Analysis
- max time kernel: 119s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/08/2024, 15:12
Static task: static1
Behavioral task: behavioral1
- Sample: b6576f3ab56d9eb0ed3c49ae32f79200N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: b6576f3ab56d9eb0ed3c49ae32f79200N.exe
- Resource: win10v2004-20240802-en
General
- Target: b6576f3ab56d9eb0ed3c49ae32f79200N.exe
- Size: 2.7MB
- MD5: b6576f3ab56d9eb0ed3c49ae32f79200
- SHA1: 11b145961a5e0d3866cf04acf6572185cd79bccd
- SHA256: 78db052a45b70fa9641178a25561d4e3c95e2d3cda7264d5f5df68ab6eabb817
- SHA512: 7aacd18b486ba70ed8a99ac1bf6bc87c38f4bcc5b90d2b28e25aaec6dff1883a8d940f4f93de99e519a991b77047074d425dda48d3894a7387960539cdc4c4ba
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBT9w4Sx:+R0pI/IQlUoMPdmpSpv4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid  | Process
  2044 | devbodsys.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                                     | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvRT\\devbodsys.exe"     | b6576f3ab56d9eb0ed3c49ae32f79200N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW6\\dobdevloc.exe" | b6576f3ab56d9eb0ed3c49ae32f79200N.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                        | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b6576f3ab56d9eb0ed3c49ae32f79200N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | devbodsys.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 events come from the same two processes, listed repeatedly in the original report:
  pid  | Process
  2628 | b6576f3ab56d9eb0ed3c49ae32f79200N.exe
  2044 | devbodsys.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       | pid  | Process                               | procid_target
  PID 2628 wrote to memory of 2044  | 2628 | b6576f3ab56d9eb0ed3c49ae32f79200N.exe | 86
  PID 2628 wrote to memory of 2044  | 2628 | b6576f3ab56d9eb0ed3c49ae32f79200N.exe | 86
  PID 2628 wrote to memory of 2044  | 2628 | b6576f3ab56d9eb0ed3c49ae32f79200N.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\b6576f3ab56d9eb0ed3c49ae32f79200N.exe (PID 2628, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\b6576f3ab56d9eb0ed3c49ae32f79200N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\SysDrvRT\devbodsys.exe (PID 2044, depth 2, child of PID 2628)
    command line: C:\SysDrvRT\devbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: c9460552eca248dfd8b8671f7fc7cd8d
  SHA1: a8a59d7594ba9be01047a70e90c1ce1e040fd2eb
  SHA256: f0f9b3a53197eb417099086d6cf952ffc7de892ee94cbdfc3309ad4e7dba6364
  SHA512: a2c6f6bac3c7fd5f4e18c54e848311cd5ceffd077a2410b0ed920de9ed0483654ca1eeda53caea8f3fec8c980adba3a2f46d4db0b360b805fcc0d1b5df90867d
- Filesize: 2.7MB
  MD5: 92e07a0d4cc1212b929419a3ecd0615e
  SHA1: cb80d5a077905132c1f229d28d324de2256b7038
  SHA256: bbcaab929c9dc4959f9c43d0e668d1f2ad81f4063b3d6911e930bcf4a16dea59
  SHA512: 9da0aaf2a26496a691e0d9415f2d743a2be3cee3ac05e81bb4e6e7b02f33c2c4fc90fde5bd1a14015eb559af0007bdb0fc6048a6f3c5ee56aa8e21738e4abb5f
- Filesize: 207B
  MD5: c7b2739968897de2385a153c5d8ad555
  SHA1: 2fa59f78371ea8fa1304593284c4eb4efac0c5e6
  SHA256: 1cab2f6ceb1b1f87ffac42f846f52a7a0292ba75a3ab3ba690c407bd3ce9068c
  SHA512: 338649613055d058e3edc491a802f67b9a197399360582da1f493a8b161b193b42cf47c763947af226c41a4aabcc7f3c2444e8a8bfe6563e8ddc0fa468e7f8d9