3e10f94f77f1d784a5ad7d8abbb6207f1cffa97d9c115a63178a954a9ce9c216

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41505b4e9ab9b533bacc0aa9495ee650N.exe
Size

2.7MB
MD5

41505b4e9ab9b533bacc0aa9495ee650
SHA1

1f106de5fe90bb9c664fec71adc574a13c650e54
SHA256

3e10f94f77f1d784a5ad7d8abbb6207f1cffa97d9c115a63178a954a9ce9c216
SHA512

c675d548fac49db21529a90a7c494c96f5bf35071428eb9621d4785c5d104d93c8bcc48c56061a5ca8b9b50cb798b432a6075d20a711df178a9dee6d5192487d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Sx:+R0pI/IQlUoMPdmpSp24

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2340	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG5\\devbodec.exe"	41505b4e9ab9b533bacc0aa9495ee650N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid31\\bodxsys.exe"	41505b4e9ab9b533bacc0aa9495ee650N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe
2340	devbodec.exe
3060	41505b4e9ab9b533bacc0aa9495ee650N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2340	3060	41505b4e9ab9b533bacc0aa9495ee650N.exe	30
PID 3060 wrote to memory of 2340	3060	41505b4e9ab9b533bacc0aa9495ee650N.exe	30
PID 3060 wrote to memory of 2340	3060	41505b4e9ab9b533bacc0aa9495ee650N.exe	30
PID 3060 wrote to memory of 2340	3060	41505b4e9ab9b533bacc0aa9495ee650N.exe	30

C:\Users\Admin\AppData\Local\Temp\41505b4e9ab9b533bacc0aa9495ee650N.exe
"C:\Users\Admin\AppData\Local\Temp\41505b4e9ab9b533bacc0aa9495ee650N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060
- C:\SysDrvG5\devbodec.exe
  C:\SysDrvG5\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
99778465a20ef1c80675ca0b4874d18f

SHA1
7bf7e317e49b885e2c9061365cec09c066b07953

SHA256
410604756a09d3fa7ac22bab3662ba206807e131cf4786d5a433d1e30aae0125

SHA512
64c6b79b67decaf7b7c0d514d566d2ad67556a6d14b14519bb4fff4e850c7ba3d70b2cda7141150928556ac53dc37a160d6c9345a2a6a8ace75fce61c6fdb397

Download Submit
C:\Vid31\bodxsys.exe

Filesize
2.7MB

MD5
f88a4f29d8232c7e403678d639375d78

SHA1
e57dd7914d35bf3403e083595143abf212d388e7

SHA256
4c74af8a8d78527ded8a0c79ee69ae613201e91f451a8ce002ad73b9300554d5

SHA512
d138f09fcbd9996f62552a479062f800f15ba74a979a21268e3bb48738b5aed48494fc110fa18e1b93c9d772244e36d6dff4fc7a073e7696174bcc17b4a9ee16

Download Submit
\SysDrvG5\devbodec.exe

Filesize
2.7MB

MD5
4e1bf8c2fc173220baa2a451fc80f706

SHA1
8be1e2a08bbda09cb2ee7572d84e7edb2ce2527f

SHA256
7845a25678ad05ef4c85e3c22c839a11a364c47cf45b70b122876de8992f0525

SHA512
3572a09c105a85fc9955acc6b7c0946fe3ca08d443bb65ae15fba30174080700ee2c735dc44397f10dc0eb2d90f167696c671c6b958f3205348203d22f17e7ff

Download Submit