26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
Size

2.7MB
MD5

1ea58000756dcf8acac702a7e0d50c26
SHA1

ad998f3e95b02d625bc5ebfe45869ce324d3fe11
SHA256

26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9
SHA512

6693e490f9372ec13b9c992cb112783fc294d3f189fac4b1030c8a315098d44301d070a94976186c047e98f0612556753523e8ef2a551c4550a65986e049e47a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Sx:+R0pI/IQlUoMPdmpSp24

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1956	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMS\\devbodec.exe"	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZED\\boddevec.exe"	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
1956	devbodec.exe
1956	devbodec.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 1956	376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe	90
PID 376 wrote to memory of 1956	376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe	90
PID 376 wrote to memory of 1956	376	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe	90

C:\Users\Admin\AppData\Local\Temp\26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
"C:\Users\Admin\AppData\Local\Temp\26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:376
- C:\IntelprocMS\devbodec.exe
  C:\IntelprocMS\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocMS\devbodec.exe

Filesize
2.7MB

MD5
b8a59d10d485a0bb4d7153333c553f42

SHA1
15795db12db80e09b35fec86e46c7afe258190ff

SHA256
27989783eb4f886b01a47e8b42a72e64b40ede8dbfa4147b396911322259ca6c

SHA512
ec3ed6b2e148ee5f1e55f062113a245f14a6bf0d3dc27d9b8c349b71eedeb1ff45acb8fc359ef400869f087e753bf270b68aea2049fcd7ab0be8b9a54bd75131

Download Submit
C:\LabZED\boddevec.exe

Filesize
4KB

MD5
93c3f87716a154eea8306d08215372c4

SHA1
d03afe36d1680611b65fb7c13b57d148398a6901

SHA256
c98fca3871ef568c1496363395b309f028eb71f64f1b7c1e44b778a566fb06ef

SHA512
4629f27969a1b71e71f22272703931b9432442b20d8ef142752358a637db0af4a14b04074e4bcaf6aba2680596506901d4e7394a8b7f35d895e3836b4532f59f

Download Submit
C:\LabZED\boddevec.exe

Filesize
2.7MB

MD5
6e163a902bfbba6d2314568db0080599

SHA1
862a6462b9d340cf7754efb65922c83c86298d79

SHA256
6d66a6df493e6e1aa7d206aa327831e6c089e76e17c92e1711639dc430a5b019

SHA512
1dcc20f95fbd24ccdf9aeb6086e2c125716afd021fe4b0aced42d7106882146cb83531bc50e101ed4dcdb245c1ae6ce99cc068e73a7b994c590c9c4e4c798f52

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
02f09b4c15fba2b61dd0f59abecf47f3

SHA1
bdfd0f8202f296caed4b0431d7121838e656059b

SHA256
085d427bfca42d2d5e307d6d0a6fd7741459a97affc83ca6ff70082d4bff465f

SHA512
102752e82dd58de008f4834e1013a01c708d79bd1f552a745e64e98fd8718bf33836904f85c311b680ece2858f2f7d4ce410bb6dc9092d79f2e0fdd11e7e782b

Download Submit