fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
Size

4.1MB
MD5

9b813683e9c38940244cde4701914b7e
SHA1

0cbee4e8a113a7bad4cf2330cba16c600229b52c
SHA256

fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e
SHA512

a8a362cd736d195d26f7a2ccce8fe465951dceb38d45be52a9542fee2162c5ef6b0043f165ccb8ebc1cfb0f8478573f389cfbec5ed925bcca9271a67e70122e8
SSDEEP

98304:+R0pI/IQlUoMPdmpSpO4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmJ5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2968	abodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTX\\abodsys.exe"	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZFE\\bodasys.exe"	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
2968	abodsys.exe
2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2968	2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe	28
PID 2964 wrote to memory of 2968	2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe	28
PID 2964 wrote to memory of 2968	2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe	28
PID 2964 wrote to memory of 2968	2964	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe	28

C:\Users\Admin\AppData\Local\Temp\fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
"C:\Users\Admin\AppData\Local\Temp\fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2964
- C:\UserDotTX\abodsys.exe
  C:\UserDotTX\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZFE\bodasys.exe

Filesize
157KB

MD5
f11955f6bf73c6a26a1d929eead68abf

SHA1
56342d3ef0e456e6fa3b103c489bd59ee13da282

SHA256
89893dadb88e56ce6858b2847b15e94a1b6edb269342e258d1dd1c1129790038

SHA512
6866f41b99fa62452f07698615307e1f3f671bd3012bdab86268bb299a009207102a044de67cc44572936eab0249bbd3a84feb17df7ccf5ccef9ab26651575be

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
0a44e3699c18c4d656dd9ea7cd1ee926

SHA1
dd7af9742c39e4148b2c8c53e0489e71d8eb0665

SHA256
d57ffc1296f56f5242622c9337b89cbe856884129ea8f0c9d274bddf7d19ab3f

SHA512
bd0319591b7962cdcc23eaeaa1748f557b735e82991abc3024410fd8adbededc26e0304d68c44e9d42e4bbaf447973acb213844ccd5bbc673bd1f46ab0aa5442

Download Submit
\UserDotTX\abodsys.exe

Filesize
4.1MB

MD5
3522f9cf166dedc9e6d243bd3689fdf0

SHA1
e539a1c3bbf4c495cc249d858eef3c2e8dca24ca

SHA256
229451edec2d7d4be1c45d008227e62c8eb1c72603a9a5fe3f9642b7d4cc53ad

SHA512
57902be6abf88363aea02aee69f97aebcb048d5167a24f9342596573a050cd6fdbdba9d4bf746b26a981df1d38878d72487e6691d50580aef5fd4d562b4b036f

Download Submit