b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 02:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
Size

2.7MB
MD5

cd0ca0638c55733ab66d7ab1769fa3a1
SHA1

ad726ce6bcb025a7ed4d1b38f7fdc3a8bc34f40b
SHA256

b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964
SHA512

ae4861d6a724a99cabb1876c4ddc7fb07d59e702cc3a697ecf82a3872bdcbaa84d397bef352039f990a6604acb43fca0194b50468730d137c49a72b152883013
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB19w4Sx:+R0pI/IQlUoMPdmpSpl4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2220	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxK6\\optidevloc.exe"	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotB6\\devbodec.exe"	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
2220	devbodec.exe
2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2220	2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe	31
PID 2284 wrote to memory of 2220	2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe	31
PID 2284 wrote to memory of 2220	2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe	31
PID 2284 wrote to memory of 2220	2284	b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe	31

C:\Users\Admin\AppData\Local\Temp\b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe
"C:\Users\Admin\AppData\Local\Temp\b830ee43dcbaac6d8ecc9ccde3bcfb84ff9cbb6c7f9bd8dd8ae3b6ba465cb964.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284
- C:\UserDotB6\devbodec.exe
  C:\UserDotB6\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxK6\optidevloc.exe

Filesize
2.7MB

MD5
5d6a1bd6277cbdf2e1323a541e8a36a6

SHA1
eaef8d5b3fd5e6978c57e0b31703de1440b971cf

SHA256
0f96d05f933586515c05910f4284d88a00422868827074add0432005f17f52be

SHA512
2fcf5d0cb65e8434eb3eca5535858d3e821256785a0696624b98e089b5c8618118e974813d3d5239d5d1907a5fc5300d56e6bdba0ab8bfc39fd76333a8146041

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
743490ac88a81ea310f0f4c309d491da

SHA1
a05f2586295285ab5ea02c0ae89909eb51f7c46c

SHA256
88d22f245c155644812deacd7b0a3c7846c887555f78f3cc986b224aae793073

SHA512
1e693599d9c1757209de69d94c2e90eaea85f367ef3707bc78ab619dbd39571bd079b675dd2ee20819d744a256d5cdc8f0b83393c8782763a776690ca5169665

Download Submit
\UserDotB6\devbodec.exe

Filesize
2.7MB

MD5
a8d9bbdeee68165303839ab4e008de4e

SHA1
6557b202a236f8f483c643e71e2eb82089f6af79

SHA256
d8dcb599dfbcec9ffd37795f57c76bdfefb88315300396d185590dfcb4fe0236

SHA512
829fc7eb96da229450698c348b5919ecdd55eece7ab67fe17786d87a566221836c03ec0d72aea279ecf912967897bb9b73189ebaee4c6dd1194552248a35caad

Download Submit