Analysis
max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-08-2024 02:53
Static task: static1
Behavioral task: behavioral1
  Sample: 4b4bb546dd9ad7f18ceb6c2252e66d10N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 4b4bb546dd9ad7f18ceb6c2252e66d10N.exe
  Resource: win10v2004-20240802-en
General
Target: 4b4bb546dd9ad7f18ceb6c2252e66d10N.exe
Size: 2.7MB
MD5: 4b4bb546dd9ad7f18ceb6c2252e66d10
SHA1: 7cbd6b8f616eafb381a701e1bfbd1139b5fc88ad
SHA256: 21888a0ed3dd718e5413f9dfee4965bd013fe1d4a22b08de092549c71c8feb1e
SHA512: 93fd0199381d389cd5416cfa48f7d27c3eb60378a050508b3b863f549d3eee77963130a2961c5827956bc5dc64147c53425542be9dad8eb509fd49d48a030c28
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBb9w4S+:+R0pI/IQlUoMPdmpSpn4X
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid: 2156  Process: adobec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeFG\\adobec.exe"  Process: 4b4bb546dd9ad7f18ceb6c2252e66d10N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPB\\dobaec.exe"  Process: 4b4bb546dd9ad7f18ceb6c2252e66d10N.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 4b4bb546dd9ad7f18ceb6c2252e66d10N.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: adobec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The 64 rows of this table consist only of the following two pid/Process pairs, repeated in alternating runs:
  pid: 2388  Process: 4b4bb546dd9ad7f18ceb6c2252e66d10N.exe
  pid: 2156  Process: adobec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  The following row appears three times:
  description: PID 2388 wrote to memory of 2156  pid: 2388  Process: 4b4bb546dd9ad7f18ceb6c2252e66d10N.exe  procid_target: 86
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\4b4bb546dd9ad7f18ceb6c2252e66d10N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b4bb546dd9ad7f18ceb6c2252e66d10N.exe"  (depth 1)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2388
  - Image: C:\AdobeFG\adobec.exe
    Command line: C:\AdobeFG\adobec.exe  (depth 2)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2156
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 1e662b9cf5219c820407134c82b0e4c0
  SHA1: 3284a7a99f2e7cd09b3b0391b3d80268a742f841
  SHA256: fb8a04dc1b737bea491dfdbafaaa278a05134f2676a007806cde3547ab91251b
  SHA512: 617193e883711571303c63885dcfd5e5f44f56f61a22f3c8bba085bc3c971e54e7fd4f674e0ef25ca8840042762ebac6524a76dcbacedb0a6f0386b6f695eb55
- Filesize: 795KB
  MD5: 2b313c77b3f9166b60cd4de9fba191f3
  SHA1: 43a017699c57a2f988b2f53b3fe78047557210be
  SHA256: 3546e2f8c6469310fb042f1b281e6e01ef0eae7864e0809a5a290a324a889e0e
  SHA512: 20750d1e5dc3deb4aa0e514a23fe217279c4b6994af218160cc180cb34c51d2cac17fb2cc5d663bbaee15d4a91ad65ff9ad728b0da494ba4d78d77850b69b3ea
- Filesize: 189B
  MD5: f164218d8d0912f26416b2b66e17ee35
  SHA1: 1ffac659c8be292fece2c7f31b6e7a1933aff9d9
  SHA256: 51ee169c3a5d540929babd3ee796d8fbbff5abcf986cb6fcd894a092477f2606
  SHA512: d0619fde8880c9633f066200d28b9124139e4288b936e9f9fa18dc7aec713e86adf076dfc5223559e718ed802270396550704d0f2e2e2a0e3d7998cc39b0d8cb