eff2bee0b268751b4fd0c77715d9fa3f5bb820054ebf61bd5a73fac6da90aafc

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3925fd9da556d26c0ef2e1c6577fd060N.exe
Size

2.6MB
MD5

3925fd9da556d26c0ef2e1c6577fd060
SHA1

b4ffe721246913ebe9ff7d277ceeaa72aed7a5e9
SHA256

eff2bee0b268751b4fd0c77715d9fa3f5bb820054ebf61bd5a73fac6da90aafc
SHA512

ee411911889511161c4cd2382e374ead742b6d4012858d85f2642924c85ff91c06a47a187916e7594552b31c9d23fc317c26c94a9890006a1a79a64834f5b78d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4S:+R0pI/IQlUoMPdmpSpi4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1320	devbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeJQ\\devbodsys.exe"	3925fd9da556d26c0ef2e1c6577fd060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxVN\\optixloc.exe"	3925fd9da556d26c0ef2e1c6577fd060N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe
1320	devbodsys.exe
2352	3925fd9da556d26c0ef2e1c6577fd060N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1320	2352	3925fd9da556d26c0ef2e1c6577fd060N.exe	30
PID 2352 wrote to memory of 1320	2352	3925fd9da556d26c0ef2e1c6577fd060N.exe	30
PID 2352 wrote to memory of 1320	2352	3925fd9da556d26c0ef2e1c6577fd060N.exe	30
PID 2352 wrote to memory of 1320	2352	3925fd9da556d26c0ef2e1c6577fd060N.exe	30

C:\Users\Admin\AppData\Local\Temp\3925fd9da556d26c0ef2e1c6577fd060N.exe
"C:\Users\Admin\AppData\Local\Temp\3925fd9da556d26c0ef2e1c6577fd060N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2352
- C:\AdobeJQ\devbodsys.exe
  C:\AdobeJQ\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxVN\optixloc.exe

Filesize
2.6MB

MD5
2123a378d39900413dc1332dd3c2ddbf

SHA1
99e4b9b6d0881e6592f3cd4b5e416fbf7f2dd9ce

SHA256
9f6121114e2b19ef2a08f3d2ec487226eff5ddc6538fb96157ff9cc7c6245a32

SHA512
36c18ff77011bd474bf744442ec7a37262cce963ea6476ab18858ffa82a8ab92c4f0e042674bc2f92ad4db4822b917c4439af9a42551e8f8fc43369548679c7d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
83a6e712fa09d5c4839de1c24fabdbd9

SHA1
a3fc4b02ff41506f82a137090fd1738d5403299f

SHA256
722bba243a6f965740ad7470b0b6f68a37b21c6a896fb685872e9974cdd8fff7

SHA512
55e2ff57c0fd96f0642b119c4b4bc92e41d405307136b6820fa558f79bde7a5f4ed9a57b02174de4ddffcff8be478c93818f4f2efca05e6454f48c76068fdace

Download Submit
\AdobeJQ\devbodsys.exe

Filesize
2.6MB

MD5
14531e8ea98688a6bc399913b1104aad

SHA1
74dd8a497e0c374daff5ebff8466c64eef72b8c2

SHA256
617cbc713905629195a2c31eb082400457ec7d045460ee4519197b744b850bcd

SHA512
dee08a06ffc60aa4f4e6af10c80f4a6a411ec7d901af23dc85984b61b89fd2d71b3a21bd1a089c993f2d86dfdd33e56e3675a4b4e7de5fc26cf70ea59790b4bf

Download Submit