3287fce9623e997a1cf40dea073aee220b4ef82be75b4e72cc29583c73fec1c5

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

129c3c25f9894fcf66083b2846b52770N.exe
Size

2.7MB
MD5

129c3c25f9894fcf66083b2846b52770
SHA1

e5c0f290b97240c9c5cb89db697c6f19e66f9ea2
SHA256

3287fce9623e997a1cf40dea073aee220b4ef82be75b4e72cc29583c73fec1c5
SHA512

c62f0e552f511372e18bafac65683b9d7b839a17d3c8812b7a4387b3237c66749ccf55c473e325b2c643f74d8b8929f17bbaf6314ff9207e527412bf87b6594b
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBr9w4Sx:+R0pI/IQlUoMPdmpSpv4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2728	abodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2876	129c3c25f9894fcf66083b2846b52770N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeYE\\abodloc.exe"	129c3c25f9894fcf66083b2846b52770N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidWF\\bodasys.exe"	129c3c25f9894fcf66083b2846b52770N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	129c3c25f9894fcf66083b2846b52770N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	129c3c25f9894fcf66083b2846b52770N.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe
2728	abodloc.exe
2876	129c3c25f9894fcf66083b2846b52770N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2728	2876	129c3c25f9894fcf66083b2846b52770N.exe	30
PID 2876 wrote to memory of 2728	2876	129c3c25f9894fcf66083b2846b52770N.exe	30
PID 2876 wrote to memory of 2728	2876	129c3c25f9894fcf66083b2846b52770N.exe	30
PID 2876 wrote to memory of 2728	2876	129c3c25f9894fcf66083b2846b52770N.exe	30

C:\Users\Admin\AppData\Local\Temp\129c3c25f9894fcf66083b2846b52770N.exe
"C:\Users\Admin\AppData\Local\Temp\129c3c25f9894fcf66083b2846b52770N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\AdobeYE\abodloc.exe
  C:\AdobeYE\abodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
8bc295104ac7b633e5b0fd13c8d0977c

SHA1
9564e3fc7d8e42e9f83699a9e1e3be6eb8e603f7

SHA256
5c9cd3f5016e81d5fbd8f8bd3fad3daa900b9ff83222c7a6cb3508d22d3f7864

SHA512
0b7ea28b9c809c850996fadf9d98de988d843bc43eb88577eac8cf0bf435d38017babc53cc64dfc7cbf8e756bdb2b62c2d142ca29a6afdb14ec1de3256229a65

Download Submit
C:\VidWF\bodasys.exe

Filesize
2.7MB

MD5
3f1b9ebe147064e041a9f64dafc550b4

SHA1
79aaa9f5fe7a30a3591b71feb2877a219320d7ef

SHA256
9bd24c7e8584c9a83763d984f83d55af2f441a78be332ace2b072ba290251f3b

SHA512
f244fbf4b5c42d4762b1a468170e2b20d1df1d3a30ff19b7fef04de0f3b52b472f8b43e8cb0f6c848da41c69de4d25abe1c52bea1aac2a749f6b6119bb55f696

Download Submit
\AdobeYE\abodloc.exe

Filesize
2.7MB

MD5
eaca62cd39e41e472920b78483aa038a

SHA1
6207e99e9f2a058572d3027db12dbea99e4d2fd3

SHA256
aea2ab950abe8def52bed3993fa47d7c32739abb0326a59588c2ce1b0dd5e9b4

SHA512
12ea2d9ae533f7052e426d4dddba6117864b92edbada96326852100acd3fd253bac760fc3fc10db0687cad702dbd6abb07a0033a9a90728d519b24418a03a39f

Download Submit