48f17bd3175abc803c7b718ca786f14be60e612a860d7561b67845e08f48f01d

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a77887d32d6d84032c5200e667cb05d8.exe
Size

752KB
MD5

a77887d32d6d84032c5200e667cb05d8
SHA1

6595d8aa9829d772135540ca08aba7703da61f83
SHA256

48f17bd3175abc803c7b718ca786f14be60e612a860d7561b67845e08f48f01d
SHA512

c1ae5c0a5c5d46cc3566db0c8f817ba35a232c6612220ce6f4481e7f0c4feec1ea2e7b7f8a2a51bd3df63cfbb23026efdf3edcfc8f5518b37c5ec2a3ccb496b7
SSDEEP

12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0FoWxJpcEi0/3IWV//7cSdUwYXLGKRSHc:71/aGLDCM4D8ayGMZo8/oTtWq

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1392	kdoyx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\kdoyx.exe"	kdoyx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1392	1776	NEAS.a77887d32d6d84032c5200e667cb05d8.exe	91
PID 1776 wrote to memory of 1392	1776	NEAS.a77887d32d6d84032c5200e667cb05d8.exe	91
PID 1776 wrote to memory of 1392	1776	NEAS.a77887d32d6d84032c5200e667cb05d8.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.a77887d32d6d84032c5200e667cb05d8.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a77887d32d6d84032c5200e667cb05d8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\ProgramData\kdoyx.exe
  "C:\ProgramData\kdoyx.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DumpStack.log.tmp .exe

Filesize
752KB

MD5
6f7cc80ae39c25f09600e195d7a7bfa8

SHA1
32fc8cc323b4b2c42893c63561f30e088d870b8a

SHA256
a139a3601f7c799986b3aec7e4c914c7e0d9e353b3521c22334af816006ae549

SHA512
dea850ba5531225c5843755353469e5a8d07c04635e1ea2f88b3b5c2d7ee456e59481e62b9a9b87400cd5eb99c821883bc90afe9bd6ace43140efe5a29d79a46

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
71e38cb8371fa644436922e0eee6040d

SHA1
6e9e897cb95fd8434891e87a584f5f1b9482cae2

SHA256
2c97f31658ca63791439d384a5c4488bdca89adac6c363c2cc97e5763af30db4

SHA512
852954de6ce9732c6533d475ebd22f308c5659690d5197dd5865cde0ef740b40f380035baf8d9e6e38dc0541b5f16ffb01ea1560cbb89528ec4b2214c7fcc3be

Download Submit
C:\ProgramData\kdoyx.exe

Filesize
274KB

MD5
4579d03f6eab08d14513e038ee93f9ea

SHA1
2215e872d57cfc73dc2705ddd75136c83043263b

SHA256
2b9247623b4f6168942eb2b50ee3d5e519ed8621a195a94ab2cea80a389a8e90

SHA512
0ddc2aee45a0ae204d582449bb875c62acf142a1ffd4767422241cfc90c2713d6a772b7ec8b09e3c40ad64dd7c5b48ad472702bb277ee25ac5374f0dd17bef18

Download Submit
C:\ProgramData\kdoyx.exe

Filesize
274KB

MD5
4579d03f6eab08d14513e038ee93f9ea

SHA1
2215e872d57cfc73dc2705ddd75136c83043263b

SHA256
2b9247623b4f6168942eb2b50ee3d5e519ed8621a195a94ab2cea80a389a8e90

SHA512
0ddc2aee45a0ae204d582449bb875c62acf142a1ffd4767422241cfc90c2713d6a772b7ec8b09e3c40ad64dd7c5b48ad472702bb277ee25ac5374f0dd17bef18

Download Submit
memory/1392-69-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1392-162-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1392-419-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1776-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1776-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1776-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads