406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
Size

2.7MB
MD5

76b8c5f16aa7ee3bbc92dae4f8a34dbc
SHA1

a23b9e2fdd3ec912595a35452e3ae7552e3c43f1
SHA256

406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51
SHA512

276efee4a15b5acc2d8094f1a9dcdb028a75c12ac62a222d0b78297c7ef848ad449f7d0f8302101756e1d0d922cfca7daf557a20b55c4238ab8e14464c81fcf0
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBB9w4Sx:+R0pI/IQlUoMPdmpSpx4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2868	abodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJO\\abodec.exe"	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZY4\\bodasys.exe"	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
2868	abodec.exe
2868	abodec.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2868	1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe	85
PID 1452 wrote to memory of 2868	1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe	85
PID 1452 wrote to memory of 2868	1452	406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe	85

C:\Users\Admin\AppData\Local\Temp\406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe
"C:\Users\Admin\AppData\Local\Temp\406695b89a4faa66b440a35f0d28f8b352508b92f5eccb8d34e843e7ee242c51.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1452
- C:\FilesJO\abodec.exe
  C:\FilesJO\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesJO\abodec.exe

Filesize
2.7MB

MD5
24cf204a73afbc1b0d843526b1471492

SHA1
0ee85b4379e2d1cf15f7b50775530902731c5c8e

SHA256
9a45b4967ab599d43ed636d6c8338b60397442452811bca055bff72b1f205bb9

SHA512
8c81f781f22ab7ce74e16ff0513b6c8208de7f0e14e1937e43c44bb8a566a4c9f5b6baf3bca670ff8fa3595a54ecdd10bda4c5bd81c4649fdffe54221f869c86

Download Submit
C:\LabZY4\bodasys.exe

Filesize
20KB

MD5
7bdca6cf2d00ab8b26d8585b0da0c634

SHA1
c50ea7df9295ae9d1740613b1e76a0bf51f338b4

SHA256
29b763903a0d649bb5942c5703d71b907b3e6e6c4c6220a100fff6427318b831

SHA512
9670f9cd0a8d1ce4f61ca62fc0d126b204f631daf37364025cbdd8dd78e8d8b102c96e3dc6262965adfb921ab76015ec3114d80c8a233ba3427074ef2353cf6f

Download Submit
C:\LabZY4\bodasys.exe

Filesize
2.7MB

MD5
2d7e3b893d0989aec0d72722e809600d

SHA1
df3fafb0c8ce929aadd1e459e867e770bf507b77

SHA256
69c38e255b71e5c5cc4f6c9266ad9957d7564c4e92f59bfb295bf5e3c2e2d1a8

SHA512
1eb0e1b91f002316413670df8183ae233d35de332c36efe58456ff8e2104459b68441bc9bcbcf1e721939e8138dda5519349bbbb7d271cb327170328ddcea9fe

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
e57343c40fbad2779d31ba6b30462fd1

SHA1
16673b0baa6124cbd646a6d3cf098de40552334d

SHA256
7585daf11515ae45bab913ee0f524b40bd0704529b59c717ebee85a46b8a802b

SHA512
d0718af09c4f080b0e5610defc4783e1b351f9a33dd39e3fb9fb1ef301a7b0c47bf0e5ccca33d0bd9a71624bf01023f7fc4636176ac5ae9853f2866680185ed4

Download Submit