47b1dceb83bb9f203b409810d90d071d916712ccc625735490ec71841d3f4a0c

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0edc7b98b794b69193f730e8c80d0d30N.exe
Size

4.1MB
MD5

0edc7b98b794b69193f730e8c80d0d30
SHA1

20d911968a7aec4d1f7aec5bab34c2cac30b8c95
SHA256

47b1dceb83bb9f203b409810d90d071d916712ccc625735490ec71841d3f4a0c
SHA512

8c5b992403e4f90339f9cd2139599a4b3b18cfee049aba210fe2a0c84bc440ae39438a40c6fc8ee1307ba6ad7c1b2b8c3ce3cefe6541e1f57f65ff01e86ef6e3
SSDEEP

98304:+R0pI/IQlUoMPdmpSp/4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmo5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2408	abodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1868	0edc7b98b794b69193f730e8c80d0d30N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesAA\\abodsys.exe"	0edc7b98b794b69193f730e8c80d0d30N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZU9\\boddevec.exe"	0edc7b98b794b69193f730e8c80d0d30N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe
2408	abodsys.exe
1868	0edc7b98b794b69193f730e8c80d0d30N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2408	1868	0edc7b98b794b69193f730e8c80d0d30N.exe	30
PID 1868 wrote to memory of 2408	1868	0edc7b98b794b69193f730e8c80d0d30N.exe	30
PID 1868 wrote to memory of 2408	1868	0edc7b98b794b69193f730e8c80d0d30N.exe	30
PID 1868 wrote to memory of 2408	1868	0edc7b98b794b69193f730e8c80d0d30N.exe	30

C:\Users\Admin\AppData\Local\Temp\0edc7b98b794b69193f730e8c80d0d30N.exe
"C:\Users\Admin\AppData\Local\Temp\0edc7b98b794b69193f730e8c80d0d30N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868
- C:\FilesAA\abodsys.exe
  C:\FilesAA\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZU9\boddevec.exe

Filesize
4.1MB

MD5
7b00de753e04e5a09fb443b5807ecaba

SHA1
2cbb7cb6aa2e81748b948b6f319ca55dacec2039

SHA256
bdaed92b785ecd656ca71ccc3cce74ac42b2c6bf9b97d87e75b2cf6f342fbe6f

SHA512
63c2efd7d4366887aeb1c6972e477c0aa3e5f9c30dfd726252da93bd7bdeb4e8d3d0677e09cc51eae13033bc1c85985ee13bad1571ac0e19c6d076a482277742

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
5cc9b7cf8035f0f4ac4b95573898e36d

SHA1
6ef6da250bbd7a43f4b3e991806d2f245fa03e4a

SHA256
cfdb3afce4522890a8753a22fdd4bc7185553d174f766907100316e38db64db5

SHA512
32a4ea91185c7a75f6f83abbbf720da4de2ae88ca98eb1b5c22e7e16d6eddd39accce6de56eba1761b2b4fc714ae3e7478d56d4cedb3cb28c084dd330a0a387b

Download Submit
\FilesAA\abodsys.exe

Filesize
4.1MB

MD5
189e2e9825d96703d2c13bf4eb7f22cb

SHA1
77b109451294d8fa886be2f07b8bcbc961358a75

SHA256
894c876702565d4aa7460b616f3444b9b4f77e303959346e1cef5de44d1ebf65

SHA512
25c06e9677b2f8879c17ff9528e3694e3e392822ac5ff2b1e31f4f4cf0bd206ea36dc885293a62133c78dd5932989916ffdc31e420a373fe8e4f25c12599fdfd

Download Submit