395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
Size

2.7MB
MD5

3978ba71e3e4d5739e2223a3cacbb220
SHA1

0864addd0f5d750babfaca987db7dcd6c85cbc3a
SHA256

395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb
SHA512

56f4f78ca7f568a7cb9e999725d28573d425a178d984920c3981440ac087a234f5e02e8d04f3de343abb0db21b22465e0c3ffe71dc26cd8a845928174deaa31f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Sx:+R0pI/IQlUoMPdmpSpe4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2540	abodec.exe

Loads dropped DLL 1 IoCs

pid	Process
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files72\\abodec.exe"	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOG\\bodaec.exe"	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
2540	abodec.exe
856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2540	856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe	28
PID 856 wrote to memory of 2540	856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe	28
PID 856 wrote to memory of 2540	856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe	28
PID 856 wrote to memory of 2540	856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe	28

C:\Users\Admin\AppData\Local\Temp\395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
"C:\Users\Admin\AppData\Local\Temp\395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856
- C:\Files72\abodec.exe
  C:\Files72\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBOG\bodaec.exe

Filesize
2.7MB

MD5
c80a772e57451bdfcc627147945f31da

SHA1
3633ef34b42b28fa633a1333cf0ccae1d8c887a9

SHA256
e5b54b0c94b35b2df6edd8786daea53dd08a845f6a5f99bcaf0c952f919adb9a

SHA512
ec84da24abc441e05d126e1636a1232d91329e9182d943d86e19529d9322aab816a9e336cd72f1818329fde449f8e906c64ef56931bc31984c9741625aa72268

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
29fcaf0a83e7ec5e0033c7303844fff8

SHA1
35b1cdb5063ea319d5469c205a1d745f8fc9bb64

SHA256
697102ff8a7d24b38177a675015a21a4d0b2cb20409563ef3416420e704253e9

SHA512
fb2345ebf6ab5d7b2ba4b20873fea39366619cb89fb022bf2091f40c601bdf927399d291f312519451a12030393dd7199e29278de3c839120fd7d973b0862dd3

Download Submit
\Files72\abodec.exe

Filesize
2.7MB

MD5
38b1932da0024b128ac94a5aeb05d101

SHA1
3aa97506b9fa196b7be1c6cd91e4f84d928f34ba

SHA256
983570234c392e1d3fade93da66df3005cb0aea585582c3d3305a8197be36026

SHA512
6a06efee31cc42d866560c18327ff5209e0961289b0ef3bb4292d5030e3e670d10a25c34566e0b513e8644746245ae13b9937ff489bf3bb447b34c3049d94b25

Download Submit