016d17cb37fae920b04c3371bd5a48fbb16173196c8c95584083e83dd21cb79e

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 15:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82d3cd7883e2d506a2e62472f2689810N.exe
Size

3.1MB
MD5

82d3cd7883e2d506a2e62472f2689810
SHA1

646eec4f1cf7e2ecec088d0871adfce7281e4595
SHA256

016d17cb37fae920b04c3371bd5a48fbb16173196c8c95584083e83dd21cb79e
SHA512

1d3e59c8d2df19be81356f0330df2882eb07170de0014a16a589f46a270d7d5423dbd7fe45912f5b2c67d81d30a503f384a90ddf80852bf395ae35252675757b
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBm9w4Su+LNfej:+R0pI/IQlUoMPdmpSpE4JkNfej

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1068	devbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	82d3cd7883e2d506a2e62472f2689810N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVS\\devbodsys.exe"	82d3cd7883e2d506a2e62472f2689810N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxY4\\optialoc.exe"	82d3cd7883e2d506a2e62472f2689810N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82d3cd7883e2d506a2e62472f2689810N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	82d3cd7883e2d506a2e62472f2689810N.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe
1068	devbodsys.exe
2384	82d3cd7883e2d506a2e62472f2689810N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1068	2384	82d3cd7883e2d506a2e62472f2689810N.exe	30
PID 2384 wrote to memory of 1068	2384	82d3cd7883e2d506a2e62472f2689810N.exe	30
PID 2384 wrote to memory of 1068	2384	82d3cd7883e2d506a2e62472f2689810N.exe	30
PID 2384 wrote to memory of 1068	2384	82d3cd7883e2d506a2e62472f2689810N.exe	30

C:\Users\Admin\AppData\Local\Temp\82d3cd7883e2d506a2e62472f2689810N.exe
"C:\Users\Admin\AppData\Local\Temp\82d3cd7883e2d506a2e62472f2689810N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384
- C:\FilesVS\devbodsys.exe
  C:\FilesVS\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxY4\optialoc.exe

Filesize
6KB

MD5
320719c96854b0a5fd311ad8efe3b90c

SHA1
929f6f68e9d0ac11ddb60ac23f6df8e912623717

SHA256
bd7ff3d8c407c624edd5ceb1265060b5503e5a215dfdcf474c9d311d2e7612d8

SHA512
2b1fe1fde8fe575df017873514f9b0313565bc3fe9d79bc7d99a68a366bba63b2cfe02be2b7261cefccc38ad68dd6b63b8c98bf9bf50e57119b8396d3e0476ee

Download Submit
C:\GalaxY4\optialoc.exe

Filesize
3.1MB

MD5
6c8ff9b9b07e8041009d81f2c8d6d557

SHA1
92534b65cdf16cc662a4c9b020c3157d5d5bab0f

SHA256
6599f65418bc98abaf710079a5fa7c55c73ef162fa3be2a96ad83d4f38aba9f7

SHA512
5ad91ea5f9f6eb26b637a8523119d920cd8997955802ac73a903c51e58f498e0fef6b2ca8eb8795cb1b102bc795263eb58c3500c691b7dc43bd7aa25e2c837d5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
a0220cdcb29d51769fb57f6ac380da6b

SHA1
fa64fc3fb0c40368107ae7ad00ff4ab8d0b33718

SHA256
1c73bc7a7e94d635f7f60723613ef363acdc830035b00a5c7309edf9c0070a53

SHA512
19ec02c6c8f698e890207cb375436d8b581f1b37222a1974c243514588820db3e0aaa334b8cf177895db862c4ea301cbdb5356641e8bdb56e268285fb1e3e321

Download Submit
\FilesVS\devbodsys.exe

Filesize
3.1MB

MD5
386210dbbd5d8a299f1917e1921f1f2e

SHA1
fff430b0578650458b9cbb4e9607caecb2a6e4f2

SHA256
a67e162415440608a04b85480e844a739a2609675abd99f67179b0df3aca6f2d

SHA512
4ba2545e6dd358265ea870022570bbea471ce2569d24637a0b3218c627a13e86f3903a14fce974335c06ffd72e575c7b8f94139020cfd376962d4ada6fdeb34c

Download Submit