31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
Size

2.7MB
MD5

9607bdc2a63e9250c44bd5c7fbe26fd4
SHA1

b3971a3a75575a64a5ca45aa259b1bfa7f12f667
SHA256

31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970
SHA512

b4721a0e5e6fe0cd41292338aae831e96d9305a290850bef0388aabc5cc79c3b504c94deda43e2792e5459e1e024760d67ff86f16e020f2a7aa6aaafaad7e22f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBj9w4Sx:+R0pI/IQlUoMPdmpSpT4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1624	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOF\\devbodloc.exe"	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax5F\\bodaec.exe"	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
1624	devbodloc.exe
2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1624	2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe	28
PID 2168 wrote to memory of 1624	2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe	28
PID 2168 wrote to memory of 1624	2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe	28
PID 2168 wrote to memory of 1624	2168	31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe	28

C:\Users\Admin\AppData\Local\Temp\31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe
"C:\Users\Admin\AppData\Local\Temp\31105a7d170dc54ac6363cb08c7bb951fe36d0331dd87f9d2fa886ab5f1d4970.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168
- C:\SysDrvOF\devbodloc.exe
  C:\SysDrvOF\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax5F\bodaec.exe

Filesize
2.7MB

MD5
e0ab65029c8b9fd17624117a5fbb74f3

SHA1
caddd49b60f14d2e6fd7c6f0bf8ca8fd205f0450

SHA256
2a225e54635dd16e58a1439c4bee18f8a3b3485e54f507ca4e7f0a006d7d8258

SHA512
146415dc4c868cd674514a560264027f4a137c8d93489d64f0bb23a197c366ced15ea9888003b44095b7bc40b110068bda2e14c7103b56eb96d63e730f16dd9f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
d381aef96c1add7e7efa922ce7fd9e4e

SHA1
5583f6b168b7209422b727e9797f81fdd8ee426d

SHA256
eca39240936db4c99051e2ea120a3992d3d3a371ca9b99c76d31f602daa4710c

SHA512
c4d590b9b18201b88ac8eb07375293e2c84f497d4b717446d11d0af82f2dea3f36a2cc8473dc9fb196fc8dd93bd343451a43009396dd678ac073b72dced9bb1e

Download Submit
\SysDrvOF\devbodloc.exe

Filesize
2.7MB

MD5
265ecdd5c47efa1f60b9b26951e59114

SHA1
fb5135e1566ac1a1e3a24f0b5571bc98beaece86

SHA256
f013f42d9210d7c0dd8feffe1ecbf63ac4e8990c436c1afc923c9f2b9e42b815

SHA512
4179816d17744f31d35632c453177b9ac72d261287f39842c7642706e35526fa43fa3d58cee45726676750cb2aa74353951cfea9b56721cecf55003f21551fa6

Download Submit