a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
Size

4.1MB
MD5

4dac0566d53005f3551ba5847cb96876
SHA1

7a98dc3b9e56f5aa0006f09e2d649c05b91f9c28
SHA256

a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf
SHA512

8d19c8e4bcbdce17bfb2268e5d12eb9486466d6859a9de23285df5583fb91a0a1d574953a314e7eb1c68fd186ade2dd7f6ff27175c2fbe10d0920eadc7e023bb
SSDEEP

98304:+R0pI/IQlUoMPdmpSpn4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmM5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1924	abodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocNW\\abodec.exe"	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRN\\optixec.exe"	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
1924	abodec.exe
2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1924	2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe	28
PID 2460 wrote to memory of 1924	2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe	28
PID 2460 wrote to memory of 1924	2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe	28
PID 2460 wrote to memory of 1924	2460	a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe	28

C:\Users\Admin\AppData\Local\Temp\a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe
"C:\Users\Admin\AppData\Local\Temp\a6f044731fb8024e765126cbe3a879b9309d4086e61c9697fff46a320ede0bdf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460
- C:\IntelprocNW\abodec.exe
  C:\IntelprocNW\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBRN\optixec.exe

Filesize
4.1MB

MD5
81f291720a8bc5daba91c19200fea463

SHA1
3a2f171958e5d8f70c54a54f9d717ea6d9c7c19e

SHA256
bd761f0c46a61c01146b1f3c026e3f7c798cc9b20a7884f70b301fd4019f4879

SHA512
dae3cd63561f660b6d13b254865ee63385b9acaf2326fd62532b356e8f9ab34a3e9aa14b4b1141c6b6e8eabad150ba2fcd70b32df3a16565bcca152d59020345

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
f53dc2fba1a9798f2353ccb1b415fdda

SHA1
91e3712aa3a3565565bdba1aec8cb0d4b5c50325

SHA256
637d92bd3758682e4abe505277bab82eba193d399fdbaa662a7433ffc6dc7b47

SHA512
405e55ca4a7d508c672610e8d5003874eafa4c157e81e3d9a1e38d58730d25ebdb86bb00c633d8f85f0f5075d84e4dd462777b8ac6a5815a1e4d2e5f8a881961

Download Submit
\IntelprocNW\abodec.exe

Filesize
4.1MB

MD5
f137d3746bed31115a10b2e49c4dd94b

SHA1
22c1799b8c11fe2e111122c909af7147901360eb

SHA256
143b0a12a0a063b04f8f290e8bc10aa0793e8a074d2cc8e088c5964d746a1d6e

SHA512
7650890be5b2161df961098e4a87263ac6cd303203bd07da1317e95a714c8f878657855682c186f30a4bf8da00fc57e7e52de57aab1abbdf84b9b8e5ee8c0140

Download Submit