038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
Size

2.7MB
MD5

ad68e1539676f574bf98960072aa7102
SHA1

df79721d0f842a62ef8d45c57e7228edf6cead35
SHA256

038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b
SHA512

e72790069494054cdd3ab17f58d28f87d0378048f21b86aa7601c6c36d84324037ee7bd0903038ba1386496ed844c8a7c89998a38462fafccf45a6957b6223f0
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBYG9w4Sx:+R0pI/IQlUoMPdmpSpl4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2960	abodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0I\\abodec.exe"	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidWJ\\dobaec.exe"	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2960	abodec.exe
2960	abodec.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2960	1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe	85
PID 1668 wrote to memory of 2960	1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe	85
PID 1668 wrote to memory of 2960	1668	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe	85

C:\Users\Admin\AppData\Local\Temp\038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
"C:\Users\Admin\AppData\Local\Temp\038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Files0I\abodec.exe
  C:\Files0I\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files0I\abodec.exe

Filesize
2.7MB

MD5
2da1757ed6c03b4db2d3902b594ed0ea

SHA1
42b49cbe0f5d2f3d8f8e1aecd48c59e19c3175eb

SHA256
209b9783fb327cc8b7fe53748573868c9d8699f041a1b30d8a97fbc379a0bb29

SHA512
03ee9d23d31851e8befff2269eb229f4ecdf40a3d9259c8799611eea6de8db5ad191c595245057a0fe5adabd153585596cc7777763f2b225ebb7e798771a4ff8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
197B

MD5
9b1c962328cb88417b2267b237c7b173

SHA1
0eb4cc481d45a1966575bfb86ec65f5470b5839b

SHA256
8e6f939bb751abb2cbc97feae4ae8e95e7c0108a6446cf7524fd684cd3baa244

SHA512
e92f26ce53f1857f4f01d7dd4d0619227a680ae9b7995f9e833d22d2369c445efa1e4627d9575a6d19c7dd19b3143e0fcd52e6e7117923b087ae7da42e4af98e

Download Submit
C:\VidWJ\dobaec.exe

Filesize
1.2MB

MD5
15e66e6cf17d15b2b1e6f56c11ccba2d

SHA1
7a12e2ee1307621c55a3c7cf6e97a34d0288c905

SHA256
f3b06426801646c703cdf2f9a18ea8c75a03a3a35c447a12a3f49a8491c9dd14

SHA512
9dc4bf0eac8669d17a622e80eaec245cd6a83d6bcc584e7294cdb003dbf5d3e6ec25a9cc9fcab5aab86a4923dbb4386929e44fcb24cb9d80790d856c43c42ee1

Download Submit