b7cee677174a25d161a57b9e0dab8a877c82260191d7d079f88e54a94785ca09

Analysis

max time kernel
119s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f07394a87e9bc585eb768dea0bdf090N.exe
Size

3.1MB
MD5

3f07394a87e9bc585eb768dea0bdf090
SHA1

d0482a79d960741fb5bc558e0359f44dd01a1b05
SHA256

b7cee677174a25d161a57b9e0dab8a877c82260191d7d079f88e54a94785ca09
SHA512

d63409fd929e57e795ae86215cca8499c65aa894986062e7f21b6bbc04c4b6daa5c7f9445897e353d2f32e4c0836795141d88357cdf6eef09d438ea01a9ab853
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4Su+LNfej:+R0pI/IQlUoMPdmpSp64JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4708	abodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5F\\abodec.exe"	3f07394a87e9bc585eb768dea0bdf090N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZ8\\optidevsys.exe"	3f07394a87e9bc585eb768dea0bdf090N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
4708	abodec.exe
4708	abodec.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe
1020	3f07394a87e9bc585eb768dea0bdf090N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 4708	1020	3f07394a87e9bc585eb768dea0bdf090N.exe	84
PID 1020 wrote to memory of 4708	1020	3f07394a87e9bc585eb768dea0bdf090N.exe	84
PID 1020 wrote to memory of 4708	1020	3f07394a87e9bc585eb768dea0bdf090N.exe	84

C:\Users\Admin\AppData\Local\Temp\3f07394a87e9bc585eb768dea0bdf090N.exe
"C:\Users\Admin\AppData\Local\Temp\3f07394a87e9bc585eb768dea0bdf090N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Adobe5F\abodec.exe
  C:\Adobe5F\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe5F\abodec.exe

Filesize
3.1MB

MD5
b3dc1bc36c419266ffb8601cf24c2b6b

SHA1
c048725f38c17d57420c18a9a4bd3f82489d4a7b

SHA256
6f063a55c0bc3ddb4654acb67ee84f7ea75bfbec8cf0ac7533521fc74853a508

SHA512
4989e37e124ee33730650f1965ff8ac521b76ce1bffd3437656c425577401c8a3e0e85dae4cd13bb3857d7cf7d0359691103c5edaea51fac3c69d4e753cd6c30

Download Submit
C:\MintZ8\optidevsys.exe

Filesize
3.1MB

MD5
cf4f520712aa9d842c70b1b07e7cbaaa

SHA1
8c28a2c84f139d554dca778b18a70fec49dd365e

SHA256
caf555cbb4a621d767d2bc1db95fc06174f52ac827bd76b123e4f27565d812eb

SHA512
63f8dba393342b5a54392fd5d7568241ab022320ec2cb0cc761584f7b9cd985964eda31a5ad97fc6e2d9efcfc2c86ad3860a9d55ef34962ca3880ec1da6fe6a1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
13c591978f77acc91485ef51ad297f21

SHA1
410eee2313df41a1f0604c10c15ba3c2e1cad3ea

SHA256
3834cf6da5128a1dc6738773cc2510d8bb948bec15aab801abb4914258401f0c

SHA512
182b1ef37efb283c99eef826acfafd3d00fcdf64bfae24186f934d0a02676e9a8b838a02dde94cd23ec585c88b1bc232126ee043dfefea9102548559b69a6c96

Download Submit