e03b648982a7546e82f82a6aaaead0060c73bff7e2cec67afff436eb3779ee0d

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
Size

2.7MB
MD5

51b7f55c4015ac17fd17eeeca7952e80
SHA1

2e5af8978275f621842c2e2eb779382e592af982
SHA256

e03b648982a7546e82f82a6aaaead0060c73bff7e2cec67afff436eb3779ee0d
SHA512

c17da5e31fd1fa187eacd11a14a1244c9baefb4c2c16cf54285016478aabbe0c3bb8c41793fa133ac8462ea5fb80b8fece4c74b3560a0903a431e8081d4510e3
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBI9w4Sx:+R0pI/IQlUoMPdmpSpK4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2012	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGV\\xdobsys.exe"	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVQ\\bodaloc.exe"	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
2012	xdobsys.exe
2012	xdobsys.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 2012	4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe	90
PID 4556 wrote to memory of 2012	4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe	90
PID 4556 wrote to memory of 2012	4556	51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe	90

C:\Users\Admin\AppData\Local\Temp\51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\51b7f55c4015ac17fd17eeeca7952e80_NEAS.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4556
- C:\UserDotGV\xdobsys.exe
  C:\UserDotGV\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBVQ\bodaloc.exe

Filesize
2.7MB

MD5
60b300d113dca8601486f2b3f3c7cef7

SHA1
ae95d574c43fd4d6dba04f946f7b250488697155

SHA256
29bef7df04d8127bf122bd6cef4f9ab042194437814d8185770e4c2df3dbbf89

SHA512
740ead10834022c25f96d168ca66f8b03b7af23d80ced6f6a3d1a4250d646976d6fbe3a36d023671863be1d0a413caf059717bd395f5570e24045dae4420ef36

Download Submit
C:\UserDotGV\xdobsys.exe

Filesize
2.7MB

MD5
1deebe9c510c10de4d75a1a46e9fd54f

SHA1
fa94e671d66a616e935af7196a4737cf027a40a1

SHA256
62e8e99b537e59d62772a3434cb0f3043b4780825415d7e799da382d229f392a

SHA512
5a2d8a2347fbec06775a802c95d78110088fd724643df4c75787ae3585aa2b2bb7a9475acfc4cb2f71b3b086d718ecd21b57c955bf1222dfd7a8b429b9815db5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
1e6ba739eed2369119dfdb25c1bf5e2e

SHA1
7a61fce3cd16439c31273b99c32fbd6323e31cf3

SHA256
bc2740da4134aef9252d69074cc567c59c0248058f017e6ff082524ac44abeb3

SHA512
dfcfb2251db17735df8160409e92e86c038417b644ff6236d8fbbd61fe28629b43b90409d6f5bbbafbf2a42682ed69a7b052002cd7398d8df0034a5c69e6a4d9

Download Submit