343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
Size

4.1MB
MD5

724c20f5e46ac4d10f2d704dc8b13907
SHA1

33c036a22fd7987ac13b38581fda85b9e1ba0b1f
SHA256

343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0
SHA512

441f935a8b15dfa7cdab23ea477e376b24277ea462c6ca947d8d5d2619d48e46a245639d64777d52dd5c90d468e9f59aacf26757105b049eb5ba21f6f43ca75e
SSDEEP

98304:+R0pI/IQlUoMPdmpSp84ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmP5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1808	abodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPD\\abodloc.exe"	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3L\\dobaec.exe"	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1808	abodloc.exe
1808	abodloc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 1808	332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe	92
PID 332 wrote to memory of 1808	332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe	92
PID 332 wrote to memory of 1808	332	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe	92

C:\Users\Admin\AppData\Local\Temp\343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
"C:\Users\Admin\AppData\Local\Temp\343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:332
- C:\SysDrvPD\abodloc.exe
  C:\SysDrvPD\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ3L\dobaec.exe

Filesize
3KB

MD5
3161dff010f251bc927e6e78cec9f490

SHA1
c2d8e5e54300810e861e8bc27b869b3e8053b8f6

SHA256
b1a15ad4b5bb8edcf1808226895d8dbb5d7a9b52f7859584e51dab938991a13c

SHA512
40a22a64ff72d4b9528f24e1cc4a5a59e79cdc441d00f9a9853cac1a3cbde37f264ee95d3fac212e89beb62a050da325fb2191f881422f57ba38ce13876e4679

Download Submit
C:\LabZ3L\dobaec.exe

Filesize
4.1MB

MD5
9141a24de6d7179c560d3f307396b20e

SHA1
1a19f8b081536d39725357c107fa07c9d235e615

SHA256
2b875e7581e6b918ca4da127cd7630b3f68e9285bf93d23876ccb82e0f4a5798

SHA512
50f81a210a2101a469bfe832be1ebae4c5fc97b5e63cd003170bd1e3022f5d63c7410e277c38e229672d5f6017a48a9ac494faca1ff976f59d8601d1f861f5cb

Download Submit
C:\SysDrvPD\abodloc.exe

Filesize
4.1MB

MD5
838766a01679adf35fc3fca0f4cb219a

SHA1
ffd44cbf72257630a4b492bfe6c7135860af3c0c

SHA256
5f74f1b549346d9e4fa65ac2a86e54d70b27b368784b37f055af244231a72b24

SHA512
637360af855abe14caba1b8bdc77608265167fb702a2e9cb552ce784e839d6af2f9cf21c1f90d7d872dfa9b4478c46893cc64bef14cfb5b9e314d7f97203512d

Download Submit
C:\SysDrvPD\abodloc.exe

Filesize
4.1MB

MD5
838766a01679adf35fc3fca0f4cb219a

SHA1
ffd44cbf72257630a4b492bfe6c7135860af3c0c

SHA256
5f74f1b549346d9e4fa65ac2a86e54d70b27b368784b37f055af244231a72b24

SHA512
637360af855abe14caba1b8bdc77608265167fb702a2e9cb552ce784e839d6af2f9cf21c1f90d7d872dfa9b4478c46893cc64bef14cfb5b9e314d7f97203512d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
2062a94fc7b080a084ac8e4100e1e4c8

SHA1
8726038c94c09d2c8fac0e59aa9537472bd24e26

SHA256
2594492bb677b5584c5eab188a240b4d26e2ff635a52f9c617f742f8399f1b13

SHA512
9d536e3c23a49b4b706d7f576d7d0ab2b499406e924cd4d6ca7c275abc695c298362d6717cc766e50a8840266f9b31f13de7bbe5112389e3f89d7a6b0e013b30

Download Submit