d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
Size

2.7MB
MD5

71699b8a4d6581b361f4f739be428259
SHA1

a99801a2db6c921471d030730acf8b482b4583b8
SHA256

d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511
SHA512

1c39b537900f2c9cb29952152dff0e3ea92d8993d742d7c93a101d0a4547ea8799477d6dac5f403cd03a073bc7d226589dac14fd3021bb3b56e269f5a75ecd01
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB89w4Sx:+R0pI/IQlUoMPdmpSp+4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1744	abodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvID\\abodloc.exe"	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidM0\\bodasys.exe"	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
1744	abodloc.exe
2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1744	2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe	28
PID 2040 wrote to memory of 1744	2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe	28
PID 2040 wrote to memory of 1744	2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe	28
PID 2040 wrote to memory of 1744	2040	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe	28

C:\Users\Admin\AppData\Local\Temp\d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
"C:\Users\Admin\AppData\Local\Temp\d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040
- C:\SysDrvID\abodloc.exe
  C:\SysDrvID\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
a2f727487b16116b138e3f3de539bedd

SHA1
ec898f88cb2e05c2cec74cd354539119331246d3

SHA256
2e32999601114e0ee120faa1bc7b58296bcb28e69edc4e9db5e4406ab6b05b51

SHA512
fa3acff0c6c46b48cd9efbf5b51db545a61cd5b0035060053ce1d6efcfac95b14fee70208e1b3699b0ae02329f80067e1de2c215b08bba575a39cac39d5de5ca

Download Submit
C:\VidM0\bodasys.exe

Filesize
2.7MB

MD5
0dbec55aba27e1810b0032d39c5a3600

SHA1
cbf6e4786b69cc0939968424a7fe04b53b86b296

SHA256
14c6489412d9e207896c3e6bd1b6d9898a11c1c75d5b8a9a1f5c129c2489ee8c

SHA512
0edab9d0923a70f9d076af2a909b590e1389a39e48b552faa8ef5ecf4725d4c9c5c52210d5ecfd8a82dfe4e15707c87fc6106b9fad15b029168c9c72c3f317e2

Download Submit
\SysDrvID\abodloc.exe

Filesize
2.7MB

MD5
b5282f02fcac3ee4e1275de6f6469941

SHA1
9585ae3fccb23cf0530ec1a2121c8d02bcdfffd4

SHA256
be40ef2d80d31ba6d29424bfa94b059b9fd15adf884c3d6d91a148c7d4ff38d2

SHA512
1f45fa4b5a33d722e59373a96d1756843f985e6b6c2c3014883659311ab333b600d43591274a650d1b1167d42fab375b2563ce405795bdc70be3329053071b20

Download Submit