7d329ecf03ed08dfb327ae69c3f3e8b3cd76f6a2c6e59e24f30b74099f80234c

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a989480f6fdd8fe45714bedd7d15dd0N.exe
Size

2.7MB
MD5

1a989480f6fdd8fe45714bedd7d15dd0
SHA1

10764c91f59ee1bd6d44d0bd47ae2ba2dffa398c
SHA256

7d329ecf03ed08dfb327ae69c3f3e8b3cd76f6a2c6e59e24f30b74099f80234c
SHA512

bd15089e0572e9299f89af58bf8b0dba4237328b6728994cd04b0fa5a29cd1fa35821c56ddf59e533f3b6cdc59c3e717763270e98947059bae3b3a9794ce13f9
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBA9w4Sx:+R0pI/IQlUoMPdmpSpO4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
748	devbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocX8\\devbodloc.exe"	1a989480f6fdd8fe45714bedd7d15dd0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4U\\bodxsys.exe"	1a989480f6fdd8fe45714bedd7d15dd0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
748	devbodloc.exe
748	devbodloc.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe
4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 748	4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe	88
PID 4872 wrote to memory of 748	4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe	88
PID 4872 wrote to memory of 748	4872	1a989480f6fdd8fe45714bedd7d15dd0N.exe	88

C:\Users\Admin\AppData\Local\Temp\1a989480f6fdd8fe45714bedd7d15dd0N.exe
"C:\Users\Admin\AppData\Local\Temp\1a989480f6fdd8fe45714bedd7d15dd0N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4872
- C:\IntelprocX8\devbodloc.exe
  C:\IntelprocX8\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax4U\bodxsys.exe

Filesize
2.7MB

MD5
8521eeac17eaf36a78203fe25167adf0

SHA1
fbf3da39a1eb3dd028240581e2d222784ec70fd2

SHA256
98d3940531819346a2ea991c6293a3db204d56f88ac6bf1c354c68ac5c26260a

SHA512
872a58c6ad25abbb9f6aae730332ae0c1dd6071cfc0710fdf6b69966fdfccbf4e7fe4d75a221f9316841de923f3645c0505f6fde81919743c06afbd6352204b4

Download Submit
C:\IntelprocX8\devbodloc.exe

Filesize
2.7MB

MD5
e0bce6d1d875b26543d9e4b7b174e4ad

SHA1
2d8b23ab7d838337a549ceaa59b778573dd94719

SHA256
b37a0fca5e171416c3f6b983e268d405ed8b65f524ba99edb679ee6604090409

SHA512
eb18571735448f9420bac1900fbe557baf9f315fce3bf953991f51641dee17e57267a755b59df61c74fb8c0e0c07f62c616c8478e4a35cbb607d8e636f8d5191

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
06bd84b2d8abc15e338e1cb89851112b

SHA1
c4499649a9b31a952d1fcafd202be8980b61855a

SHA256
8cfd0d77421f9ae77e9291850d97a09326e988c759be43c7ef5bf6abb5ae5571

SHA512
c065612929bdae9cfedf4d32d0f7672e83c68b9e02e4775357c8ae5888ed730ff34568682fd7ef4e13f729866df62e9a1c3b646a13e220259eafab721cc40d83

Download Submit