Analysis
- max time kernel: 119s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/08/2024, 09:17
Static task: static1
Behavioral task: behavioral1
- Sample: f6e5d2403182c1424d4976c7a6d38060N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: f6e5d2403182c1424d4976c7a6d38060N.exe
- Resource: win10v2004-20240802-en
General
- Target: f6e5d2403182c1424d4976c7a6d38060N.exe
- Size: 2.7MB
- MD5: f6e5d2403182c1424d4976c7a6d38060
- SHA1: 123f0d8f595eb7cd80f54682367e6e3d0bca4415
- SHA256: f250bacae99b16b1bfc41820d10b9e7d7f8cc33b8c7a60025d9b9717a932cd5e
- SHA512: 212d37c49a0ce4d426bc8f9f914fb29dc4dbeb97bc119bda650ce84e4abc051a47ec3aa9bd5c70ba9aba15276bd008fb3ef5ab5e7532c7daa7eca2c35bbad31b
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpr4
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid 2192, process abodsys.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6F\\abodsys.exe" (process: f6e5d2403182c1424d4976c7a6d38060N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxO6\\optialoc.exe" (process: f6e5d2403182c1424d4976c7a6d38060N.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f6e5d2403182c1424d4976c7a6d38060N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: abodsys.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 872 wrote to memory of 2192 (pid 872, process f6e5d2403182c1424d4976c7a6d38060N.exe, procid_target 88)
  PID 872 wrote to memory of 2192 (pid 872, process f6e5d2403182c1424d4976c7a6d38060N.exe, procid_target 88)
  PID 872 wrote to memory of 2192 (pid 872, process f6e5d2403182c1424d4976c7a6d38060N.exe, procid_target 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f6e5d2403182c1424d4976c7a6d38060N.exe"
  PID: 872
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Intelproc6F\abodsys.exe
    Command line: C:\Intelproc6F\abodsys.exe
    PID: 2192
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
  MD5: ec23b1ca16735b9b088034fc8375c3c4
  SHA1: f095886f5229fa0bad58e7c61099b9950b012a22
  SHA256: 69f5cac87295358a8d20af0f65d8e900f010af5e9ef388d12c6cc39989d9716c
  SHA512: eff5a57e314115ce526e07bee5af32e17faa9ca8bf57c69900ae9c596772282124cadaeab2033555013813a722d97cb101096ae367daf62fa62a4fd2d45b5e9a
- Filesize: 2.7MB
  MD5: d940b5f38b207bc9fe2d458e77a81a60
  SHA1: 4015d9a17e1244797e0595b0963df5423573c668
  SHA256: b23a3ca9e9a3ebadda5183f7f76b57a945ec5faba2ce2aa1bb9ba900bd07df25
  SHA512: be4b6af376f17cbcf0b7b21a395a45111c3d88907a56716168f21ea6b1fdc4a7e1dff58874dbdedd48cbb42bc066b250282100e48fe76d9886748a644abba934
- Filesize: 206B
  MD5: df1034d2f649dc1b0443e81093c94ba6
  SHA1: 0a9dc5b230f9e6e480a5b852fa826f5584faca24
  SHA256: ed5f8e8528d1d1843db72227eaa22cf00e6787d94ec52bcdb9b18b410d6d9a4e
  SHA512: 19be8e36b5316a2a358e5ef206774b234f5abf4880aaf7bf911052e9f62868f8bec61a50e525dfec3d506db3e846e425953ee0424ae92962600fa723e795cc86