fe78e40074975e53368d4146eca73afee3abe790b046770477545ea797c1a365

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19967111de64b38adbc394905beb60d0N.exe
Size

4.1MB
MD5

19967111de64b38adbc394905beb60d0
SHA1

05cad3ee6cde6168e87edcd2e9e3e21cfefcc17e
SHA256

fe78e40074975e53368d4146eca73afee3abe790b046770477545ea797c1a365
SHA512

9acb96462a0044465c012fba8277ac57abc910d18fd5b9f4057a0ee20e5768b68497cca6754b7cd1f052b28a8a6fcc9390c9c16a78a32d8d27bc1b2d4bc9f87a
SSDEEP

98304:+R0pI/IQlUoMPdmpSpD4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm85n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
452	abodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotOE\\abodec.exe"	19967111de64b38adbc394905beb60d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint9I\\bodaec.exe"	19967111de64b38adbc394905beb60d0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe
452	abodec.exe
452	abodec.exe
2632	19967111de64b38adbc394905beb60d0N.exe
2632	19967111de64b38adbc394905beb60d0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 452	2632	19967111de64b38adbc394905beb60d0N.exe	87
PID 2632 wrote to memory of 452	2632	19967111de64b38adbc394905beb60d0N.exe	87
PID 2632 wrote to memory of 452	2632	19967111de64b38adbc394905beb60d0N.exe	87

C:\Users\Admin\AppData\Local\Temp\19967111de64b38adbc394905beb60d0N.exe
"C:\Users\Admin\AppData\Local\Temp\19967111de64b38adbc394905beb60d0N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2632
- C:\UserDotOE\abodec.exe
  C:\UserDotOE\abodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint9I\bodaec.exe

Filesize
4.1MB

MD5
45ad6bada764408399cd0c0d42ba285f

SHA1
bff0c1baeeb9a37675f327e3779a80cf3da4494e

SHA256
96a10640be8c8867ae2874d3935ccde3f9c2c8dacef92ce64374623802957c8d

SHA512
a1c1e00720791c4a1e08f387126df7e65ff46b8110d0b8d8054baa6bf27d0cfef098746a70ca063634a1391f3d7661dd00bde1813e934e93004e816518ddd333

Download Submit
C:\UserDotOE\abodec.exe

Filesize
4.1MB

MD5
d31b3041f02dc39aed525feec1c7d87a

SHA1
6d495d3a15842123b315dbba979401db92a03f22

SHA256
3acc2500e189a6b8806b2e58b12e2790367ab719e9ae5c6a7ecdb9a8c36fa3fc

SHA512
56c64797dc13ed3a02cd6863cf608c4e494150b6817527727c2a620cd54a49db4d07189754a89bb5733d242a97abd6829adb29dd55130c38d261c06a19efdbb9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
64d015e17a98245036a5c573c6528204

SHA1
718b5eb5b8df9df94f254b8377dba647adaa90f4

SHA256
0030e5d2c516d358a805726a3a907e7e9e193fbd2038408aead923629ba667f6

SHA512
adfc56a01467dd693dede8e3d99116033b316a173bfda541e9e4c6d1a444ddbf4181589eff8f5accde51a77372757198563b84f36f0a06ff4b346c7dbce73f55

Download Submit