90c34a9afc2a7d75f6bb374809f0fa09cd9f8b2ac9cb416041e1925275cc0f9e

Analysis

max time kernel
119s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf87d7acd742819c3473a839282ce10N.exe
Size

2.7MB
MD5

1bf87d7acd742819c3473a839282ce10
SHA1

3de868f6bb21cc430764137e23b8971393898733
SHA256

90c34a9afc2a7d75f6bb374809f0fa09cd9f8b2ac9cb416041e1925275cc0f9e
SHA512

2e83eedfd2db96a16ada16309d1f3e187f9ec11dc31a0f369c0a21621fc4d57e622c6ece8cc8bbecbd5f4e49156a5c92950a1a6aa85c44a9895896fbf1b3c43e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBT9w4Sx:+R0pI/IQlUoMPdmpSpX4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4820	devbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidXW\\boddevsys.exe"	1bf87d7acd742819c3473a839282ce10N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXM\\devbodloc.exe"	1bf87d7acd742819c3473a839282ce10N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bf87d7acd742819c3473a839282ce10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4820	devbodloc.exe
4820	devbodloc.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe
4528	1bf87d7acd742819c3473a839282ce10N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4820	4528	1bf87d7acd742819c3473a839282ce10N.exe	87
PID 4528 wrote to memory of 4820	4528	1bf87d7acd742819c3473a839282ce10N.exe	87
PID 4528 wrote to memory of 4820	4528	1bf87d7acd742819c3473a839282ce10N.exe	87

C:\Users\Admin\AppData\Local\Temp\1bf87d7acd742819c3473a839282ce10N.exe
"C:\Users\Admin\AppData\Local\Temp\1bf87d7acd742819c3473a839282ce10N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4528
- C:\SysDrvXM\devbodloc.exe
  C:\SysDrvXM\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvXM\devbodloc.exe

Filesize
2.7MB

MD5
9df4c3440b6cf22e372efa5beed0bd0d

SHA1
457f86031dd07135bbedc28a2cadb9075c5baeda

SHA256
17533fd583cfa97b6c39514751547a1a09a0e1dfbff31d3d95411ed2af6bd5a0

SHA512
8ace46293121612367a0bd796ab668dde54145b1aacd429bf666dd3f1c43fceb4e8231be036a346968da0d41ba0feec57fb9bed83a74d73c07ace2a7c6e9300d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
213B

MD5
58c1987c778c7fb09eb79bda8f992503

SHA1
9c9ab1433dc3cab8e69161f5581addfe648e10a4

SHA256
aad380be25fd825c1fe155076641689ece1e37da04a010e12b8084b00879970f

SHA512
588ec7669ffc40b4e292786c625cf7b8d2a6b1c1e31a5d554d77dcd87cd6ba7a366b16257d1a1c2e88e1c62cfc8a1825406e301d7c05f8d36dc2d4952fef1656

Download Submit
C:\VidXW\boddevsys.exe

Filesize
7KB

MD5
2a66be02c3c27b489db2b8f5953bfa44

SHA1
242635a3ee1d142a92bde39c7a1cc5f12f53958b

SHA256
03c57c4403a457ba972b4a8fdf0a50876ef50b8a586b9366482ff3c6b84629f8

SHA512
8aaf81d458a35a958dddb5bc34416bc1e466d0c165d37c2b731745a84fe3083d42dafb1a1f3ef64045127ac64eba2d82205268cb3b08604e71997aec0d2ce625

Download Submit