85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
Size

4.1MB
MD5

fb7578361cb2052da97c195feb5a5232
SHA1

39896d87576febc3924ffdd2be544644d4052b11
SHA256

85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852
SHA512

b93dbfcda4f4c4ed49e2e81f219bee564a277e3c0fc464f17a4ff85991baea05e5dadcc0c76f7ce47acd4658994b16e5eb4f6b5f0b927fecaa394f32d3ffefde
SSDEEP

98304:+R0pI/IQlUoMPdmpSpO4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmF5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3476	abodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJ5\\abodsys.exe"	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxC1\\optixec.exe"	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
3476	abodsys.exe
3476	abodsys.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 3476	4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe	89
PID 4084 wrote to memory of 3476	4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe	89
PID 4084 wrote to memory of 3476	4084	85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe	89

C:\Users\Admin\AppData\Local\Temp\85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe
"C:\Users\Admin\AppData\Local\Temp\85bebaa2471175d73b91286c8870cdcd6b03aa2a80924a2c362d1497765cd852.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4084
- C:\SysDrvJ5\abodsys.exe
  C:\SysDrvJ5\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxC1\optixec.exe

Filesize
4.1MB

MD5
e12343c4320cdb66572016556f9d0c93

SHA1
04e949ad27c9c3bbf8e6938667907a7222d56f04

SHA256
71cc20708ec9dac79b5790c995e47b773591d1be32f5fc39a5955a1e4e44dcb8

SHA512
06994ccab0c055c2f1a5800d112fb5a916db8ad4d418eba9ab7b46cbbaeca4a7ea3c4e18389d27a21a989c864cce2bd8942e9b646405b5ccce9dd785c5e0760a

Download Submit
C:\SysDrvJ5\abodsys.exe

Filesize
4.1MB

MD5
2e75849e0fbde17a8524e01068c91201

SHA1
0a81519d1e0a05ab5595d7ed5eb6ed61749c9d59

SHA256
46dd9b56e02d7cb7ab3708fafb3fdf6226c0bdeea558cc559fec460dc2eb5f26

SHA512
b8b2602d98d54b597767198db719b3cb358880fbf678c26770611f30d7d142f53d910b3b5705c317897c37ee5f8cb36d59fc86df686489d2bd326336101b5e44

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
6330e19cd09d7c7e82ad204d9587e42a

SHA1
b4619f4b6e67b932f32cc29c7bb58c5c2a8ff94a

SHA256
5bfe92b071f52cc4dbc437e3110d3b6f87a7cfe6d755c810e1eb77993bef0fb1

SHA512
f8167aef826e82549f7960f3bf52870dcebde68875a86d77c459962524b5df645e958579b7bc985c5bda0290ee252589f45d47b5790d764da88d9292896cb04a

Download Submit