3a59b0795985b0d19af9fb21002613cab96e3812e19529efcb9c1add9f491953

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27626ce203ca48bb276f020211df2e20N.exe
Size

2.7MB
MD5

27626ce203ca48bb276f020211df2e20
SHA1

33d0d03ef89b00352da937ee3adc7cf1bfd4353c
SHA256

3a59b0795985b0d19af9fb21002613cab96e3812e19529efcb9c1add9f491953
SHA512

b4e01071da80ede293c998c211692a77663398e8f1f6884fcf0c9077c80d35e5cf5aade924c7efe3a3f1dc34999f75d986f43768a3b63c4732220541e9e9dc8d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBi9w4Sx:+R0pI/IQlUoMPdmpSp04

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5096	abodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocL6\\abodsys.exe"	27626ce203ca48bb276f020211df2e20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJR\\bodxsys.exe"	27626ce203ca48bb276f020211df2e20N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe
5096	abodsys.exe
5096	abodsys.exe
752	27626ce203ca48bb276f020211df2e20N.exe
752	27626ce203ca48bb276f020211df2e20N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 5096	752	27626ce203ca48bb276f020211df2e20N.exe	87
PID 752 wrote to memory of 5096	752	27626ce203ca48bb276f020211df2e20N.exe	87
PID 752 wrote to memory of 5096	752	27626ce203ca48bb276f020211df2e20N.exe	87

C:\Users\Admin\AppData\Local\Temp\27626ce203ca48bb276f020211df2e20N.exe
"C:\Users\Admin\AppData\Local\Temp\27626ce203ca48bb276f020211df2e20N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:752
- C:\IntelprocL6\abodsys.exe
  C:\IntelprocL6\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxJR\bodxsys.exe

Filesize
2.7MB

MD5
1cb51ff2c718579b070f9db92225e233

SHA1
19ec91296d7548fa035de2645d991ba87c9d8aa7

SHA256
9c72d7bdff7451540388785ce5557fbfaacf25222f7b19e30e7df141a0e0d261

SHA512
893a0fd970f390fdc56cf15eeb4fc83db23e5de0b94f8fccdba78210874db6046671325704a4ebc48f46480f11b9954095a2184e051f4c3cbcf3ed32661c4757

Download Submit
C:\IntelprocL6\abodsys.exe

Filesize
2.7MB

MD5
bee2dd6acd8c836d4694fc073fe8ada2

SHA1
24158ddeb5a4e02942d88d5233a11245091b8e04

SHA256
02e4ad78d1b473379259376f343d1c2d542baa8efc8d52e2aceda7c3bc21b31b

SHA512
22aca9bfeb469b3372c8ecfd02cddd8a7517ee2e19612424739bf72c658c9a030e24cb64eac3822d4b7185fa7234b4d321e00e390553d4370c78a50ef5c02e6a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
b2c66923c09d31e0f183056fb1bfd4e5

SHA1
fd8e262b9ed48b3e3629bf281719f1b7fda001a4

SHA256
8b3a7cdae74df595fbf7814029f5a4b4771f790f73b6025fcd61b4384df64cfd

SHA512
442aa96a6c0192c56ec55ed9bc0ee92ee86bba681d65d981cf66c05479b6bd90cb5ebddc9d1e8c68126f309cda4e322ac86c1c41599d3c9801ebdc2572973dd8

Download Submit