322478e44bb55b0N.exe	87

C:\Users\Admin\AppData\Local\Temp\8f17bd7b2520c597a322478e44bb55b0N.exe
"C:\Users\Admin\AppData\Local\Temp\8f17bd7b2520c597a322478e44bb55b0N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5080
- C:\AdobeNT\adobec.exe
  C:\AdobeNT\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeNT\adobec.exe

Filesize
2.7MB

MD5
c71271c2c12273640cac3d2dd56376f6

SHA1
0c45274ba188a2a94890f801d211f07ae9b8e408

SHA256
ffcb418aaa30aefd1f587654006c9c93f74fe451cf91fac11d5a9368412e5875

SHA512
47acb957317d88042abcfec6e5f6dd05ee697ecc9d1545bfa4d94d11fc1567420810102aa095de9413e6df8468c79b44c8a1abc143f10b71fe1a5c3c37cb49e7

Download Submit
C:\KaVBGE\optialoc.exe

Filesize
2.7MB

MD5
539e1e3a579a9fad0998985d04d77e38

SHA1
4cdb99bfb31b9d509722c7aa9ad78e210e8ab6a7

SHA256
cb3f0b8a569558292d81ab48808a8225c8701bf54f0e26870fc1c492583d4d74

SHA512
2042221de486a1809e87e6903341b2ce9a781d7578f30c028bdfdd6f7846d9f327ed978dbd9b251758648849ad31cb86a8d1cfc5dcac5d11db2ca27ab4bab020

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
61b19caa0d30e42a1b8f22b104f6a1ab

SHA1
cb12d28bd268ccc3798f021cd44706447a494828

SHA256
ac1e4f810f7cce3b0595ab258b517c7c67ee12262f781fb49b9ac63cbb4b3671

SHA512
23f4a0c1b46cd775c3e0cc46e6bfbee1b2fe7e31d784e30a1a1ac451c80d4394e7c849943c10f29fe374f3fa9b675db6a76dc19f65423176666ef0b9364ac58b

Download Submit