f3004e7d9434d1236876f916dc8c1284bd9a79d75509328c57879f4199db6ee7

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4179f6ff845787c1d207b6a6f6302540N.exe
Size

3.1MB
MD5

4179f6ff845787c1d207b6a6f6302540
SHA1

28e6f2db566261cb232f917d6f3124b5a4d3641f
SHA256

f3004e7d9434d1236876f916dc8c1284bd9a79d75509328c57879f4199db6ee7
SHA512

138859299ffdaedcd95a72bffad828bb1671f81b833e554c93d1911def86859528efdd2099f22a5817f6c6a8cf3bba333add7f925cafb14c91d5a85254883df8
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Su+LNfej:+R0pI/IQlUoMPdmpSpS4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1648	abodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBC2\\bodasys.exe"	4179f6ff845787c1d207b6a6f6302540N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUN\\abodloc.exe"	4179f6ff845787c1d207b6a6f6302540N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
1648	abodloc.exe
1648	abodloc.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe
4256	4179f6ff845787c1d207b6a6f6302540N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 1648	4256	4179f6ff845787c1d207b6a6f6302540N.exe	89
PID 4256 wrote to memory of 1648	4256	4179f6ff845787c1d207b6a6f6302540N.exe	89
PID 4256 wrote to memory of 1648	4256	4179f6ff845787c1d207b6a6f6302540N.exe	89

C:\Users\Admin\AppData\Local\Temp\4179f6ff845787c1d207b6a6f6302540N.exe
"C:\Users\Admin\AppData\Local\Temp\4179f6ff845787c1d207b6a6f6302540N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4256
- C:\UserDotUN\abodloc.exe
  C:\UserDotUN\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBC2\bodasys.exe

Filesize
8KB

MD5
543b580014decab172de23e7ad6bd828

SHA1
1ab580d1a283aaa4e1eafa903e1b09d807b9779a

SHA256
be042705b4c36f68fa3e7ca78a833f0e013cc2f3e93ec00a92d32c41d19ff2d6

SHA512
ce0bd033d47c0eb8cf28c4a3a6c07c58d0f911da83d3413a08ba9d7f78562620643124540408cd3c7bd6fcf8be4e07dff3e5dd2f452062ec19883dd07ed17908

Download Submit
C:\UserDotUN\abodloc.exe

Filesize
3.1MB

MD5
5f6c2312d4de1de9a80615903cef9d7a

SHA1
e48a14ef04506e9bfaafc57d87c3c7a9f1193a43

SHA256
6ba74ac3070c159b3f516b3bb34d302a3b32b9829893b454d1ebcec7e502501e

SHA512
1be504d842136fa03646999137bdad4e0231c5fb1f695e012e6bb66b8fe67fae29f676989a7067299b4063f7b589772bdccd3ca692bb0cacadce3defbc3f8a1c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
7edf2ba50f9206b45d80226cb3f52cf8

SHA1
e86e65171db09da2ede324cd08493035b1328232

SHA256
e7353ba1aa66e826bc2ea2b68f25f7d677a06a7f9ab62e3d3d917a5ce5a7f653

SHA512
108dea09621113867e94bb127005d4a3b04e561068a7a9b71c1ae674c1673c531190c07387e28176375bd4eb773d7378aaceaed3060375ff9f4889b93bd2230e

Download Submit