4d2276f6c1c36f57d6bbfea5eb972a5caf734287eb36b7e19c6413727cfd44d4

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a36dbc34c80e27d52394c9def2756f0N.exe
Size

2.7MB
MD5

7a36dbc34c80e27d52394c9def2756f0
SHA1

429bfeee3cbedd1840072ac519cd4d76107af731
SHA256

4d2276f6c1c36f57d6bbfea5eb972a5caf734287eb36b7e19c6413727cfd44d4
SHA512

9272409b57111a194c03d35d3f8dfc8a88d8dc4b1e917867c1cd53658af33929d86fd29dc3ff760abad8a0d12119b74d6957c7f20c4307830fd5973fded95bb2
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Sx:+R0pI/IQlUoMPdmpSpS4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	abodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2764	7a36dbc34c80e27d52394c9def2756f0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotFY\\abodec.exe"	7a36dbc34c80e27d52394c9def2756f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintN8\\boddevsys.exe"	7a36dbc34c80e27d52394c9def2756f0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe
2720	abodec.exe
2764	7a36dbc34c80e27d52394c9def2756f0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2720	2764	7a36dbc34c80e27d52394c9def2756f0N.exe	30
PID 2764 wrote to memory of 2720	2764	7a36dbc34c80e27d52394c9def2756f0N.exe	30
PID 2764 wrote to memory of 2720	2764	7a36dbc34c80e27d52394c9def2756f0N.exe	30
PID 2764 wrote to memory of 2720	2764	7a36dbc34c80e27d52394c9def2756f0N.exe	30

C:\Users\Admin\AppData\Local\Temp\7a36dbc34c80e27d52394c9def2756f0N.exe
"C:\Users\Admin\AppData\Local\Temp\7a36dbc34c80e27d52394c9def2756f0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764
- C:\UserDotFY\abodec.exe
  C:\UserDotFY\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintN8\boddevsys.exe

Filesize
2.7MB

MD5
56e464d231ec9358fc28db15a61ec2b5

SHA1
4391b083dddeb4da824ebd04e13de132d67c925e

SHA256
386e2be6da4502afd8640493e059f81b2e293501df32e98d26887989840c4896

SHA512
e2b86a9446b72ae30f24b5a77e8d3148c676daa0aa1de9efbb1f40907907c4b520866297882d99952dea7d8983cc2c73eb9f3766420bd109e4eecf1b1435426a

Download Submit
C:\UserDotFY\abodec.exe

Filesize
2.7MB

MD5
21ca578120faac194dfe9796206676ac

SHA1
9cce5949a7f79fef3307332df3114fa410b52fe1

SHA256
6c65db66bdde44c034dc10999d5693f2551ff5e96870ce74b9fcc43f1fe0c00d

SHA512
ae807baae8f822b25999aaccb9d48d6c947770e352d22cbb875ed9f32a437a27d8dcecbf9e0cd9b9a1908dc4317604ccac68d497339589145237194551033597

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
ed7a63fdf69de28e0684dfbf70f4594d

SHA1
4e84cd25ffb72f0c00a81112273f1c4fa5475b84

SHA256
921389b9ac4d8360b4ae91d200c766a0da7f97f1fd3f6c4d7e05fddf50bee3a9

SHA512
ba6361a30dfa232f5c6da163648a542a9d9e3985a90e149cf2b12234dafe6121bbf75bb6ae4727540471d1a2effc2c5a33a1fbb48b9d341c40929edba03d33bc

Download Submit