6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 23:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
Size

4.1MB
MD5

1aa0e934fb199cd06b1578ba7a55bf3f
SHA1

752bb480a9dcbbb75e4c653765909ed1cfda2a11
SHA256

6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638
SHA512

254fa64303238f333adf03c982382e328545c0dd75ce7a2fe5ba6dac2d2081a1a5deeed3cbb31a77f60264e8cf4b5c8ec00e8161a4386f34c8ce029e7965dfa6
SSDEEP

98304:+R0pI/IQlUoMPdmpSpo4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm75n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1848	abodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7E\\abodec.exe"	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSJ\\bodaec.exe"	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
1848	abodec.exe
2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1848	2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe	28
PID 2972 wrote to memory of 1848	2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe	28
PID 2972 wrote to memory of 1848	2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe	28
PID 2972 wrote to memory of 1848	2972	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe	28

C:\Users\Admin\AppData\Local\Temp\6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
"C:\Users\Admin\AppData\Local\Temp\6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Files7E\abodec.exe
  C:\Files7E\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZSJ\bodaec.exe

Filesize
23KB

MD5
14ed38654f412fc799d92e4c3ac4ab4c

SHA1
b46d068b8bc01faa17db3972a9937e1e8d63703d

SHA256
07604f5f02331392f17d49a573bc8850c01edb166350d7d77db5d74867abaca2

SHA512
dbd3f47f0c092e5b9f6daa11ce9cde0ac03fa180eeace2d807d474daa5e71ea6c548e9fc67e10345f7e9427e42ab2e7dd2d0778743b46616387888fa87616849

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
197B

MD5
ca143a752fd7db7376e902092fe511b0

SHA1
c152837eebe2f879bbe5c0d65505f474a1e4bc7b

SHA256
50ecc5379bf5ab8b2a0ae5960cbf8e1694e517dafd23ef49f05cae7e2266f497

SHA512
b853f81324a96f10019593bca06dad256bbaad63d3c1a8322a5ed1af7bc58763ef636fdde659bc1797eb8ffeed56b262dd64e6e19db872976e05b95bb2832a7e

Download Submit
\Files7E\abodec.exe

Filesize
4.1MB

MD5
0929ae1122bd380f85a490277907249e

SHA1
dea8c24179951ab660d8d8f0236ff4bc30d01663

SHA256
616323e4d9582d7db52a171cd17f4d94be802b67d667cba7d348965fba168066

SHA512
dde68da26d0cc4d27e8c58fe2486e51d2b2cbe4d579690069ad0cab2f3eb45c43317a1585189f51d1affda5d749b329e259e26637d4b7593ec466573a66f63ee

Download Submit