78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
Size

2.7MB
MD5

f4c15e4237f6e469c43c0e960221427e
SHA1

905870f4120e5952128f7a77411b89ea4c21c6b8
SHA256

78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c
SHA512

13e1be3f3b49581c091c09cc0ec078c09c80b36b5ca8c989f5bcb3e62a4655d213e598e9d37bd64f09f444508f313c1726006ed09fa6dffba30de857b44a47cc
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4S+:+R0pI/IQlUoMPdmpSpe4X

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
664	adobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFA\\adobsys.exe"	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZ2\\boddevloc.exe"	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
664	adobsys.exe
2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 664	2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe	29
PID 2256 wrote to memory of 664	2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe	29
PID 2256 wrote to memory of 664	2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe	29
PID 2256 wrote to memory of 664	2256	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe	29

C:\Users\Admin\AppData\Local\Temp\78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
"C:\Users\Admin\AppData\Local\Temp\78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\SysDrvFA\adobsys.exe
  C:\SysDrvFA\adobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZZ2\boddevloc.exe

Filesize
2.7MB

MD5
9ae47d0d836810fa4bb87b27717b4310

SHA1
daf576310679e3c3c6e231263ef580fdc21cf254

SHA256
98923add07da699b02dc999904c5be70a4afd227cc42ee6dc34d7c98b4889148

SHA512
54445aa6ce59e9ce603a676b4b6595f966bbf88b3fc3dac07336aa041addbb36510e23e9012f1370ba091b6e9e8b77a8f4dd0869463cc7c87a0c70f1e5173056

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
7a2a4308af507a1970046d1b745c1f38

SHA1
c1b2c79053e25db0c099e9fd6e7da4cefb9c65d2

SHA256
1b646346df74a141b449883eb73563235e6feddc14534883128c1753e9500096

SHA512
bd5f47b579e1e529043031f732705b286677faaf276872d00c787c4b46d561efcbcc5a4276bdbc02f18636364b4eb76af6e7055467fb6d2490305ab381bf0cd1

Download Submit
\SysDrvFA\adobsys.exe

Filesize
2.7MB

MD5
591a798bc4dc96a12d3e17d40bd20063

SHA1
1bc2b17fe51b35841e3b6862bef0ef19a69c0ff1

SHA256
b86447cec45ea8933c7d48176a62212cbd0214562b8e9c7a182a5eed925f7711

SHA512
a987a1304a23391e8bfc657333091151a8629c9cbe8cc86b2c1f95d3277663fd08597723bc44d95562c60229d23b2b5f24e65f162750442a9ac997e656722aa7

Download Submit