31f6fc7be2c128058abcacaabb0a2791d6a1ba4dc3a4700381625527fafb6656

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ddf7a328fa127d449d63fbcf0521f60N.exe
Size

2.7MB
MD5

3ddf7a328fa127d449d63fbcf0521f60
SHA1

bad3fb59bf4d27f89751c36d54c4b2b7e68f8cd2
SHA256

31f6fc7be2c128058abcacaabb0a2791d6a1ba4dc3a4700381625527fafb6656
SHA512

6b129492c907ab96d17c1850ae494beabf05c8a8884be9925d183ed4d4b8c4e578f88e2a61870142ee8b5c7c43af84f8f6b9650181d6dced503a8ebe2eebc6cc
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB39w4Sx:+R0pI/IQlUoMPdmpSp74

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2112	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesD5\\devbodec.exe"	3ddf7a328fa127d449d63fbcf0521f60N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ58\\bodaloc.exe"	3ddf7a328fa127d449d63fbcf0521f60N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
2112	devbodec.exe
2112	devbodec.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe
3084	3ddf7a328fa127d449d63fbcf0521f60N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 2112	3084	3ddf7a328fa127d449d63fbcf0521f60N.exe	89
PID 3084 wrote to memory of 2112	3084	3ddf7a328fa127d449d63fbcf0521f60N.exe	89
PID 3084 wrote to memory of 2112	3084	3ddf7a328fa127d449d63fbcf0521f60N.exe	89

C:\Users\Admin\AppData\Local\Temp\3ddf7a328fa127d449d63fbcf0521f60N.exe
"C:\Users\Admin\AppData\Local\Temp\3ddf7a328fa127d449d63fbcf0521f60N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3084
- C:\FilesD5\devbodec.exe
  C:\FilesD5\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesD5\devbodec.exe

Filesize
2.7MB

MD5
ac45a005d266494c2f41660e77119f11

SHA1
da9d4c9823f83363c6044dd6fc684b8b9f77802c

SHA256
3a2248b14188173fe370cb45b6c11d6263f5cfba68dc4d9bc71b58fdc199d943

SHA512
8b1a7547370f45e21e94d11e89ab178dee1dd40e075bf65ec265e9be13a2ca6839de2344cc42783fb1c1887c79674ca0e5314722e6a17e116645c7b921286024

Download Submit
C:\LabZ58\bodaloc.exe

Filesize
2.7MB

MD5
04ce7e4fdeb02d93cccca7f68d101b19

SHA1
3625d95bebb32408f2bf1524602676f1a436f178

SHA256
fefa1f402f3276da1f40634a843d772eb41be56642cf23978a3c6fdbdcd7c410

SHA512
ce687eb0e4ab6b109ec3b096c8114a92132c4893c106d5d438256c2707794761ee5edbb0d50f7523930bce0f18f999daa2e23e6f7fd3b8a5e56de683d2d0ec30

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
30b075c018235c0f887bda17351d6d13

SHA1
e8f95f4bc3440aa5301d116dff86c19ad0c2e18f

SHA256
150a9c0467d1738f78ac7c13fdef886c74708d3f9a9e63a0d177edf70ac6ed1a

SHA512
f1abcb8e98026c4a4dce7d7513e4be975a9c14ca873224a5b19dab67aab003b0cd14072dbc46125393e441e3ccb182878da5836297c7a393463a633ab2e98b81

Download Submit