e4c3de52cc3a83d771abaa2cd448fc204c34296764d2e6a87b435a7e2dd8b447

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b2f580ab94c1e2ac4123d9865c340a0N.exe
Size

2.7MB
MD5

9b2f580ab94c1e2ac4123d9865c340a0
SHA1

440f1f38c85d8ed4398574d00e0e5c525ec90a90
SHA256

e4c3de52cc3a83d771abaa2cd448fc204c34296764d2e6a87b435a7e2dd8b447
SHA512

6979b333feb85c3c97772be1cd8ddfb3b30c109a2fd9f6ac357b7832dd49a1dc258c14d07756f26b567042ba1ce520e81c727f0bbe0fd7336d221f2e06a5bc16
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4Sx:+R0pI/IQlUoMPdmpSpK4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2656	abodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotA2\\abodloc.exe"	9b2f580ab94c1e2ac4123d9865c340a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJR\\dobdevsys.exe"	9b2f580ab94c1e2ac4123d9865c340a0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe
2656	abodloc.exe
2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2656	2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe	30
PID 2644 wrote to memory of 2656	2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe	30
PID 2644 wrote to memory of 2656	2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe	30
PID 2644 wrote to memory of 2656	2644	9b2f580ab94c1e2ac4123d9865c340a0N.exe	30

C:\Users\Admin\AppData\Local\Temp\9b2f580ab94c1e2ac4123d9865c340a0N.exe
"C:\Users\Admin\AppData\Local\Temp\9b2f580ab94c1e2ac4123d9865c340a0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644
- C:\UserDotA2\abodloc.exe
  C:\UserDotA2\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintJR\dobdevsys.exe

Filesize
2.7MB

MD5
c3c46b5710ebb61a957d5cc97d11ac8d

SHA1
c88b8aabac5f361b22bb0fda325bcd8c40b3c5e0

SHA256
25704e1de19f801c2ecdb519d6d5cf1c8b61061ea377f4726c9c03ab63bcf529

SHA512
4544bf0a622b49316ea82f60231ad6a108725240160507de95fbcead015d2c74424014881819e72ece3a546b810b7a42c4a1131fef72e5e77ef4d0096614d0cc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
56f235e8d32eaffddd78bac486c8bf57

SHA1
9989d9826eddf73159ca448a72d2067e2cb21fa6

SHA256
8d54a8c4ef7d6fbe23dca9d2bf7ea2f7b1a83da08cb52348530c6863efb40121

SHA512
b4f03f6e6211d49be4879553de237b0a24187dd14eb0c8faa50bddd331f7eec53036a58ac5797b5e1bed27a2d9b6ca62fa47ab09ae6211b2094114dbcaaaf8e4

Download Submit
\UserDotA2\abodloc.exe

Filesize
2.7MB

MD5
6c9178a3208451ce936e4a8a71cb0ada

SHA1
23a5d972cb66063021ed20cd1369b0fb06d064ef

SHA256
286f9b032a2fbcb5b6d28bfd671da5a02b6967eeac1e72afc4cd8771a3bf06a5

SHA512
37f5f175868d298557e6bff2e1f56e78778e0e70774ee216a7a95aa994d4c49801474222d2ad13a2251fd6cbd791fd0f594efbb6b5150ef10f42b52281b27c1a

Download Submit