78db052a45b70fa9641178a25561d4e3c95e2d3cda7264d5f5df68ab6eabb817

Analysis

max time kernel
119s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6576f3ab56d9eb0ed3c49ae32f79200N.exe
Size

2.7MB
MD5

b6576f3ab56d9eb0ed3c49ae32f79200
SHA1

11b145961a5e0d3866cf04acf6572185cd79bccd
SHA256

78db052a45b70fa9641178a25561d4e3c95e2d3cda7264d5f5df68ab6eabb817
SHA512

7aacd18b486ba70ed8a99ac1bf6bc87c38f4bcc5b90d2b28e25aaec6dff1883a8d940f4f93de99e519a991b77047074d425dda48d3894a7387960539cdc4c4ba
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBT9w4Sx:+R0pI/IQlUoMPdmpSpv4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2044	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvRT\\devbodsys.exe"	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW6\\dobdevloc.exe"	b6576f3ab56d9eb0ed3c49ae32f79200N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2044	devbodsys.exe
2044	devbodsys.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe
2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2044	2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe	86
PID 2628 wrote to memory of 2044	2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe	86
PID 2628 wrote to memory of 2044	2628	b6576f3ab56d9eb0ed3c49ae32f79200N.exe	86

C:\Users\Admin\AppData\Local\Temp\b6576f3ab56d9eb0ed3c49ae32f79200N.exe
"C:\Users\Admin\AppData\Local\Temp\b6576f3ab56d9eb0ed3c49ae32f79200N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628
- C:\SysDrvRT\devbodsys.exe
  C:\SysDrvRT\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxW6\dobdevloc.exe

Filesize
2.7MB

MD5
c9460552eca248dfd8b8671f7fc7cd8d

SHA1
a8a59d7594ba9be01047a70e90c1ce1e040fd2eb

SHA256
f0f9b3a53197eb417099086d6cf952ffc7de892ee94cbdfc3309ad4e7dba6364

SHA512
a2c6f6bac3c7fd5f4e18c54e848311cd5ceffd077a2410b0ed920de9ed0483654ca1eeda53caea8f3fec8c980adba3a2f46d4db0b360b805fcc0d1b5df90867d

Download Submit
C:\SysDrvRT\devbodsys.exe

Filesize
2.7MB

MD5
92e07a0d4cc1212b929419a3ecd0615e

SHA1
cb80d5a077905132c1f229d28d324de2256b7038

SHA256
bbcaab929c9dc4959f9c43d0e668d1f2ad81f4063b3d6911e930bcf4a16dea59

SHA512
9da0aaf2a26496a691e0d9415f2d743a2be3cee3ac05e81bb4e6e7b02f33c2c4fc90fde5bd1a14015eb559af0007bdb0fc6048a6f3c5ee56aa8e21738e4abb5f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
c7b2739968897de2385a153c5d8ad555

SHA1
2fa59f78371ea8fa1304593284c4eb4efac0c5e6

SHA256
1cab2f6ceb1b1f87ffac42f846f52a7a0292ba75a3ab3ba690c407bd3ce9068c

SHA512
338649613055d058e3edc491a802f67b9a197399360582da1f493a8b161b193b42cf47c763947af226c41a4aabcc7f3c2444e8a8bfe6563e8ddc0fa468e7f8d9

Download Submit