Analysis

max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 17-08-2024 09:23
Static task: static1

Behavioral task: behavioral1
  Sample: 389e101c4706aed3fe07b7ebf06ede80N.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: 389e101c4706aed3fe07b7ebf06ede80N.exe
  Resource: win10v2004-20240802-en
General

Target: 389e101c4706aed3fe07b7ebf06ede80N.exe
Size: 2.7MB
MD5: 389e101c4706aed3fe07b7ebf06ede80
SHA1: 9f98928db60dcbc9623040e7b1c201838a7cc504
SHA256: b175a0890b0a46ad09305869f77bda9262de713793a714de5a0cddfd015574b7
SHA512: 5d40f0b29ec49c97167be167cb16f9ca96a02ca6cac4af5e60d773e8a63b521175ab000e2a80dbae0dfcea09a87fba747b8df72b505600f3363b2561c6b81714
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBa9w4S+:+R0pI/IQlUoMPdmpSps4X
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2860  process devbodloc.exe

Loads dropped DLL (1 IoC)
  pid 1240  process 389e101c4706aed3fe07b7ebf06ede80N.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZ2\\devbodloc.exe"  (process: 389e101c4706aed3fe07b7ebf06ede80N.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZB4\\boddevec.exe"  (process: 389e101c4706aed3fe07b7ebf06ede80N.exe)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 389e101c4706aed3fe07b7ebf06ede80N.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: devbodloc.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 entries, all repeats of the same two pid/process pairs:
  pid 1240  process 389e101c4706aed3fe07b7ebf06ede80N.exe
  pid 2860  process devbodloc.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  4 identical entries:
  description: PID 1240 wrote to memory of 2860  pid: 1240  process: 389e101c4706aed3fe07b7ebf06ede80N.exe  procid_target: 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\389e101c4706aed3fe07b7ebf06ede80N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\389e101c4706aed3fe07b7ebf06ede80N.exe"
   PID: 1240
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\FilesZ2\devbodloc.exe
      Command line: C:\FilesZ2\devbodloc.exe
      PID: 2860
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.7MB
MD5: 052d20e299fc5e6d20da90a59707742c
SHA1: 50d1aeae8f9271779fa74d82d251ca29f6a23c14
SHA256: a8f8c493b6e86af7a5bea77eb8a1f940353f0d23862b1d3678b1cdd723910d2a
SHA512: 6414f8d7291878dba40372e2b2eef98b4a26904d40ba1a7a6c7412bd02654e36fab4bd93ef040d718ddb9640de2b32bea625478b1b97c0124f996eb54ba61839

Filesize: 204B
MD5: 6d66a8ff4195ce636237c394d144d268
SHA1: db5f9618d4606e0334547c1f6e028ce5e868de1d
SHA256: 0b116850d3c6209dcb477194cd8520499497daf399bd001377d8d8d8a4b853cc
SHA512: 71c29132e1ede769c57a87adfc1cf40f8e8334556afe45f2a78f0b8cb0b6cbc7ab16b6574f92799735a42c4e988ec074436cabf809f8d7fe35e995c138327d28

Filesize: 2.7MB
MD5: 5df8685f5b5cf99b4701f7f77e6ac383
SHA1: c23e13d1d5a206b53efa1449407db79898329a92
SHA256: 8d1e3636f2304c6df0547a589f54d07961ba0ba5c723dde631c080cde75004ff
SHA512: b6145d79190c318ccdd304097aeb1ead85f50470be53e20fc49e968e2fc4756cbd5e8040b6c2d30775f0ea1e0f2d18233a59c2ae684a0d99eaff135206ca9990