06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
Size

3.1MB
MD5

8f15cefe374973c8ec3c6625f09930ec
SHA1

b3745edb23554aee90efc94b3b9ede24d3a34849
SHA256

06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448
SHA512

20c56551d49e9e66a770e54943a5d7b8f21732873df22bd12018dfada40bdebedc3ca924ad6020cf9c5ca524cc71b7f14e59d88225ac6f3c4b6242563fef7a91
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBy9w4Su+LNfej:+R0pI/IQlUoMPdmpSp44JkNfej

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2344	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6R\\devbodloc.exe"	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLI\\boddevec.exe"	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
2344	devbodloc.exe
304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 2344	304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe	30
PID 304 wrote to memory of 2344	304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe	30
PID 304 wrote to memory of 2344	304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe	30
PID 304 wrote to memory of 2344	304	06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe	30

C:\Users\Admin\AppData\Local\Temp\06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe
"C:\Users\Admin\AppData\Local\Temp\06e88c91bc9470fbe5575f2fce55401a06ec2d2ed595e1f24d25a69b649f7448.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:304
- C:\UserDot6R\devbodloc.exe
  C:\UserDot6R\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZLI\boddevec.exe

Filesize
3.1MB

MD5
8521a267f813d576c43770e9559ddae5

SHA1
9a44b68b60e6280f4ef26b5be5a847d05d4e8158

SHA256
d92d1d01106951d229efe4178ded709d6f07fd45c553dfd371c05fbd84eec420

SHA512
e053c7fe9dab343b46631997585229d2d425e22289619f012bd34de65eb6f9a20da4d650d0fb4d64d8307f07b8194030c7edefd8b3a35de2eb581c9b299b53f9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
51165960f7e582454a6af99ddc0dcb04

SHA1
6b5592796e094237d499fbaa4891fef1ef7fd0a8

SHA256
a0d305f6126a25f27ab1d8aa68eee1909e9d8cf015a96cafeae4e59ded88be04

SHA512
104108588361b7b7abcd1dfd6603cf5536926a946ecf61b44f9d7f5273259c9c7be4d7cd11b3672447b581bb4903205703bf97e5836930cddc235a6199cbbbb1

Download Submit
\UserDot6R\devbodloc.exe

Filesize
3.1MB

MD5
d147dab4883633cce0f68f1ab1e2beac

SHA1
715eec62e1ebd4968024353e901814eff073e8d7

SHA256
de1e112032151d48dd90b1b38cd44ae4e3e46fa9b64ada09d033c85dcae9bdcb

SHA512
f6fa63257f2632b4ae1710a330b68c48041b98bb71ee278caab50164e73671330ab82614b9f5322aa845f9ee9f59a7bdca4f04bf5bcaa3f307715f24d73d4390

Download Submit