99ba52880a39b5f1b399a61bf51e3251c773ea62e1f301c52e9ecb52287a14d0

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 05:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4109429cb18ce817037b09675b0635f0N.exe
Size

2.7MB
MD5

4109429cb18ce817037b09675b0635f0
SHA1

f3b649149c200b440c8f53e3fd5f90809f637b1d
SHA256

99ba52880a39b5f1b399a61bf51e3251c773ea62e1f301c52e9ecb52287a14d0
SHA512

52b2a9ad7c53f75d9b3096ca493162ad704adcada1dcf070cd9cb1333e02b46b63c53989b63738f60833b658d3855790b6464342f89befc72aee4247e75f2d20
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4Sx:+R0pI/IQlUoMPdmpSpu4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3564	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCM\\devbodsys.exe"	4109429cb18ce817037b09675b0635f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZT\\dobaloc.exe"	4109429cb18ce817037b09675b0635f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4109429cb18ce817037b09675b0635f0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3564	devbodsys.exe
3564	devbodsys.exe
3272	4109429cb18ce817037b09675b0635f0N.exe
3272	4109429cb18ce817037b09675b0635f0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 3564	3272	4109429cb18ce817037b09675b0635f0N.exe	95
PID 3272 wrote to memory of 3564	3272	4109429cb18ce817037b09675b0635f0N.exe	95
PID 3272 wrote to memory of 3564	3272	4109429cb18ce817037b09675b0635f0N.exe	95

C:\Users\Admin\AppData\Local\Temp\4109429cb18ce817037b09675b0635f0N.exe
"C:\Users\Admin\AppData\Local\Temp\4109429cb18ce817037b09675b0635f0N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3272
- C:\UserDotCM\devbodsys.exe
  C:\UserDotCM\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1288,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8
1⤵
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintZT\dobaloc.exe

Filesize
2.7MB

MD5
6358da04ffda53a61543768b58c85230

SHA1
915601d810a160ef0c6d07dad95ff052a0fa2ef8

SHA256
9dad51adfb59f03f02e876afaf4a2c2d528b965083cb10cbff6e85a9bc56704a

SHA512
0adc37b52d3bf108786bfd69f92a9945aea830d65330f89dc66bf90fa4bf0ee2b5992c1835ea048924b7bc406cb522de1b0a3d47de67484ec1704cdc327d1f26

Download Submit
C:\UserDotCM\devbodsys.exe

Filesize
2.7MB

MD5
9c58b375e2804e30c7df1e19ff1d269d

SHA1
191d140a85451ceb3287dcf062c2885931d25a97

SHA256
a428f2077efec78cb3110caba7426b24cf7accece91fed88ed9486d796e4ed17

SHA512
c95d71d841337d0917bb2fd01e27de735c3a768a54d3857a1da3280fff6f981f33128f40569843f4210f8af6900bdac86315d71c2e982c3c9eb428aecddfffdc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
62d448c8b9c31aa2ca2e97ced766be64

SHA1
da6513758504da7f94492743fdc6bccbf21911b5

SHA256
25c4db7e181fcd1ad9e8943df0a382147961ea62dd1c1cf9d8d4ede0449a1131

SHA512
cf199e685f5ab0446f81bfd2d39ad3345676e7b9da08609807af3c9c48652ef03f863ac798238faf936b3415c031cfc9c30e924eb245b34f6253a94d7326c5fc

Download Submit