Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    17-08-2024 09:23

General

  • Target

    389e101c4706aed3fe07b7ebf06ede80N.exe

  • Size

    2.7MB

  • MD5

    389e101c4706aed3fe07b7ebf06ede80

  • SHA1

    9f98928db60dcbc9623040e7b1c201838a7cc504

  • SHA256

    b175a0890b0a46ad09305869f77bda9262de713793a714de5a0cddfd015574b7

  • SHA512

    5d40f0b29ec49c97167be167cb16f9ca96a02ca6cac4af5e60d773e8a63b521175ab000e2a80dbae0dfcea09a87fba747b8df72b505600f3363b2561c6b81714

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBa9w4S+:+R0pI/IQlUoMPdmpSps4X

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\389e101c4706aed3fe07b7ebf06ede80N.exe
    "C:\Users\Admin\AppData\Local\Temp\389e101c4706aed3fe07b7ebf06ede80N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\FilesZ2\devbodloc.exe
      C:\FilesZ2\devbodloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\LabZB4\boddevec.exe

    Filesize

    2.7MB

    MD5

    052d20e299fc5e6d20da90a59707742c

    SHA1

    50d1aeae8f9271779fa74d82d251ca29f6a23c14

    SHA256

    a8f8c493b6e86af7a5bea77eb8a1f940353f0d23862b1d3678b1cdd723910d2a

    SHA512

    6414f8d7291878dba40372e2b2eef98b4a26904d40ba1a7a6c7412bd02654e36fab4bd93ef040d718ddb9640de2b32bea625478b1b97c0124f996eb54ba61839

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    204B

    MD5

    6d66a8ff4195ce636237c394d144d268

    SHA1

    db5f9618d4606e0334547c1f6e028ce5e868de1d

    SHA256

    0b116850d3c6209dcb477194cd8520499497daf399bd001377d8d8d8a4b853cc

    SHA512

    71c29132e1ede769c57a87adfc1cf40f8e8334556afe45f2a78f0b8cb0b6cbc7ab16b6574f92799735a42c4e988ec074436cabf809f8d7fe35e995c138327d28

  • \FilesZ2\devbodloc.exe

    Filesize

    2.7MB

    MD5

    5df8685f5b5cf99b4701f7f77e6ac383

    SHA1

    c23e13d1d5a206b53efa1449407db79898329a92

    SHA256

    8d1e3636f2304c6df0547a589f54d07961ba0ba5c723dde631c080cde75004ff

    SHA512

    b6145d79190c318ccdd304097aeb1ead85f50470be53e20fc49e968e2fc4756cbd5e8040b6c2d30775f0ea1e0f2d18233a59c2ae684a0d99eaff135206ca9990