96d626714b756098ab2def3ef568b1d0956fb22249591f0fdf5d6fae5ce6c5d7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48c3d091f51da30601244ca44a51b6a0_NEAS.exe
Size

2.7MB
MD5

48c3d091f51da30601244ca44a51b6a0
SHA1

5a670351d7479c50a13837043757e96aca6d40d4
SHA256

96d626714b756098ab2def3ef568b1d0956fb22249591f0fdf5d6fae5ce6c5d7
SHA512

885028b6bc5e94e18502e2c61dcc9f52dfdf0ed1a40df9fc7b952aa8136ad19eabfddc313dac479aa56976ffd204eaeaf0487ba7491ea5611e9b41db3b25e610
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBH9w4Sx:+R0pI/IQlUoMPdmpSpP4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2332	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVP\\devbodec.exe"	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8N\\boddevec.exe"	48c3d091f51da30601244ca44a51b6a0_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
2332	devbodec.exe
2332	devbodec.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe
3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 2332	3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe	90
PID 3720 wrote to memory of 2332	3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe	90
PID 3720 wrote to memory of 2332	3720	48c3d091f51da30601244ca44a51b6a0_NEAS.exe	90

C:\Users\Admin\AppData\Local\Temp\48c3d091f51da30601244ca44a51b6a0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\48c3d091f51da30601244ca44a51b6a0_NEAS.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3720
- C:\FilesVP\devbodec.exe
  C:\FilesVP\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesVP\devbodec.exe

Filesize
2.7MB

MD5
3fd1f67163ef8fe507a917159045c16b

SHA1
6c1fe693b0cfc9d7eef4778da711213beae26b91

SHA256
c937751ae84ded3ff7986325eb38f622a254cd263b6590341dad701f96bf8c09

SHA512
57921376c7e0913ec62771bb3a037d1b9d8ebc6c4dae24b7ff4ba26e5b3a674842cbc02a0bf19604a1efedaa404481c8d4628d269a9a40ea7593e40c5135fe83

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
8a7c4ad3fbff7a975d332a8074bb1b1e

SHA1
cd31596c293b7bcd08b2c96cc6cfd57ad12c8489

SHA256
c4b7911a8613fe26fa2d3ee2a35d819315f36b624142661d95b4a975c2a8c7f1

SHA512
fa344d70a461b08da993e037fe8d396af5737a20efee195bcf04cae26f1950f3b54af6bf1cb3c3ad00e869035a1922c0a5a0f7e2507f3cfdd23b548a39675515

Download Submit
C:\Vid8N\boddevec.exe

Filesize
2.7MB

MD5
02b4ad75913f60273f23a0d73bd45761

SHA1
2146498577f9b98a209830f50d2503f7fd186b6d

SHA256
350cf0a2389d34e371a06d5818e2101fadad279f2bf7b0715635618be77627a3

SHA512
8a3465efee81ccd5e3bb73eaf7008e3ee9e872b781f8c1b05f9eab1e71cfa7b49ba0bec19d95e432d7c6e9b051cd128a49c688a6f142bc1a0c85249f7b62ce9d

Download Submit