858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
Size

2.7MB
MD5

4a0b7dff0f067d6fc86f463ece62b17b
SHA1

4dfbd56823e5b9b8df86748dea260cd75fdc8583
SHA256

858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965
SHA512

0a21551d2c5b0b917ea455464b0aa5e9ea45b83e01dc203b77d5bc4451c51540f64880e21decc9dc9a7c74728b28e79bcabc67d10e16d7e435d02cde4bf7b851
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBj9w4Sx:+R0pI/IQlUoMPdmpSpD4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1056	abodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1Y\\bodxloc.exe"	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8B\\abodloc.exe"	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
1056	abodloc.exe
1056	abodloc.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1056	2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe	85
PID 2476 wrote to memory of 1056	2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe	85
PID 2476 wrote to memory of 1056	2476	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe	85

C:\Users\Admin\AppData\Local\Temp\858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
"C:\Users\Admin\AppData\Local\Temp\858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Files8B\abodloc.exe
  C:\Files8B\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files8B\abodloc.exe

Filesize
2.7MB

MD5
a09f59a5294cc1af3569b95741c08570

SHA1
025bb5a41b7aa7674ce5167a085297a353268bc7

SHA256
402b252b35a5cc115fccbda68c7727f980909f829f172d7fdf463e4a1996e7a1

SHA512
3627b710f3da9e93423a433d52a549c250163028917e9884efc9049a240029810479b5c9b8d22091b5acdd18c41ecdc65f893848ded90f2f6c30c80cda8a6f6c

Download Submit
C:\KaVB1Y\bodxloc.exe

Filesize
2.7MB

MD5
3b629d2aaa16cfae585cb40f7dfcc3ab

SHA1
75dbda1a9daddc81efa1cc56395676310a3ad87d

SHA256
108b5850a5231418dc5ee79fd66e8d8ff7e13ff44125a3b4c21f999bedbe257f

SHA512
591de7fbab68f0053689ec3cec63f1a38dbd3bf41c8f670cbcca0c6360fcf74bcc43931636fc24eb6b21e7fc41256947386dadd884dafbbb3711487d4193600f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
db69f6bcad2bf4d27dccaedd32f77817

SHA1
561bdfed08cbcf4d823a4cffa5aa3fa36976c908

SHA256
37b590faeeaa005713909b1e106df8363b8ee9a2b8005c2dd80ccf0685f05321

SHA512
548a4e71c77957a2305b40b7419bbd7bbc9d12fd112374d0408cde7f003e63280ebf0471a71f883464aff9e4636b5e0e8beeac34968a4d7520195e8fda4bffae

Download Submit