Analysis

  • max time kernel
    119s
  • max time network
    85s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/08/2024, 21:57

General

  • Target

    35e70875e812ac8383c01c66741805e0N.exe

  • Size

    2.7MB

  • MD5

    35e70875e812ac8383c01c66741805e0

  • SHA1

    a2ef611c57ce7e7ac29dc652d01225cf69734033

  • SHA256

    f853651eef774acb0e4ad3104cc1aedd2630c1b17388cd0496b5f97831d0fd9b

  • SHA512

    606904076e4d70f26f2d24819575083857fd2ab6998a2a90eb2564afd700998d03e0d0a6afad116ead63f702599ff3ab876bbeee730125cd1d27e13a118a4711

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBA9w4Sx:+R0pI/IQlUoMPdmpSpO4

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\35e70875e812ac8383c01c66741805e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\35e70875e812ac8383c01c66741805e0N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3376
    • C:\IntelprocRH\xbodsys.exe
      C:\IntelprocRH\xbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\IntelprocRH\xbodsys.exe

    Filesize

    2.7MB

    MD5

    5fbd065240e0e1e082358a34c4b24fe2

    SHA1

    2f424f019c23a4ea9e1428363ef7be5fd060658f

    SHA256

    8113e793b24829f6772042c9daecfde979bb6ca4d1f787c888a500a2b6b7537f

    SHA512

    b57ad76f5ef575e535ee61d8358f318db331495e1ba9ecd7fdb1403ce9f378cdeb12774edaf4912992315553f301d377e535a3468880c7479dd5ef50f28fccc0

  • C:\KaVB4V\boddevec.exe

    Filesize

    8KB

    MD5

    18f9e5889b79178d8757b18c8d1b67d3

    SHA1

    e70ee94d53ceba1eacdea91d5af71a2203f08ea9

    SHA256

    187f66f9d8a67e69a32c5d0631666f1a7594d1207f37d94d421023d225ed6c14

    SHA512

    b64bd79cae188097cc91a99887efef58804ba8948745a6bba8e365bf023d7c107be2433b4b8f12720994b00e45c51902ddb1a9042db65adc85c64fea360b76f2

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    205B

    MD5

    760996b8658a714215bdc00cab1fa354

    SHA1

    59108c59a5e49de3f0f8ee15746a5ee45af6a767

    SHA256

    9efd876f56412ca7d33963eee6a514c0cc60d5c845e39850d1173fe2ea28bc20

    SHA512

    359a14fd1cf497f14a09abb9e5a596a6e741e1a821a1cad1d74f6efd4658d231b6428076ea538a90b82da5901f24894074ea499897d711b5c87b53b7e7f0561b