94cb60d51eecef2d0ef53c025d6f13e7062f62a3dfdc28f1a872b8e2914277a6

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
Size

3.7MB
MD5

338d88af3eba6e44ee41e2e4521f7860
SHA1

0037a6254e5236b718ddcaac7341f6285d8133bd
SHA256

94cb60d51eecef2d0ef53c025d6f13e7062f62a3dfdc28f1a872b8e2914277a6
SHA512

ec4e22d7b9c7a34494415e9730f8a539f3f2335ec9f9c780033fb88921dbd7f20f57ecf89ddf7a5de603967e010070ae6dfca57e0340d4c4b91649d31962b195
SSDEEP

98304:+R0pI/IQlUoMPdmpSpd4ADtnkgvNWlw6:+R0pIAQhMPdmK5n9klR

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
840	abodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc9S\\abodloc.exe"	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidI7\\dobxsys.exe"	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
840	abodloc.exe
2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 840	2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe	28
PID 2096 wrote to memory of 840	2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe	28
PID 2096 wrote to memory of 840	2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe	28
PID 2096 wrote to memory of 840	2096	NEAS.338d88af3eba6e44ee41e2e4521f7860.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.338d88af3eba6e44ee41e2e4521f7860.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.338d88af3eba6e44ee41e2e4521f7860.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Intelproc9S\abodloc.exe
  C:\Intelproc9S\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc9S\abodloc.exe

Filesize
3.7MB

MD5
2aac61a6638df7a9eee3ae2a8c0d2e11

SHA1
c8040f65afa7df29dfa8ffd3dcb1212c9f1c1c01

SHA256
fa6d7623bc83060cbcefb223bb50edb91c9c89049530e845789ec402a7610042

SHA512
9755596328a4dd07b296e4cd6f9df653f51998d5f433e685cd161396c56459dce6944d7ac5e0342d11b5c70c251bd2ae777b5988e787b46f411847ee127a547a

Download Submit
C:\Intelproc9S\abodloc.exe

Filesize
3.7MB

MD5
2aac61a6638df7a9eee3ae2a8c0d2e11

SHA1
c8040f65afa7df29dfa8ffd3dcb1212c9f1c1c01

SHA256
fa6d7623bc83060cbcefb223bb50edb91c9c89049530e845789ec402a7610042

SHA512
9755596328a4dd07b296e4cd6f9df653f51998d5f433e685cd161396c56459dce6944d7ac5e0342d11b5c70c251bd2ae777b5988e787b46f411847ee127a547a

Download Submit
C:\Intelproc9S\abodloc.exe

Filesize
3.7MB

MD5
2aac61a6638df7a9eee3ae2a8c0d2e11

SHA1
c8040f65afa7df29dfa8ffd3dcb1212c9f1c1c01

SHA256
fa6d7623bc83060cbcefb223bb50edb91c9c89049530e845789ec402a7610042

SHA512
9755596328a4dd07b296e4cd6f9df653f51998d5f433e685cd161396c56459dce6944d7ac5e0342d11b5c70c251bd2ae777b5988e787b46f411847ee127a547a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
d2038f619d560dbae325b207d7f82b22

SHA1
544996620953379d210211a2242706665249ca8b

SHA256
8202bedac7e6a7ee2d423197dae7e151d1582dca31e839ed669db361d5308ac6

SHA512
c5f6b9f2c968b8142810bc3fc9bd393b2fabbc2b9d79d34b442d92808df1ea67a6a34aa5a570c059d5e33e836ae69faecd424db9e2340850fee088ec1b106fac

Download Submit
C:\VidI7\dobxsys.exe

Filesize
3.7MB

MD5
600961e5625a5c382ff5358229f66acf

SHA1
b7255c4583b19be9a0ca8307cb2e741d29cbc6e3

SHA256
1513ed7b750c64f350598b7148895a36f3961a38d4bf547ec62c98d4bc3f3510

SHA512
f499404fb68fed662e355fd7e2d36f99732641ee894d874319684d19eca666adb3cd0c7a831e627e946538615f00a551f0818c13e6871a0196cb467a63481494

Download Submit
\Intelproc9S\abodloc.exe

Filesize
3.7MB

MD5
2aac61a6638df7a9eee3ae2a8c0d2e11

SHA1
c8040f65afa7df29dfa8ffd3dcb1212c9f1c1c01

SHA256
fa6d7623bc83060cbcefb223bb50edb91c9c89049530e845789ec402a7610042

SHA512
9755596328a4dd07b296e4cd6f9df653f51998d5f433e685cd161396c56459dce6944d7ac5e0342d11b5c70c251bd2ae777b5988e787b46f411847ee127a547a

Download Submit