f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
Size

3.1MB
MD5

0ac1f6f935c1e9c94f39c2fdddc1d293
SHA1

3151872d050a0265dc5481c04fc7a29f41c4fa98
SHA256

f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95
SHA512

39bfab2926b968b5434e1ee982e58ad7705ec1810de1a262c9544b4a362f2230aee635fbb6ecb690743ff0813f1020da99ad038ac8a26e67aefde36abecb6304
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBv9w4Su+LNfej:+R0pI/IQlUoMPdmpSp74JkNfej

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files29\\devbodloc.exe"	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHH\\optixsys.exe"	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
3064	devbodloc.exe
2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 3064	2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe	29
PID 2064 wrote to memory of 3064	2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe	29
PID 2064 wrote to memory of 3064	2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe	29
PID 2064 wrote to memory of 3064	2064	f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe	29

C:\Users\Admin\AppData\Local\Temp\f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe
"C:\Users\Admin\AppData\Local\Temp\f0185337545467d44a3eaddaf40d543045591c29ad81599e10db58239330ce95.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Files29\devbodloc.exe
  C:\Files29\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintHH\optixsys.exe

Filesize
3.1MB

MD5
8bf7abc9763a086301ef07b7ccbc88a2

SHA1
387af1126859efaa6c46a9eede215a0973d24ee5

SHA256
9ca7a74b2734690da0afd97f7c9c31ddb427868091233aba8bc96f0afe0c9a10

SHA512
deb50317e6d2fb24650e6988632be108062baae704c0e51e7b8bb9bc33e49d5eb2d7542cc48da573f0dc38f0ffdee06144dd7f0748bf922e9ef3b169b58921d7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
05d0680be7419780f77de456b0cb4e85

SHA1
231c3d8cbf0068d308f5e59e298f26cd6f62d0ae

SHA256
ad547ea9de81cc12297080f6c6d4a5ca0df4c749b593ce4f9a0965c8fcba48e4

SHA512
b40176e04f4acba94c024a9ec93e0124ab55c6f46a79b0a294798c04bc1efcee657d4af0b9bf1dff27bfeee556fc3b39db80f3662a4ea7e7f426fedcf4b2cb7c

Download Submit
\Files29\devbodloc.exe

Filesize
3.1MB

MD5
a5fb41cc2d980083c87621804b1ba68f

SHA1
f0c3b2156072566a75b8d56c042114e035cb6db0

SHA256
31c81646ae942181804ee48ca4e4ab20b0a1e40bacc431480cbbc489490c4986

SHA512
2d25ff4767f61eaa7e67ea3b0aa681fcef93cb04f4e33ecb497afc258cc92a95ffd30cf90825ad65888d641ff3063d17b8809ec0cc31f9ca2d8345145310fceb

Download Submit