e2330974fc94324d093c90479588370c92c8507ff92f20812695f6ec7f74cfd6

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
Size

4.1MB
MD5

3aca4bacfae2f60d69f29e4c5b89f7e0
SHA1

4fb315acc3e96e76a570588add6cbbaf287638c0
SHA256

e2330974fc94324d093c90479588370c92c8507ff92f20812695f6ec7f74cfd6
SHA512

77891ac1f4152a5f68004415b2d39556e6f590caf5d5831be0505001f1819b1d90b4a6decba24eb40b0ecb6f8cadfcfc8c6e46fe370ec52e985b10ed09b1b5fb
SSDEEP

98304:+R0pI/IQlUoMPdmpSpB4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmC5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2944	xdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQ1\\dobdevsys.exe"	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGE\\xdobec.exe"	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2944	xdobec.exe
1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2944	1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe	28
PID 1460 wrote to memory of 2944	1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe	28
PID 1460 wrote to memory of 2944	1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe	28
PID 1460 wrote to memory of 2944	1460	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe	28

C:\Users\Admin\AppData\Local\Temp\3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460
- C:\AdobeGE\xdobec.exe
  C:\AdobeGE\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZQ1\dobdevsys.exe

Filesize
4.1MB

MD5
e3c18e548d3774c6be1917f15fa96a0a

SHA1
801e16ceeab5c1efa02ef6fa2d83f99acf4cdcdd

SHA256
be4248174edea68925e6ae56d32fac1bc49ab474984db13b874b407b8b3e60e7

SHA512
ac63b8a1e8afea4e18f77d28c683d4e00b5b6146b73aa3ebae466388302aee2183cb9cf63a2ccde53c532c0571f2b6819c1585e88db195db12768c528b40060b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
0bc55695583b5a926afae74adb596331

SHA1
761bfb0a476d4ca1feb6fa0457ea735c832ca4db

SHA256
f184d33447f03a0bf135ed4dc30292e30e3be8610e9ed9989b121417b7178980

SHA512
58a9311bfb86ffc49f621068dd3739dce68debdd861bb1fc37b46f2f8ff500e5d9cbc9d14547209db4c1157cbbd8df1a4ff8488969bad50473112c897d4658c2

Download Submit
\AdobeGE\xdobec.exe

Filesize
4.1MB

MD5
9944097b656b3641d3cba5ca01be7dcc

SHA1
e960c79d396d5de6d6a78afcebda4624aa0da1bf

SHA256
d3a79f269f14a5c3b878c53c7ba16588b54986c595a758b71a7ee7a978383aaf

SHA512
77edc6e5a439cbd391e9f3f6fc85bf7f5fa2de75684e3a1d5a4a8f1598f740631c13b2f7b1b22690a1fe9fbc40b3042d95b970fdebc6a71d4025d740e3868bd7

Download Submit