d5199a194fe63ca89767512fbf5b0543effd9e226b72db3f6aa573d7feaed7ee

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
Size

2.7MB
MD5

e8492f4b9a85cd18d2d15fe6191acb00
SHA1

9448a34ae14ce6c9556b06ad7892a6c03cb92344
SHA256

d5199a194fe63ca89767512fbf5b0543effd9e226b72db3f6aa573d7feaed7ee
SHA512

8348b1c21c01ab79d38a8ebfc3b8d7518d8e4fcc7c32f95104a6ed1f874e2b4d3c1bb85f552e977231694c248c739ada073114dd5bb92da8a4a8585d7b7f1020
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBz9w4Sx:+R0pI/IQlUoMPdmpSpr4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3164	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe3A\\devoptisys.exe"	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBAN\\bodxec.exe"	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
3164	devoptisys.exe
3164	devoptisys.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 3164	2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe	95
PID 2720 wrote to memory of 3164	2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe	95
PID 2720 wrote to memory of 3164	2720	e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe	95

C:\Users\Admin\AppData\Local\Temp\e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\e8492f4b9a85cd18d2d15fe6191acb00_NEAS.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Adobe3A\devoptisys.exe
  C:\Adobe3A\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe3A\devoptisys.exe

Filesize
2.7MB

MD5
ce554a1c9877fa832e6283934c36ff33

SHA1
170ab0d55712e647d9f3368e802a7886b771983e

SHA256
be99a77f43bb3fbfc83dfe4b9fd78f014968e1ab559f3c8d3de71c237a79bae2

SHA512
531a86bd50fd210b9525cde2a1dac2fc9bd71a6bcc4927ee4fdbac3fac62dd090a6a269b10cdf774e527328c358511fa52e10ed34c86ab65ff01183a4310cea1

Download Submit
C:\KaVBAN\bodxec.exe

Filesize
2.7MB

MD5
2495facd753ca02766c2ef03140a2b06

SHA1
28327647976f3c657a87ce3f2dace9ea1696f886

SHA256
4f818e23b082fcf225108d8af2d42c94461638483a75bfe3a662ca9ee5e1e8f5

SHA512
900701222888e52d05b593649902498264912a9da4d2d9be0dcfe3485a87e75e6c2dae70b1a05a773149092445f6ec4f77ad10d7d855a4000a7e26eee7ae1fc9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
e1cc0c8b5f641c39d46d736863149823

SHA1
1001a164bda9e6b31be14bee17085f11bc6c30ab

SHA256
1397c275608acf7b91ab8ca9fde1d40e88703bf7b815e431b0d3c0089a8e2a83

SHA512
558d76189905154f3f6e7b9dc7b1dc14dc8b77bc06dd6db0edb9417ab4842338656ad87fe841cd92801d47523a89c4c9d7e54255c85ee142213e55d691bc9b7d

Download Submit