8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
Size

2.7MB
MD5

362876641f218350bd3003822c9eea8b
SHA1

1c519b90a09099062f767e049b1214df98e8a392
SHA256

8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46
SHA512

3491fe610cae18db17ca5e02e42dcea65bd3a22a940e75a3599cb99d0d1506096c9a5da65818e2384ea0e9a42a0c4580e0218f53e257a0d11fa43a85daa1b258
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBA9w4Sx:+R0pI/IQlUoMPdmpSp24

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1748	devbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFB\\devbodsys.exe"	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDZ\\dobxec.exe"	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
1748	devbodsys.exe
1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1748	1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe	28
PID 1712 wrote to memory of 1748	1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe	28
PID 1712 wrote to memory of 1748	1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe	28
PID 1712 wrote to memory of 1748	1712	8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe	28

C:\Users\Admin\AppData\Local\Temp\8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe
"C:\Users\Admin\AppData\Local\Temp\8b02f680492790a2d3f131608d0e8194b4d8cf3afbbd177323b04b6af8664a46.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\SysDrvFB\devbodsys.exe
  C:\SysDrvFB\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxDZ\dobxec.exe

Filesize
2.7MB

MD5
8d7d20658832d4181ba0ef7045cd49d1

SHA1
f7d7f54b98cf37808f6964fedf034e8b30d7afd9

SHA256
d32899d76ca198ba4671be4e24f9f71bb7fefa25dd420c5ba71f34c04762f079

SHA512
5270e7af8e4f70b51f82c5cc074020bf37c4cbd31603051796c205d680491facf19592d5e8929d62e60509ce5daeee3d595fbbc15ba6ea6f6fa3cf5a58d27ff1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
bb9f77826b67972c2b94ed434e5639e9

SHA1
9671e78a6d083218afc40a02af5880437e849322

SHA256
ff435d5c73b6699c3c22c36f4d7c5f01b3e5477dbea3fdaab7d0120a5659df0b

SHA512
9099dc90d554ba6f44e13c49c2ec6594c9e5bf7104783cc6b47b0cd45d2fe3fdb1cb86444f8ead362be497aa931da7969bb93049c0305953b73339f68e6a98bd

Download Submit
\SysDrvFB\devbodsys.exe

Filesize
2.7MB

MD5
b6eb5c8fc35dbaaa9e371c8396d5f3e7

SHA1
2456e0877d25b58d4420b7e08510ba21c37eb310

SHA256
20bda377b51bb83e03638d752c92badb4dddd4d6db7d3c44cb48f0224f363c3f

SHA512
76d6af4b051ce9cc06ebd0f040786bf6338cfcecbe4569afd41ebea3cc5e1d4ed248b881f5065ddc69a9ffdb311fb92843d49ed7c442a31f485001193b1de01b

Download Submit