e463fb8cdc45089cd1a31d01f70a4f8ea835a0a3ca10071c29f116f3fb5b59b5

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eac17b17743a1e491d66d72e4a35150_NEAS.exe
Size

4.1MB
MD5

8eac17b17743a1e491d66d72e4a35150
SHA1

6feb1586f6da68ae2318494a7abbf893c9f41057
SHA256

e463fb8cdc45089cd1a31d01f70a4f8ea835a0a3ca10071c29f116f3fb5b59b5
SHA512

0b717f6f9d91f9e7e2a842a1296c3e3093ff01b94eb3c992c2ce1eddc3e042dba425261c4bd733778442d64381d663b199cb9405bec1f48806c9957c273ef9ec
SSDEEP

98304:+R0pI/IQlUoMPdmpSpi4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm55n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2780	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQ4\\devoptisys.exe"	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXH\\optialoc.exe"	8eac17b17743a1e491d66d72e4a35150_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
2780	devoptisys.exe
2780	devoptisys.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe
4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 2780	4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe	85
PID 4372 wrote to memory of 2780	4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe	85
PID 4372 wrote to memory of 2780	4372	8eac17b17743a1e491d66d72e4a35150_NEAS.exe	85

C:\Users\Admin\AppData\Local\Temp\8eac17b17743a1e491d66d72e4a35150_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\8eac17b17743a1e491d66d72e4a35150_NEAS.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4372
- C:\UserDotQ4\devoptisys.exe
  C:\UserDotQ4\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZXH\optialoc.exe

Filesize
20KB

MD5
ec02e1553906bcafe9527a5d2faccf08

SHA1
bba3f83fe2b48ed714339591b128319c3384c229

SHA256
143bf87d19a3f081ad4f58bef70f0b7016084523e127f51a4642813c48588590

SHA512
b67c92dba24c091b7a0b5a8053b07c47b85598b1660528d7f2d137379720a28e5f943ff454e943c8e6294efb5f1af2b2710f8a18f9811fbb2a7d1ae4e1ea7a59

Download Submit
C:\UserDotQ4\devoptisys.exe

Filesize
4.1MB

MD5
eb522430d99d2fdf35844036d8c532ae

SHA1
71e9e77a649f7dc482fe663d1473e885794ae384

SHA256
34ca46d23117e37463e564d83a679a049860be55d735762cc0ee71a6218bdcd4

SHA512
4ce282aa4a8d9d2fc341e60771dc0ad1084e4765edc8b58d8f2ef87de68fcfe6d0144bc7704957fd4ddffb8a73ac63d8d36b343e85efdc30486a9e6eea49284c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
b6c7eafc38601880c17b291e42587912

SHA1
5a4cb6457cb9e4375109915f1aaa007d185a58e2

SHA256
22a31f2da3d374c1d155c06a25775cb4886361ea5928f7e0571fe493740ce4e2

SHA512
06c9ff40e8976ca48972fc24849a35ff867c810f3ea19e9a534b5978f912716b87a57f0f26a62355778ee07b2dc31c73dbe84c1e9ff41042c20d0159bafd4be9

Download Submit