14e20327b3c67562bbcaf50c5abd61de572ca58a635c1fc6ead3b33c8fe5c12d

Analysis

max time kernel
119s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 21:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1222f87570f2a64434c24d4829692380N.exe
Size

3.1MB
MD5

1222f87570f2a64434c24d4829692380
SHA1

e0fbc3f6746338264023a243c44a6dfd0751cf9d
SHA256

14e20327b3c67562bbcaf50c5abd61de572ca58a635c1fc6ead3b33c8fe5c12d
SHA512

30a46c87a1d8a5e5be4b3171926b3d4e5d42742d20e78902e1e85e4d8bcaa26ba2452caa1518cc0a0c3f42139019a12db1f7c73b1c19626fa1b3d604772e098b
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Su+LNfej:+R0pI/IQlUoMPdmpSps4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2044	adobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCD\\optidevsys.exe"	1222f87570f2a64434c24d4829692380N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvL1\\adobec.exe"	1222f87570f2a64434c24d4829692380N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe
2044	adobec.exe
2044	adobec.exe
1904	1222f87570f2a64434c24d4829692380N.exe
1904	1222f87570f2a64434c24d4829692380N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2044	1904	1222f87570f2a64434c24d4829692380N.exe	89
PID 1904 wrote to memory of 2044	1904	1222f87570f2a64434c24d4829692380N.exe	89
PID 1904 wrote to memory of 2044	1904	1222f87570f2a64434c24d4829692380N.exe	89

C:\Users\Admin\AppData\Local\Temp\1222f87570f2a64434c24d4829692380N.exe
"C:\Users\Admin\AppData\Local\Temp\1222f87570f2a64434c24d4829692380N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904
- C:\SysDrvL1\adobec.exe
  C:\SysDrvL1\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxCD\optidevsys.exe

Filesize
3.1MB

MD5
4884a6c80ec8e8f8001575980a93ee65

SHA1
7070e781adee4a882c9e703b7e714f9280655504

SHA256
af696b3c6f557b2c9622e693bf5b98c279a4ea6c60f10d484c99a3984c4fca48

SHA512
99bd517de5de4ef1d98052dd211fed426cfb923cb181aeebc79160da984f43d42129a26022db0274b67297cdb9cf32ea35fb1fd61df5226022b1dce2662afce5

Download Submit
C:\SysDrvL1\adobec.exe

Filesize
3.1MB

MD5
f4f6f0f4a288cb7f683e2db0de37e3ce

SHA1
4016b038d5eb026586b2a8e8bb78057fd9109b7c

SHA256
46435f55bff2f8f855fde4728e2ad6333f9130b7e151403adc621cb1c2699d0d

SHA512
29f9f7bee6d20f6878be916fc35528e7f8f515b2349581d4c2f2dcaceb63cbdd5fd4be8a2ebb4f514d572cb41f4c788b593e17811f786918376dcf865dd3c3f5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
01c1931ea180529b3fffbac103a2ae33

SHA1
3aa6b894d8360b9ff1c446187e5feadf0fe531a2

SHA256
cb90cab0d532f21a34afa7d2ebba598272fb97b68883b181c5d037bb73fa4535

SHA512
f89f4976d789724ac48adac9cf34a50347dce73d8f47849d2be51af3a8dd716471a4f95a3da4e3b57f3cbdad4e7d02ec7fdb2b413477258f3abee18b9c6126a9

Download Submit