eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
Size

4.1MB
MD5

25b41cd2c03b1c669aa06c5f7eed17c9
SHA1

32fd257b0d3c8efc7b2f2448e2b0516aa1edb3d5
SHA256

eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48
SHA512

f3cf051644ca2d99a1253c06482b69288083d9e994d20b61df6c3dfcc258a96b15c291f60ecc47bd8b28feb14ca995ff9c4f9a3e2ebbb237f3cb93ea9b415c9e
SSDEEP

98304:+R0pI/IQlUoMPdmpSpn4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmg5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2996	abodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXC\\abodloc.exe"	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHX\\bodaloc.exe"	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2996	abodloc.exe
2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2996	2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe	28
PID 2320 wrote to memory of 2996	2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe	28
PID 2320 wrote to memory of 2996	2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe	28
PID 2320 wrote to memory of 2996	2320	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe	28

C:\Users\Admin\AppData\Local\Temp\eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
"C:\Users\Admin\AppData\Local\Temp\eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\SysDrvXC\abodloc.exe
  C:\SysDrvXC\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
bdb6c8b11e1d4c48094545dcc958071d

SHA1
d1ab91decb2147dc9d35088c874d79894962b19f

SHA256
65e317eadce08e1407734476ca9b0cb53c79cc2b48e4c9776d71b49fe05b611b

SHA512
873af814393658b3cad72fba4503f38130bb5f7754b74e7769c1de1015d952d099a7cabf47b607e1a3e8d889f75310ba7799d67eb796097df7cbee8f3cd9b42f

Download Submit
C:\VidHX\bodaloc.exe

Filesize
4.1MB

MD5
c99bd022444c184d80a977765c9680cc

SHA1
6043f0445f9a021a1d2c289055463fd7367eebdc

SHA256
86b6aeef545726d7292357c26153e12e95647487b7b1aedd1e4343119cbf0b53

SHA512
d5d396e8810636d7d8ea73a089c370678b9b50010d37b20207ace9b29ace3ab939acc5f3cf19a3ce724004e6254fc86f171e5068578ca5bec9b83e27c610777b

Download Submit
\SysDrvXC\abodloc.exe

Filesize
4.1MB

MD5
94adbbd40e9754e122151f5ad5bb9a3e

SHA1
507904c96d71de70250b66e0cd1a1d69a6ac3262

SHA256
42abf6c1823076baefb21f38ae0844889cc3335f67817ba3441ab329f71b8b7c

SHA512
225911724da4ee97a45e59e8488922f4052e4e00038b423505cd33ae7954950275fa4761e8b181b44e9d7c5aaae5e2c16ad80b26c59d007ec2694b2c88d31fc4

Download Submit