2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
Size

2.7MB
MD5

a0455ba4c5e664963c46bba0bf2bbc75
SHA1

f105fc4f11e0cdd72bae81e0cdde61cda5ea3f3e
SHA256

2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d
SHA512

987900b2dff2961390af651a2cb75a742c74282e47d82386177d78e95be406e7d64c53c4a7f0c26aa7310e9d352c78abe6dad2c424a3d6dc1d6b790f0d967238
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBJ9w4Sx:+R0pI/IQlUoMPdmpSpR4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2516	abodec.exe

Loads dropped DLL 1 IoCs

pid	Process
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHW\\abodec.exe"	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0Q\\optiaec.exe"	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2516	abodec.exe
1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2516	1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe	28
PID 1936 wrote to memory of 2516	1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe	28
PID 1936 wrote to memory of 2516	1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe	28
PID 1936 wrote to memory of 2516	1936	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe	28

C:\Users\Admin\AppData\Local\Temp\2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
"C:\Users\Admin\AppData\Local\Temp\2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936
- C:\AdobeHW\abodec.exe
  C:\AdobeHW\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
f4b992294a82931a27cd883d2c8cc25d

SHA1
ed8a726d8c588eca88032cbd3c05508e44986c81

SHA256
88209e11a8e5cf41545e92e9a4be68a5a0bf95fe773fc1ffbad4bba96f0fa5ed

SHA512
59b01fe866e522d44377d84bf1d120ab7163478b35a85f4e996bb8bd60f85e4a7cd959fb0f6d57590ec9b17b613c431160930aa66e2e43a2e06bd7d614d23e98

Download Submit
C:\Vid0Q\optiaec.exe

Filesize
2.7MB

MD5
2dc4a7d42c7e1466b3a29c6653acb9aa

SHA1
1a01188d8aa8a18986ccf90c6670873d605fdc7d

SHA256
ba948ee76c2d8bb5847f176294847d0a4e0a296f5b55e6775ecf5aa1a6510b22

SHA512
63adb220357591c0fc5f980045e63f979b9294b08d441293f1ba6e8c7a39ff2e077e609bc11d8c4c83d4c4c6b7fdd0ab30d2e302eac423b8246332c082b1fd8e

Download Submit
\AdobeHW\abodec.exe

Filesize
2.7MB

MD5
79aeaa594e08f714d9b7e2b009e1bb9d

SHA1
e3df067c513ed106bd52c75fdcd1170203d5a55a

SHA256
54a18a69d750b6eca19593f761962b522eac5493996d37f6e75a912d5e2b7067

SHA512
89a8b320ec38d5de21b71fa86373be98a62dceef4771fafb1359f99215de05f0f752d5316fd68dd55e4fe5fce42d32682f56171e94d72a9a3fc88584a5f35789

Download Submit