Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/08/2024, 04:07

General

  • Target

    6a129fff61c52a1e98de3db21daa75b0N.exe

  • Size

    2.7MB

  • MD5

    6a129fff61c52a1e98de3db21daa75b0

  • SHA1

    3a191b45c786691c7e8d5b6c98f3d296a9502b4d

  • SHA256

    59a88fb3571c7839d37bc090322ee9d6003355d45fa881fa7b722ce233b514a7

  • SHA512

    008ddc15119315b21bd2f9eb04fb8bd53c116f97d0c668c567557022b79dc2bc8122a30482683af444b51037f6317dd677a81e2ea72b600f08e9c7da70b1a01d

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBb9w4S+:+R0pI/IQlUoMPdmpSp74X

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a129fff61c52a1e98de3db21daa75b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\6a129fff61c52a1e98de3db21daa75b0N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\SysDrvWH\xbodsys.exe
      C:\SysDrvWH\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LabZEP\dobdevloc.exe

    Filesize

    44KB

    MD5

    152adfe481ced658e20985f7e54f0662

    SHA1

    d40e90f4f6cf6927c554c8412181f45983f41566

    SHA256

    90c23d6898ba2b155f770e72796294fad8879498c2b492dc64e87dbefe9b4398

    SHA512

    423224cf1d31327a7463535c96766b895a91e719aca8a6cf25115d58499cb495e6d3cd81e505b759b52b47f75167243f6456d5e4db9519652dbf7a8c31abbac1

  • C:\LabZEP\dobdevloc.exe

    Filesize

    2.7MB

    MD5

    9db24087fc0918d608d831eddd3be1e3

    SHA1

    564b31471cad9bd81b65949bd051b889c6efdeb9

    SHA256

    ad61685ff49e37b5825c7dd8e9809a3ed3e7d6b984784f919fb6ca43b990f3dd

    SHA512

    82c5db30afdcb04cb9d56a5b644527b8a02b114ffe6c2c994ff8ed238630dd7d682571db74c8c1a412a79da4103357ef7d505a5d76d6d5dbb7a301df6e14a28d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    202B

    MD5

    7d9d74ba49dd83de09c6d02a9cdb4f7f

    SHA1

    522a147dc5cf6c9c32b6acdbeeb49a03972135ee

    SHA256

    2f036b98113e163b3e09b4e60ce92f7adf0098885ffee81605f38dfd2b81cb2f

    SHA512

    8d56a85b9258dbc29afff33bb049d09700e4a78c3efb2791c5b951724c68d818889c35ad291d8d892618b803c313220f3865ab95d9c45013a1e21c5a66e94bcb

  • \SysDrvWH\xbodsys.exe

    Filesize

    2.7MB

    MD5

    1d99b221f34c6a552c2ebbebdbca64bd

    SHA1

    89c4ce1c245491cafbae898e17a43bed6897e1ff

    SHA256

    e35d2e6f0d7595a59cb137a89c7b1ddb20aa985e630b5aab346ea4efd6efe6b2

    SHA512

    d9a33dcd27f3e654c6448b2912b03cc56e667847fbf22e63cfffb835775e3cd0660b596bcac80bc5c45971f1d323961889d0906cccc67eb21f3f296b76424ee0