08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 18:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
Size

2.7MB
MD5

4b2a5356aa624bcccf84d047269a36fb
SHA1

d2790f4d2fc27d50babddf97bafb5b2907a688e3
SHA256

08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd
SHA512

a04ff768b50015bba65f25cd8ffe4e44a52676fb009a5ccbd5acab9273ca06b3dee0d6e5fc54e8e9f59a55dec0f79e86da0d62cd83e3afb018a5ecc42f8f71ad
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBm9w4Sx:+R0pI/IQlUoMPdmpSpE4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2916	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKV\\devbodloc.exe"	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCM\\dobdevsys.exe"	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
2916	devbodloc.exe
2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2916	2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe	30
PID 2992 wrote to memory of 2916	2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe	30
PID 2992 wrote to memory of 2916	2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe	30
PID 2992 wrote to memory of 2916	2992	08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe	30

C:\Users\Admin\AppData\Local\Temp\08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe
"C:\Users\Admin\AppData\Local\Temp\08dc98118679c825a8b4541ab34d35e63788fc51ec444a2623be6d13607483cd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2992
- C:\AdobeKV\devbodloc.exe
  C:\AdobeKV\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxCM\dobdevsys.exe

Filesize
2.7MB

MD5
62a2587b9314bef58c5879caad6e3bec

SHA1
5397f302d14601a61555f245d6fa2793493190c5

SHA256
ba6781e89ef10a28afaeff280056f21a1184b913bdd8f1aef3b89d79725e9ce8

SHA512
6fdf3979e79486fe3f9e08e367720ea4a789f810bb7a1f04687e2b941b67b96a936854fce9a3f370aa4947ca3aab742d5bd12b724512bf197dd5e8065509fd33

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
2d5deac625ed2e33a7dc64fb78ffa861

SHA1
3e40ec607e8d90f885224c938c72203384355932

SHA256
f12dc57fec1671daf9df8a31e80b5e841ffdaad0763d3e3538a9526e8956f826

SHA512
2e86a86fe519ffcfb80a79ee87dea6440939f5b3553b1fa66e6395ef2a808d46b61009ee4a9fb1fd0bd0e55a5af09d359fff4ec18cb45ac98f3ca2190af6fc1c

Download Submit
\AdobeKV\devbodloc.exe

Filesize
2.7MB

MD5
958a67b346486b68a9f6e4e844aecdf7

SHA1
7b0ffe3cd13dde4808a715e57d456979f1a7eadb

SHA256
20849d3cd480140dbeef46665554ffdc9cb032f59496b9be32adb6a445fecd6f

SHA512
cd06d23a1d1bd2c5aa48a89a30b688382c1652474d2dc0bcb1a6aeb838da594316309bc2b4cd881d73fa79aa73a9293dbcc70c167d47c3b37e9dc6aa815df2ca

Download Submit