aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
Size

2.7MB
MD5

bc68260f81b45ed1becb124e4474885f
SHA1

a6613403a31074c52beb434b612849949d226262
SHA256

aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6
SHA512

a45052f294378a6752254097096025ac0eccdb3c7fe797d0bd755ecc236452e21912c3a365fbb478c63e263745f72cb14a2b6a495480bb42c60c5093613bdb6f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBz9w4Sx:+R0pI/IQlUoMPdmpSpH4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4520	abodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUD\\abodloc.exe"	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3B\\optiasys.exe"	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
4520	abodloc.exe
4520	abodloc.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4520	3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe	90
PID 3092 wrote to memory of 4520	3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe	90
PID 3092 wrote to memory of 4520	3092	aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe	90

C:\Users\Admin\AppData\Local\Temp\aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe
"C:\Users\Admin\AppData\Local\Temp\aff46f15294f2eafb7b10955cdb0b9f58f763946298ea76f076fe4f5054ee9d6.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3092
- C:\AdobeUD\abodloc.exe
  C:\AdobeUD\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeUD\abodloc.exe

Filesize
2.7MB

MD5
5a5e54740054c0c468f9b6cd6194fd30

SHA1
915055979e3fb6e633b2c2ea51e69aba5d615f23

SHA256
f4a0f8d3d8e7b236ba9de8bd4c7f0d9cb065b92d5c5f492218f8aa1af6d369fc

SHA512
82bc3d38db78a72e4e4a514c760f0eaec3204f7ae6623c1b1a31d00882a1921dff1b1e12c42bc3d2509459877e17121bbbf140176713e35db0ccc3617674a1f1

Download Submit
C:\LabZ3B\optiasys.exe

Filesize
87KB

MD5
5fc1f9f32cfb77cb9db101e35961ddb1

SHA1
5ebd1979f26a5d2549ebf75a125241e3e8424728

SHA256
091c739a335c593cc8f134193feadaff9d55db5695329aec1b532c475d41dafe

SHA512
1aef814c98ccc925feb3ddc6e74da742e8eb21a58fa6a79b76c203116cc24e98b2a77a2c95ea440c57a615d7886977c00b161cb56ea0fbb7872e87009f059699

Download Submit
C:\LabZ3B\optiasys.exe

Filesize
2.7MB

MD5
4930d96cfbf708e3aefd2eb3f031a068

SHA1
fd482438c1a682c2991df623de73b46f1b513f27

SHA256
a2538a0b2adc175cda09bb8e26066f6dd271bf560aa284be7244c953e64093d4

SHA512
fff3922f1f2c8eba0041773a0132d80c9997f4274920fe5bbc888e8158b65fae75e56835ab51745661529d6b5fb8b7e0a1422801a2483bc576fa0fc4655649a9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
b72f62d928024eeffd209b704a40e874

SHA1
a56fa244779e5567d58d8b34240cfad5233aa98c

SHA256
e957a510896ebd700f5b36fd4c255533057d592b2aae768e4ab72f3b509d6fa6

SHA512
a042ca72c7f1d2bffe30d7b7d5cc351e2027cec04dc490c519b0311ed33e1ff26a0bd80876e35bdb086ba00f7d9152eb93461ff19e55ca00106ed9e2ac7110bd

Download Submit