ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
Size

2.7MB
MD5

611a2e9538ac48e61ba3fbc789bc45ee
SHA1

4f525587a4873501b28c2ecf23b1edbe7826a7af
SHA256

ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348
SHA512

a061d4e797adcf632ddd1680921856c4df43361e4a65c3cefcda0753ab64816a87b89fac2df3feb0f92152222b50baf7b0c6ca773858e3fae840bdb0103b34d0
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBP9w4Sx:+R0pI/IQlUoMPdmpSpP4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1076	abodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotFI\\abodec.exe"	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintEL\\dobaec.exe"	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
1076	abodec.exe
1076	abodec.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 1076	552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe	85
PID 552 wrote to memory of 1076	552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe	85
PID 552 wrote to memory of 1076	552	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe	85

C:\Users\Admin\AppData\Local\Temp\ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
"C:\Users\Admin\AppData\Local\Temp\ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:552
- C:\UserDotFI\abodec.exe
  C:\UserDotFI\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintEL\dobaec.exe

Filesize
657KB

MD5
d5b79b1033eb81cc23e7807a45475dca

SHA1
cd0894eb7f1043c4a0ef79f7de8d104d02f9c286

SHA256
ddc6c4620566ded423a9d026d43ff2acf2765678a9b40bb8f95017741d738376

SHA512
dd4dfbaef52275583cf02fed6f63f05c4bb98790176a3810980e681c1043a57b511eae38fe4f580485a36228579d12ec9caf2ca50c7fcab9e28274cd5d5b52b6

Download Submit
C:\UserDotFI\abodec.exe

Filesize
2.7MB

MD5
a10af1abc68bf1a53e871f16ffe861b3

SHA1
a97c6d69f6cda13830bd90fa827a92b91c890756

SHA256
b299f1da9135ef0fed82fd03461546162000643b46e8d2bc9e3afa00bca3b573

SHA512
5e34b925dc84d0de1711107c89d6483852d04549c6282eb01a428791ab9942f9fe6c5be65f03891024a72bcb5526dec0dcaa66da33282d71488f9f54ccfca13f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
f86ffa05ce283dd3921239832c3d3477

SHA1
c9a5cdbbb7187a78fb44b01244846026fdc59549

SHA256
8638e002146ef1eabd6e1a660c371b45422e837402c60feaa1d21fa59f39e302

SHA512
62e1483d58d3b521d9a6e342d6086d62dc6df225612a227e27764235f62785ab4099ecd0c7dee3a5ff6c73303e0da7cbbb182af8b5bc435a2b2187d20563a272

Download Submit