d3b0283b3dd0d63e5f8b868e109e7b5edff560f520be63e89210f40504d53833

Analysis

max time kernel
213s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2023 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
Size

4.1MB
MD5

aea2d56caa51aa5aeaf7407b90ac87f0
SHA1

05ed1b0408b359b4e266881b714e9000565954a2
SHA256

d3b0283b3dd0d63e5f8b868e109e7b5edff560f520be63e89210f40504d53833
SHA512

1a0387accef5bcbeec74e74b36cb861ae9d5bc0333b3684207d6b7064c066bb092dfa684d5a1d442cd870f748b3e771f40b2f0223dbb11d0948bbe9a2d5b2d2a
SSDEEP

98304:+R0pI/IQlUoMPdmpSpV4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm65n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4412	adobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesE9\\adobsys.exe"	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6Z\\optixec.exe"	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
4412	adobsys.exe
4412	adobsys.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 4412	3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe	83
PID 3408 wrote to memory of 4412	3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe	83
PID 3408 wrote to memory of 4412	3408	NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe	83

C:\Users\Admin\AppData\Local\Temp\NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.aea2d56caa51aa5aeaf7407b90ac87f0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3408
- C:\FilesE9\adobsys.exe
  C:\FilesE9\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesE9\adobsys.exe

Filesize
4.1MB

MD5
2377b94ffe44aa5408324320f56494a8

SHA1
cffa472b4677ea84969ca9ba40f84d95aa088aa2

SHA256
113a84f61faa1a9a397f04668903f629f92837ca1ede6a4f5b38dff72dea23c0

SHA512
f12e4bb59f168029bba62cca7be1c33fb54674552af37ab1ac2610209660e446532d62ec111533e6f7f56f030baa7bb73797ced05679cf1396ed26350f6d79e2

Download Submit
C:\FilesE9\adobsys.exe

Filesize
4.1MB

MD5
2377b94ffe44aa5408324320f56494a8

SHA1
cffa472b4677ea84969ca9ba40f84d95aa088aa2

SHA256
113a84f61faa1a9a397f04668903f629f92837ca1ede6a4f5b38dff72dea23c0

SHA512
f12e4bb59f168029bba62cca7be1c33fb54674552af37ab1ac2610209660e446532d62ec111533e6f7f56f030baa7bb73797ced05679cf1396ed26350f6d79e2

Download Submit
C:\LabZ6Z\optixec.exe

Filesize
4.1MB

MD5
e05938873faa96f2bea0d7f0d281f989

SHA1
e710353b549331954e9c25b9068590cf65e059c6

SHA256
0f0041b7166ee5db295442b018ca0b9b5f9dd68a09b0f41104b53f8e470f09b2

SHA512
061508fc6205531cbdff9a00a242ceb3d8aaeedd0ad1e76da4f34215cba4c617ad00441d79ce63aca9cdd1af18cec3a3c8455dd623dac932f163b0b26364057b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
136642c0fcb177cfad1d1d3e8aa02d1f

SHA1
192991282110c3841cfa780043db33956bb2416e

SHA256
4203e3e23c9687b12017dcf8b2548235aa527be8f4667403d795624ddfb5348f

SHA512
90396741c996e0872507efa28a14e8b10015bc2b55cb89d71e4519cbd531ff0de1dc23b024ebc9d5d5d7f129aee63492a44154d6218ecd12dc3112539d85309a

Download Submit