e2330974fc94324d093c90479588370c92c8507ff92f20812695f6ec7f74cfd6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
Size

4.1MB
MD5

3aca4bacfae2f60d69f29e4c5b89f7e0
SHA1

4fb315acc3e96e76a570588add6cbbaf287638c0
SHA256

e2330974fc94324d093c90479588370c92c8507ff92f20812695f6ec7f74cfd6
SHA512

77891ac1f4152a5f68004415b2d39556e6f590caf5d5831be0505001f1819b1d90b4a6decba24eb40b0ecb6f8cadfcfc8c6e46fe370ec52e985b10ed09b1b5fb
SSDEEP

98304:+R0pI/IQlUoMPdmpSpB4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmC5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2932	xdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot78\\xdobloc.exe"	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid02\\bodaloc.exe"	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2932	xdobloc.exe
2932	xdobloc.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2932	2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe	95
PID 2220 wrote to memory of 2932	2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe	95
PID 2220 wrote to memory of 2932	2220	3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe	95

C:\Users\Admin\AppData\Local\Temp\3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\3aca4bacfae2f60d69f29e4c5b89f7e0_NEAS.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220
- C:\UserDot78\xdobloc.exe
  C:\UserDot78\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot78\xdobloc.exe

Filesize
4.1MB

MD5
0e6f2c1e3b90145dd1cb73fb29ef3032

SHA1
12e4b9ddbafedece6dabebd9138595e475b446f7

SHA256
980c1a41c044d2a31ad31798e76b2523148ba18cd12f315c24a9a5056ecfe470

SHA512
0156c13b874dfe59c423bbe405db731d233b7799f5b2b5ab8277522af4bfda30683662f1b6f77af3b827eb111d66e1051227713fb11a6497788ff3d3f63d26b5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
d391bad1706ac98594c717b4502884c2

SHA1
38d4ad59deaf837a660024c23aabb7a9b0060249

SHA256
17f23f0efef9e8a112c49b2ba14945227a98a08feb70ac984580f127333aeb18

SHA512
aaddb2205d8ebd452430aeda18cd3bf3d0edcfb3a2d6ad7d87786fade0e7b9cf3e7b3931e4b8df9627f5ef1ee3597ffdf1990facf28515de71181d2ab7882dfe

Download Submit
C:\Vid02\bodaloc.exe

Filesize
150KB

MD5
8cb0495469f12701bb0c72e638c5161a

SHA1
6a36375d69c558709edeb5ea0b82881e3e6f5d49

SHA256
ea2b2b99fd5ea37d3369dd34b156b87b7fc623d3af3b8781dcbe3a3abc8d44cd

SHA512
9663f62a56209b3de6b98ca0554b977b409f3a7df5c3e7a90538ac01b864217d8a25d1de1e8cd1d38073bb245f090cb2fe87199320784bab40297f95a2630a85

Download Submit