b7261550c5cd2e9818012d474474250172f6d5134cd57b6535dfe7505a13882e

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
Size

4.1MB
MD5

4ba9db4157d9ef487fe3986503a765a0
SHA1

827c4cf0aa0e53ade2d404f8c050262dd216e3e2
SHA256

b7261550c5cd2e9818012d474474250172f6d5134cd57b6535dfe7505a13882e
SHA512

91eaa6237c55da4f223df85291f6f4a286ee1ea4729b425040e570dbbbaf6dbd9050804dbc2612f447f1b7d8d9a45e17e7e3f2277da7e93a4b08d6430b538b57
SSDEEP

98304:+R0pI/IQlUoMPdmpSpk4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmf5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3840	abodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVW\\abodsys.exe"	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPF\\dobdevec.exe"	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
3840	abodsys.exe
3840	abodsys.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 3840	676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe	93
PID 676 wrote to memory of 3840	676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe	93
PID 676 wrote to memory of 3840	676	4ba9db4157d9ef487fe3986503a765a0_NEAS.exe	93

C:\Users\Admin\AppData\Local\Temp\4ba9db4157d9ef487fe3986503a765a0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\4ba9db4157d9ef487fe3986503a765a0_NEAS.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:676
- C:\FilesVW\abodsys.exe
  C:\FilesVW\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesVW\abodsys.exe

Filesize
4.1MB

MD5
b880443e220af97900e643119063adf5

SHA1
053299900b8862552037b5046b8b53f0fc74c80c

SHA256
5f58be4ff5687060db51f70af89ea89f45896fb4d12e58aad5802d9ee889eb89

SHA512
626eef3996094c01595258274d2ac2dca26862c1fb5526b13153a1197b472d5f6e4c72173c7c43b3c0eaa810bb0ff7dfe4d1208a7b9cbc1a634415f8ab598052

Download Submit
C:\LabZPF\dobdevec.exe

Filesize
4.1MB

MD5
f52ce7b0892bd37cf33238523b970c6a

SHA1
a72079c933329cec0b533c6806292363345abcad

SHA256
c870468b376cf42a16ec284f0233f8030995b9e7d3f68e012fa6cef1b8e7e743

SHA512
ccba82c3793786a88a79a1030b21966bcfd34d5be7f6d17e3c16483e86fd2bc9d7df6f232045e53280c4cf24df729c6b46cb4e038e39437d87a7d20f5c6dafa3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
1c3db5047bcf7e8ae18c626028d39052

SHA1
c2db602dbae59bddf093bbac45249a6671750058

SHA256
14b7661a890a6007722154dd3d2dd57559e1ffea22722cbe770b833a99aaeab9

SHA512
3d4a3c5c4dae4eb0374c38d39141f33844958c4e6dc882f6d4de0a0732e63ba5ad1910cd32b52e987651a538f41b2369a22c7e05f3a1b80c4742ca2b33459396

Download Submit