63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4df

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
Size

4.0MB
MD5

e0b22bed83463152450d0b89544f8b70
SHA1

d26937922e2062dfa9b815657b1060dfa78af239
SHA256

63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4df
SHA512

1187530c9491bd614354d4339b2b951c9eb045e8074e0cdb85e57ecae87a107aed1a32f8275974d23f29154c1364d9813bc6087648616f03888dcc5b926e776d
SSDEEP

49152:XxX1FcS3lxnI95u+euCoNJg3tZl0sc0AJqydiMFIpd/KFBHYvsZo4kF29o:XxX1vvKUuCIi3Ksc00BIpU7y29o

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\optimdev.exe	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe

Executes dropped EXE 2 IoCs

pid	Process
4572	optimdev.exe
1588	adobeapp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Cabinet = "C:\\AdobeC\\adobeapp.exe"	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\KABx64 = "C:\\KABx64\\systempx.exe"	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	optimdev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobeapp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
4572	optimdev.exe
4572	optimdev.exe
1588	adobeapp.exe
1588	adobeapp.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
4572	optimdev.exe
4572	optimdev.exe
1588	adobeapp.exe
1588	adobeapp.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
4572	optimdev.exe
4572	optimdev.exe
1588	adobeapp.exe
1588	adobeapp.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
4572	optimdev.exe
4572	optimdev.exe
1588	adobeapp.exe
1588	adobeapp.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
4572	optimdev.exe
4572	optimdev.exe
1588	adobeapp.exe
1588	adobeapp.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
4572	optimdev.exe
4572	optimdev.exe
1588	adobeapp.exe
1588	adobeapp.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
4572	optimdev.exe
4572	optimdev.exe
1588	adobeapp.exe
1588	adobeapp.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
4572	optimdev.exe
4572	optimdev.exe
1588	adobeapp.exe
1588	adobeapp.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
4572	optimdev.exe
4572	optimdev.exe
1588	adobeapp.exe
1588	adobeapp.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
4572	optimdev.exe
4572	optimdev.exe
1588	adobeapp.exe
1588	adobeapp.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4572	1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe	88
PID 1800 wrote to memory of 4572	1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe	88
PID 1800 wrote to memory of 4572	1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe	88
PID 1800 wrote to memory of 1588	1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe	92
PID 1800 wrote to memory of 1588	1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe	92
PID 1800 wrote to memory of 1588	1800	63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe	92

C:\Users\Admin\AppData\Local\Temp\63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe
"C:\Users\Admin\AppData\Local\Temp\63be1f15eef64f050d5b6fcac168219028c5252a76b4c1f80dfe67a5e8aae4dfN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\optimdev.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\optimdev.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\AdobeC\adobeapp.exe
  C:\AdobeC\adobeapp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeC\adobeapp.exe

Filesize
647KB

MD5
4c2384d468682ac06dc2dbb9df09ff43

SHA1
66dff6c3d63a60195a414eaeffdaf4cd001ff7da

SHA256
b5ab99a3c6b2f1c646b623d2b37336d8cf25569cd53f94dfd9ea56c4afd04b07

SHA512
5656073288d573959d8c305f799fc6c45bdd9ec47e001d91474b1c6324d5b8628e359ef2f30ef188f02d6c0af190df210a082395e5403edd8a64fe7933c882f0

Download Submit
C:\AdobeC\adobeapp.exe

Filesize
4.0MB

MD5
9f1aa7fd38a89afd10b20b6b69511c63

SHA1
4316b6cb5059716e7b47dda9152fa0e9977cf182

SHA256
096c8f3055f6cf7050101871997f8da3c508d51da2cdc398d565008cdbb1522e

SHA512
c03442018af137969f34c387cf05a2a690692ec991ff414260688d3262adf8e04e831ac888ff9eb183963fe3207a0ac26f283a09b8bc310038d2c10348d8863e

Download Submit
C:\KABx64\systempx.exe

Filesize
2.6MB

MD5
29271f26a2f919971b1cbaca3b1883a5

SHA1
eec20dc81f18dc993c9e81369afb459c4bc0303f

SHA256
50d9aceac24dbab08f2582deb674f60cb9bde5106cc6bf6f8fde671bef6842f2

SHA512
fcf3905e6f28a0edd18c20bbae721f452e41f8ceea11fe1c8622dbbdc62755ebb8102743a781f2b62292e15fdd38d9a00866aa5b4f1037d83e73746ec9813a7d

Download Submit
C:\KABx64\systempx.exe

Filesize
1.4MB

MD5
7bb604dc98bd8a596ddfbe50a7448d1f

SHA1
0e6b21794f1fb404d636ff033eb521582452de5e

SHA256
14ba330f0c0d0646b187a655a6e2b48907270cb17d819ffb397408f85c49cd17

SHA512
bb391cdbae921aac29c1c51223dfa7cca8818b838cf6a4581ac3eb97553a1c3aae2793dd9794c3f8d583a7e762b361de27189f74396a9a66541ebbc92eafcdd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\optimdev.exe

Filesize
4.0MB

MD5
d837a2a5b5424a9a701b4343632d61c0

SHA1
e2f149918cf5af91b0a4da6ae54ebaae388d0972

SHA256
3f27b7be139aebf22f0df0f06dae3c485c844d2d220a8527e8876ceb03ac0f06

SHA512
7b3932167efda9799bdac399d338c49dce05fef2d4468c9bc0d597e9f2ee988d66fb3c7deb6a40df82bcc83df1f1ae6e78ad7395de1ecf13bd4091be9bb08c40

Download Submit