556382dad1d916e7aec78bcb4a7b97326a971aa9f9f537d0402991a62e77b2f1

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

100467e8e07a5efe3eb2292bad360a10N.exe
Size

2.7MB
MD5

100467e8e07a5efe3eb2292bad360a10
SHA1

aa599e2a6aa63f6ab0833b272689e6ef6b5e7929
SHA256

556382dad1d916e7aec78bcb4a7b97326a971aa9f9f537d0402991a62e77b2f1
SHA512

7824d817c9d4002c80b6f8274cfcc915fae6198c3b88a426c1237bdca5483073e30a0908afce7d9978bce1a180ee7caaf822cd93f38e9e43685727f10b203b78
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBd9w4Sx:+R0pI/IQlUoMPdmpSpl4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4188	abodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocGE\\abodsys.exe"	100467e8e07a5efe3eb2292bad360a10N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNE\\dobasys.exe"	100467e8e07a5efe3eb2292bad360a10N.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\AdminF+ZZ.K^KF<YKWSXQF7SM\Y]YP^FASXNYa]F=^K\^ 7OX_F:\YQ\KW]F=^K\^_ZFecxdob.exe	100467e8e07a5efe3eb2292bad360a10N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4188	abodsys.exe
4188	abodsys.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe
4884	100467e8e07a5efe3eb2292bad360a10N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 4188	4884	100467e8e07a5efe3eb2292bad360a10N.exe	89
PID 4884 wrote to memory of 4188	4884	100467e8e07a5efe3eb2292bad360a10N.exe	89
PID 4884 wrote to memory of 4188	4884	100467e8e07a5efe3eb2292bad360a10N.exe	89

C:\Users\Admin\AppData\Local\Temp\100467e8e07a5efe3eb2292bad360a10N.exe
"C:\Users\Admin\AppData\Local\Temp\100467e8e07a5efe3eb2292bad360a10N.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4884
- C:\IntelprocGE\abodsys.exe
  C:\IntelprocGE\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocGE\abodsys.exe

Filesize
2.7MB

MD5
8d3cf45dba1ca48165a0ba6f76fbc8f2

SHA1
c5ce072ef8afb12f3f193c80ee4d447607a5cd18

SHA256
bda9ea4d89583a8ea5ac9c61234ef9bbc94c39725e3217d9abfbda327c518517

SHA512
880a01450500ae219976a326908e66f3ba404198f5f1ebc505621cafe698f454dd618a72555041e896dc285577a174fc21f6692be98fd8fcb01849223e4cbfd4

Download Submit
C:\LabZNE\dobasys.exe

Filesize
2.7MB

MD5
0ccbab725292c8038fd32ea2ffa6b9f9

SHA1
82189fc89dc876444bf9308a92465748447d3153

SHA256
eff1dc25cc49366b7d85c9fba457b012e009bb9d6491dff707be0b0ea722607a

SHA512
1eeb408151133c79b8e2d53f6893e3dab5a1efcc3acc4c6f13f676215527bf50670500b374c910cff49b8c18305bff25414e71e9bc3f866196bc08f179101672

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
b50538a38fbefd669140d982f9aeee58

SHA1
d5e3ba7a5e8c08758c59d2597abf063a20d8b35e

SHA256
02ff810255c7cf0718b0af8e6d533dc97b39610636c8f3c77553892a1bfce5f7

SHA512
28c7aa407603c93ea4e875b76ec9c237164d5e7ac8f112ca30e8d8fd6d5ea5fc26871c82d700cd1a631b298273696f496d44983e03b0d6152d6ca3a79bf00dae

Download Submit