7d27f194b965426f9a013c8d508321ae6769d3d5d4cbb7279821a0bb2dca157e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63e108d0862cdbcb73c9f2051751d460_NEAS.exe
Size

4.1MB
MD5

63e108d0862cdbcb73c9f2051751d460
SHA1

88d1f13c81988e19fef21a4fb4b866c6d136904c
SHA256

7d27f194b965426f9a013c8d508321ae6769d3d5d4cbb7279821a0bb2dca157e
SHA512

144173c1eb0fe4ea6017ece816073a51d30abb5f0393f20a3aad15e96465a7b81564f9bfe47a02df3e5e233ce725a3845a22859e1730fa26e743d5fd02d6fa19
SSDEEP

98304:+R0pI/IQlUoMPdmpSpy4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmR5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1732	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesX9\\devdobloc.exe"	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintH1\\bodaec.exe"	63e108d0862cdbcb73c9f2051751d460_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe
1732	devdobloc.exe
1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1732	1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe	28
PID 1240 wrote to memory of 1732	1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe	28
PID 1240 wrote to memory of 1732	1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe	28
PID 1240 wrote to memory of 1732	1240	63e108d0862cdbcb73c9f2051751d460_NEAS.exe	28

C:\Users\Admin\AppData\Local\Temp\63e108d0862cdbcb73c9f2051751d460_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\63e108d0862cdbcb73c9f2051751d460_NEAS.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1240
- C:\FilesX9\devdobloc.exe
  C:\FilesX9\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintH1\bodaec.exe

Filesize
4.1MB

MD5
e82961ec12dba13e7299ed6e8213cd36

SHA1
dab5b0c5c5c6bb1b0cdd6cafaf8d7c9ee83a407f

SHA256
c59ab3a8d13d4efbb9b4b03db9f5e115825c8e116ab40a71aec5cb7b466dec10

SHA512
7617eab12b88cb39a31b74f1ea2e1a77886df4ce706aa0c6fb40c38154e0a9409f66380d8e5b57b875a6250abd6c6e2310fb4eeed2c06a57315e39cbf01f6123

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
fca125319ede6ec13331312f7dd55dcc

SHA1
fb54acde043c1c75660c1d907de18764e00f5564

SHA256
8c0ce321d01f9ba57e7ffee5bc5c813a90d7c7a164de1113ee673e0e891cd4da

SHA512
0358c24f8143425594e1f41382e78c99c6af3ac639585ecbd4ec6aa92c329e2edbca5f306b12b18f81ca34a06b1db0a0831a63af9a1a30e7840bf6884bf277bc

Download Submit
\FilesX9\devdobloc.exe

Filesize
4.1MB

MD5
eedaff5094d5be6d123d8cb50d79b2ad

SHA1
2cd5edc987e4df6a4afe89f3a50bc6de24069af2

SHA256
4c238a24b060700ab652460857731add23485d4d22fed1c577a06425d95eeb67

SHA512
026b4031dd9ce93ccf07076627202e2f03369f8906d917e6391e15b764f06ae79b8db225f639062fb2afb4d726fa1564d9e66c673b15981e653015a6fd414e46

Download Submit