a1790f5638a1b69236e184a1edbd3703e3234a0d933e85f681c35df0e1e4ccbc

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
Size

2.7MB
MD5

8e4e7aee7656cada75436e6d2af4d820
SHA1

5281c3fbe362344fa2917069990dd616a876706d
SHA256

a1790f5638a1b69236e184a1edbd3703e3234a0d933e85f681c35df0e1e4ccbc
SHA512

09955bda9a8645e46aca415a924b9852f439bd920c441197447d04833ce35f91dc2379834400d7815adb6308e25a60393a5302e57b68bf01d01ecd582efc5558
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBb9w4Sx:+R0pI/IQlUoMPdmpSpn4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2904	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ60\\boddevloc.exe"	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot96\\devoptiec.exe"	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
2904	devoptiec.exe
1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2904	1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe	28
PID 1960 wrote to memory of 2904	1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe	28
PID 1960 wrote to memory of 2904	1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe	28
PID 1960 wrote to memory of 2904	1960	8e4e7aee7656cada75436e6d2af4d820_NEAS.exe	28

C:\Users\Admin\AppData\Local\Temp\8e4e7aee7656cada75436e6d2af4d820_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\8e4e7aee7656cada75436e6d2af4d820_NEAS.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960
- C:\UserDot96\devoptiec.exe
  C:\UserDot96\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ60\boddevloc.exe

Filesize
2.7MB

MD5
0111b8ed984c40dbbebf4494528d8c73

SHA1
ee2aa0caba03f69e82088523b46bf154abcc5daf

SHA256
bd2123f8c7ecab3d1f2fb133423d28ce9f242ee283f3f64bcd895064de318985

SHA512
5079d22dc63cb77cfcbbb879e1a3a985a828e5bbab0221c2c09137ef2ce0fc6e53aab616aaf44069910a512ffdee049bc2b145412627d34f405527fb902b820e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
92891a37b2da4acd62b4bbdc29a7ccc7

SHA1
473b6aa0ee685007c38649cca60ad23418f7157f

SHA256
5f69243f6259c605457ca91779226a5c4300cc5a71f5c8d04b3466c8c7bc7c58

SHA512
3a16f47970c5506fd61adf76789dd170a0f70b7973ce790c326457a3ee43605390abbf74447376ee0bd7afbcb3c5a5ad60d3b39d50f6adf5d740ba94a28f2156

Download Submit
\UserDot96\devoptiec.exe

Filesize
2.7MB

MD5
3976b89dc0403aaa6fddc5afa622324b

SHA1
a78056163eccfc045f77261c783ec189b257c12f

SHA256
723ef9000f0400a17e1da8cd54f5c233323fb9805668c75eb0629c1427651756

SHA512
859e75155b72c653fa31ba4770b9dd55976e82e8fa4f84a9aabe7a401d6147776c53995b6e3604242f2b64b1f72d21e13701ca897042d709976ba70a1bcba57e

Download Submit