ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1

Analysis

max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
Size

4.1MB
MD5

a9f408bc334cb1ec3a6c1178e6f6d8f3
SHA1

8b4e78dd371be65149ab1d9e4c0f1d0bd598332a
SHA256

ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1
SHA512

f548ace253b1a1578cae9193f869f06951e2950249830085845c489565a53e371e688d5ba7b0ae7d3ec3cf32f3d5aad46177220a527c1cc35764b47a2f97a6c9
SSDEEP

98304:+R0pI/IQlUoMPdmpSpo4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm75n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4744	abodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQA\\boddevloc.exe"	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files73\\abodloc.exe"	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
4744	abodloc.exe
4744	abodloc.exe
3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 4744	3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe	93
PID 3488 wrote to memory of 4744	3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe	93
PID 3488 wrote to memory of 4744	3488	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe	93

C:\Users\Admin\AppData\Local\Temp\ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
"C:\Users\Admin\AppData\Local\Temp\ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Files73\abodloc.exe
  C:\Files73\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files73\abodloc.exe

Filesize
4.1MB

MD5
b87bb98dd0aa8d82dbcc34e606d2b67a

SHA1
806512a5a2fcb9bdaf52e281f0fb8a49962348e5

SHA256
d70770183298b52e9f849dab60a6647107e0a11420634b48be5c2819a81c4cb8

SHA512
94bbc9868f2188d1b6b4fc28b2211c9dd0c6ba431d79751a36128c820c66357b6329dab970285f0af2c740e4197839b3e882c70e62f389dda00025fe84c4c3a7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
c3a719cef2340604387d8f5e3786e979

SHA1
29498572f8f26029966e677c8c49f1f4d22797b5

SHA256
27ac0b1d4ab230ff21dabab6ebf47ac1d8909831b346e8f2eda3601776552d48

SHA512
3d270db98fd596ad4184683ed9df2bdba1d9c6e3ea3fadef625128d50e9d8a5b00306586a0ece965b3786f633c9e95730b375553dd987e95ae7347ba101e1635

Download Submit
C:\VidQA\boddevloc.exe

Filesize
4.1MB

MD5
2c40367ac383ae6b489cf6aece4b4fa0

SHA1
093451c4012f846598965422b34682c46882df5d

SHA256
a1064c1933fb26b67a036e3fbb76d345372bd739ea27be3e4ea1d1a18fe0707d

SHA512
c295b6359408abff5c52a6dbe2e5c24d292d47a3521544ae48a23094af0a8b02e034def2898e66a8f659677a78018de1117e3c4029deb48b01f2f191cb9a4455

Download Submit