d3b0283b3dd0d63e5f8b868e109e7b5edff560f520be63e89210f40504d53833

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
Size

4.1MB
MD5

aea2d56caa51aa5aeaf7407b90ac87f0
SHA1

05ed1b0408b359b4e266881b714e9000565954a2
SHA256

d3b0283b3dd0d63e5f8b868e109e7b5edff560f520be63e89210f40504d53833
SHA512

1a0387accef5bcbeec74e74b36cb861ae9d5bc0333b3684207d6b7064c066bb092dfa684d5a1d442cd870f748b3e771f40b2f0223dbb11d0948bbe9a2d5b2d2a
SSDEEP

98304:+R0pI/IQlUoMPdmpSpV4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm65n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2104	devbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9E\\devbodsys.exe"	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1I\\optixsys.exe"	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
2104	devbodsys.exe
2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2104	2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe	28
PID 2956 wrote to memory of 2104	2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe	28
PID 2956 wrote to memory of 2104	2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe	28
PID 2956 wrote to memory of 2104	2956	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956
- C:\SysDrv9E\devbodsys.exe
  C:\SysDrv9E\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax1I\optixsys.exe

Filesize
4.1MB

MD5
e5ce5d073512e7fecd366fe88cd224d4

SHA1
e042efc61c2cea0bd17185f7314fc496bbacb757

SHA256
2081dd0d015cf5e1e10bd7f534b083a500461aef5acf1884e054f6cd5c49bc84

SHA512
735eb0a2e59d1547552e04f575a045f275e3474eb8982397fe2198879367da2e4c3583ef8fa9a771a3b1f937ed2248d1bf415f45efc2e4e651f62f753a5c298c

Download Submit
C:\Galax1I\optixsys.exe

Filesize
4.1MB

MD5
e5ce5d073512e7fecd366fe88cd224d4

SHA1
e042efc61c2cea0bd17185f7314fc496bbacb757

SHA256
2081dd0d015cf5e1e10bd7f534b083a500461aef5acf1884e054f6cd5c49bc84

SHA512
735eb0a2e59d1547552e04f575a045f275e3474eb8982397fe2198879367da2e4c3583ef8fa9a771a3b1f937ed2248d1bf415f45efc2e4e651f62f753a5c298c

Download Submit
C:\SysDrv9E\devbodsys.exe

Filesize
4.1MB

MD5
a310091eb75342e088e8003173336324

SHA1
5877d3f5566e3ac73c0b8bd5e5fdadefdc905999

SHA256
f5ed5c0f92ce5367776f1ac16bc42dc6a60e29a0fc858c6f1a4683c7b19fed81

SHA512
fd9c809c7be71f16b502eb1ad8182cafce1efac12f5197fd847ce4dd260340f91ad14ee9223497f9f9f74edaf3c3beb897322f5b4e71c73a8c3241e9a856111f

Download Submit
C:\SysDrv9E\devbodsys.exe

Filesize
4.1MB

MD5
a310091eb75342e088e8003173336324

SHA1
5877d3f5566e3ac73c0b8bd5e5fdadefdc905999

SHA256
f5ed5c0f92ce5367776f1ac16bc42dc6a60e29a0fc858c6f1a4683c7b19fed81

SHA512
fd9c809c7be71f16b502eb1ad8182cafce1efac12f5197fd847ce4dd260340f91ad14ee9223497f9f9f74edaf3c3beb897322f5b4e71c73a8c3241e9a856111f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
2c98adf1b183c95a9d0063b3e3d6bafb

SHA1
21e47fe0a4744e3a4d1b0ce810691e02415985f9

SHA256
5d97f3c1928d3716df07b7b270dd903e06f24d836f2d5b27650f82dc61b95874

SHA512
f3e7e2ba8f70a18f1dca589cbcf9722bd2226bfe4c4e7215e22157c5c9a7e703b9455b02a406fc9130037d83904075000d7e864793c86b6550ce570281e40c65

Download Submit
\SysDrv9E\devbodsys.exe

Filesize
4.1MB

MD5
a310091eb75342e088e8003173336324

SHA1
5877d3f5566e3ac73c0b8bd5e5fdadefdc905999

SHA256
f5ed5c0f92ce5367776f1ac16bc42dc6a60e29a0fc858c6f1a4683c7b19fed81

SHA512
fd9c809c7be71f16b502eb1ad8182cafce1efac12f5197fd847ce4dd260340f91ad14ee9223497f9f9f74edaf3c3beb897322f5b4e71c73a8c3241e9a856111f

Download Submit