Analysis

  • max time kernel
    119s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/08/2024, 15:12

General

  • Target

    b6576f3ab56d9eb0ed3c49ae32f79200N.exe

  • Size

    2.7MB

  • MD5

    b6576f3ab56d9eb0ed3c49ae32f79200

  • SHA1

    11b145961a5e0d3866cf04acf6572185cd79bccd

  • SHA256

    78db052a45b70fa9641178a25561d4e3c95e2d3cda7264d5f5df68ab6eabb817

  • SHA512

    7aacd18b486ba70ed8a99ac1bf6bc87c38f4bcc5b90d2b28e25aaec6dff1883a8d940f4f93de99e519a991b77047074d425dda48d3894a7387960539cdc4c4ba

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBT9w4Sx:+R0pI/IQlUoMPdmpSpv4

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6576f3ab56d9eb0ed3c49ae32f79200N.exe
    "C:\Users\Admin\AppData\Local\Temp\b6576f3ab56d9eb0ed3c49ae32f79200N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\SysDrvRT\devbodsys.exe
      C:\SysDrvRT\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxW6\dobdevloc.exe

    Filesize

    2.7MB

    MD5

    c9460552eca248dfd8b8671f7fc7cd8d

    SHA1

    a8a59d7594ba9be01047a70e90c1ce1e040fd2eb

    SHA256

    f0f9b3a53197eb417099086d6cf952ffc7de892ee94cbdfc3309ad4e7dba6364

    SHA512

    a2c6f6bac3c7fd5f4e18c54e848311cd5ceffd077a2410b0ed920de9ed0483654ca1eeda53caea8f3fec8c980adba3a2f46d4db0b360b805fcc0d1b5df90867d

  • C:\SysDrvRT\devbodsys.exe

    Filesize

    2.7MB

    MD5

    92e07a0d4cc1212b929419a3ecd0615e

    SHA1

    cb80d5a077905132c1f229d28d324de2256b7038

    SHA256

    bbcaab929c9dc4959f9c43d0e668d1f2ad81f4063b3d6911e930bcf4a16dea59

    SHA512

    9da0aaf2a26496a691e0d9415f2d743a2be3cee3ac05e81bb4e6e7b02f33c2c4fc90fde5bd1a14015eb559af0007bdb0fc6048a6f3c5ee56aa8e21738e4abb5f

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    207B

    MD5

    c7b2739968897de2385a153c5d8ad555

    SHA1

    2fa59f78371ea8fa1304593284c4eb4efac0c5e6

    SHA256

    1cab2f6ceb1b1f87ffac42f846f52a7a0292ba75a3ab3ba690c407bd3ce9068c

    SHA512

    338649613055d058e3edc491a802f67b9a197399360582da1f493a8b161b193b42cf47c763947af226c41a4aabcc7f3c2444e8a8bfe6563e8ddc0fa468e7f8d9