321152eca4c3fac8830c42b70185ddf4c7d9102f44baa2db6738d71b23dfc3e8

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
Size

4.1MB
MD5

10e69ce0fc97f60789411b40dbb697f0
SHA1

3ad744f8c26594f0d73c4758d9a0735fb449f50a
SHA256

321152eca4c3fac8830c42b70185ddf4c7d9102f44baa2db6738d71b23dfc3e8
SHA512

10bc76832f97055e406a3c706c409e953d7f4c2059185068a08a62569f723b39752b121d52fdf46db1eda2077f17088ea516ed924f42828cc50f0b3c51f9fdee
SSDEEP

98304:+R0pI/IQlUoMPdmpSph4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdma5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2936	aoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVD\\aoptisys.exe"	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZRP\\dobdevsys.exe"	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
2936	aoptisys.exe
1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2936	1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe	28
PID 1460 wrote to memory of 2936	1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe	28
PID 1460 wrote to memory of 2936	1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe	28
PID 1460 wrote to memory of 2936	1460	10e69ce0fc97f60789411b40dbb697f0_NEAS.exe	28

C:\Users\Admin\AppData\Local\Temp\10e69ce0fc97f60789411b40dbb697f0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\10e69ce0fc97f60789411b40dbb697f0_NEAS.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460
- C:\FilesVD\aoptisys.exe
  C:\FilesVD\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZRP\dobdevsys.exe

Filesize
4.1MB

MD5
442bb2a8b9904c8c3c5bf5f6eaadd024

SHA1
1a28d27b5944a106c2908e8d4ff4da87eaf3cf46

SHA256
5337d7573590714f8bf024701ef5c118130221b3ec4272ab2432160e13204491

SHA512
61ec174b8758ef75dd73446818c2f3c2fa2a245d4d994aa8268f078e655412fa990fa85af388318384e9f1943e864364fdfdb81094da3399cfe4e97ba2f41ced

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
1b26ece461ad555192865254d236fc2f

SHA1
460b0451f67d63f052f27afd50c4df23814f34fc

SHA256
8a7bb532ff57e226a786bfbdf710d8f4089c21450ba4de4ffa765e8d343633b4

SHA512
fdaaa654035547503c6f80e6e97459f4e6cabddbe7dbc4356244c4ae647583a6f71ab03afa1abbf8c56084d1976e723a710003904171aa3df1073faf8e1fbfb8

Download Submit
\FilesVD\aoptisys.exe

Filesize
4.1MB

MD5
de2bc7af178f756082b169cdc6ebf1ff

SHA1
e1e067d486cd7e03ab28f5eaa94f9e2926b86ab2

SHA256
859ae0849a7bd3a27a90044be6e85fc6fcf9514cd561d9d81c89317c484fc5b5

SHA512
21af208e538d76f0c775244aa86fe431011b12e114f57b7d2690cb9c89ec8261a6f457f9f2b7e4e6775c24764a707082d8949fc7fba0afa65deca6da82cb538d

Download Submit