87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
Size

2.7MB
MD5

35f8c7f1f7a112570f1aeaa895fe71e0
SHA1

91e04fcc331ae1087130d2136d6c373c2e7dc394
SHA256

87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839
SHA512

4ed2e74303a260c0780bb12ffeb5e714e114d95b8f455529c22d4711a503abd87039188e7e1279ff3e99c19e7bfc96bfcb9a12412785fec88d79b921462be01c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBS9w4S+:+R0pI/IQlUoMPdmpSpE4X

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2536	devbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQM\\devbodsys.exe"	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZT\\dobxloc.exe"	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
2536	devbodsys.exe
3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2536	3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe	30
PID 3016 wrote to memory of 2536	3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe	30
PID 3016 wrote to memory of 2536	3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe	30
PID 3016 wrote to memory of 2536	3016	87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe	30

C:\Users\Admin\AppData\Local\Temp\87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe
"C:\Users\Admin\AppData\Local\Temp\87479a69580640ca83a2e897e544f4764afed2b2e6dab7f4b06457bd19bc3839.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016
- C:\UserDotQM\devbodsys.exe
  C:\UserDotQM\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZZT\dobxloc.exe

Filesize
1.4MB

MD5
d52a35a94e4cae3b563a556bde7b9e46

SHA1
057ab918e880022a4cbd3a2d5edf831bfce14246

SHA256
b9b74efa8984d8a7fa6d58e128338e837f8d8b4fb0d18496e0590f58d0950e40

SHA512
db70b8c31388ad8b4f8d849e69e36914e97ffc2eb454177d647e39d9f9171a16fb49f4cbd7d9ec18951050131ae8f7023a30a83be97004ba3d3182b4fa39cc04

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
6f7891c1e1db2c6a160c8c6e33a5983b

SHA1
79604026b594dfd9dd7493b69f131a2b5f275cfd

SHA256
7eca814d8da5f61a03513a7a990c1ff046c34d742a3b7027b076ba2d8df5a51d

SHA512
3cda9f108cfb5e0b148eb3de95db1bbeaa17fb423931fbd5ed77bd031e02c34524a29586da33654539789afaceb0ae6201984eb5fe0d46b9a93187ab0c6c7e26

Download Submit
\UserDotQM\devbodsys.exe

Filesize
2.7MB

MD5
81742e47a2d1b000f9bb1780a4c55a1b

SHA1
5877bb16923bc962a12ecafc431afeab9f87da84

SHA256
484497bc703c7ce34ac8dcb738c94c1b24c946090d80a222a7a1c30429c868cf

SHA512
1aa8540f1df9298925f0aa0531d56ba90e005503997336143c1c20d658966183aa0840dad35e67b8c5e6bf2dad8a184f2b6953cd5a613fbad4fbd5578b65ea02

Download Submit