Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/08/2024, 20:14

General

  • Target
    335989acfdc955967db8819b848a4e3bf7ffb88f0fc6e0ac4fa1010a59eb9a4b.exe
  • Size
    2.7MB
  • MD5
    5e4489f2cd18598701012f0b38c2dfd7
  • SHA1
    b1b5cbd4a75a9908e60eb2b5ee5485f00ee17d62
  • SHA256
    335989acfdc955967db8819b848a4e3bf7ffb88f0fc6e0ac4fa1010a59eb9a4b
  • SHA512
    bb734ff1b0401123eb901bfec21deab8ad6a7d760f1fdeccfcd63063cb73c1a9501d4d62d495a335d8797e7644ede298a04d2122a6fee28bb110d237c26c8bda
  • SSDEEP
    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBn9w4Sx:+R0pI/IQlUoMPdmpSpL4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\335989acfdc955967db8819b848a4e3bf7ffb88f0fc6e0ac4fa1010a59eb9a4b.exe
    "C:\Users\Admin\AppData\Local\Temp\335989acfdc955967db8819b848a4e3bf7ffb88f0fc6e0ac4fa1010a59eb9a4b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\FilesCI\devbodsys.exe
      C:\FilesCI\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3288

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesCI\devbodsys.exe
    Filesize: 2.7MB
    MD5: 53fb269fe551376838830446d8aed5b3
    SHA1: 082a1946669815d3493552033adb82630653e481
    SHA256: c4711e4fde5523d722ec171729eff949abf62bcc3858b3eb70d394ff7d1c30df
    SHA512: e84eaec9dc75af1a37e53a6fb0e3a57a9b2806716aeace36c745efb84435c2496988174d67e9d043cce86799e360a57659fc28b99bf160b2277e9ba3c9090dbe
  • C:\GalaxH1\bodaloc.exe
    Filesize: 2.7MB
    MD5: eef751ac0c7176c586bcc1fa0b5355d3
    SHA1: 3343130c14b2554ad14a03caf0975d61cdf6f0f2
    SHA256: 3e3285710bf32ea6f55276a704338b5fd18afb1378f0d646143e04feacec1af3
    SHA512: 34dbc98105f89a34c081b48a64c73935c9e37b3563444303d6cc0a15f1b875701b2af6412ee893af028eef30fca1b25aea919a35a0b48c9f8998f311675f3b65
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 206B
    MD5: 55ebe8782759ce6beab2bd166c3aabe0
    SHA1: b3ff9a0bbb1004f84ed04c91d1100713bceef7b8
    SHA256: f83c8345497de6a35e5a5ae35bcc26de8775752eaa0c116cf930a5834065d8ba
    SHA512: 200b1400087d8061985ade26f6f566b409612fcf43154804510813cf12d883b06ade58744aa637b861c3bf41d5e67ec504e65bb4b287f7fde6f1a5f9cb7b7eed