103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
Size

2.7MB
MD5

95ee134eb5f84b928cfce514db43bd51
SHA1

e20d3e2010dd7f234f10f6c3c0f0332d0feb82c0
SHA256

103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d
SHA512

1ecc339cf70779a7a5f66dc9898eb7e7ccdcbd558b9cc32ad90259034f748e5016f359b2e65df7b20185e81631868d4789f3f6d54ade341510e57d5877677453
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBe9w4S+:+R0pI/IQlUoMPdmpSpw4X

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5004	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKH\\devbodsys.exe"	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6X\\optidevec.exe"	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
5004	devbodsys.exe
5004	devbodsys.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 5004	3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe	87
PID 3592 wrote to memory of 5004	3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe	87
PID 3592 wrote to memory of 5004	3592	103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe	87

C:\Users\Admin\AppData\Local\Temp\103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe
"C:\Users\Admin\AppData\Local\Temp\103fb908433e953769b58e0f59b6353d5a5cd34542b89d273a1fc386c430415d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3592
- C:\IntelprocKH\devbodsys.exe
  C:\IntelprocKH\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocKH\devbodsys.exe

Filesize
2.7MB

MD5
03b5e0905c02b57504f002f8c9c59114

SHA1
3e5b729e1da92ae3bd1820bd4c51cf9ba96f243e

SHA256
735b70922acd33b42b7ea63e936aec0d4ab56e8c4648055fafc7b9cedbb950b7

SHA512
f1c44cddde7a43bb69ac6404b5ddba4f0842582fa394c0de474556d4c752b53f6fd2be76d3c7fec9a3f4fba7d9e9857cce156e863027872d5db85534d0d23a9f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
687f4160dc71742f3cd189496c69c860

SHA1
2b7947d2e38a273f4bbfb052553f822ff30401e0

SHA256
b522212d678209061b707aea8f3732390b92f97f018ed53e22ee9d4659a165b2

SHA512
cf4afd8c4101186f6e5d4f89931171179c91b69cbd78ad355d9bd39897334d3c47e5a9e276c77dcd723768e73a5f7efcd3a1808626ee0bb66606ab0c705ef3c2

Download Submit
C:\Vid6X\optidevec.exe

Filesize
2.7MB

MD5
a8556d6dbb187a9a10f184536937ed9a

SHA1
204714446e477d140c2136a562d82748638bfe43

SHA256
cf7778e31172140a711540d56145319e25bb1e104d7d79f7b0eb8ea0e616b5b7

SHA512
d4a9164559d5681b8675d5ce3cde809b8f574a2fe057a5b06ca42d4c8a4cb0181a464e1ea28ad606befff6120318137f2e4534834aa4d7f12c01a50249e5f44a

Download Submit