757cf80aad63352123a7210a4d8bab08716efd19b06f4fb65c595532e387a72c

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
Size

4.1MB
MD5

ed8d850cb5ceb21698781bdba05049c0
SHA1

7b293306394e4f8cd7513b46fd093ec3785a54ae
SHA256

757cf80aad63352123a7210a4d8bab08716efd19b06f4fb65c595532e387a72c
SHA512

2dfda056dcbac6546fb2447fd4c6c6b84e29d07d61b392b58e5947fe239ecebfa36b02bb54fad3604ca4986766a3515a763098a987576591a48f7e8c4c2942cb
SSDEEP

98304:+R0pI/IQlUoMPdmpSp54ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdma5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2108	devbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7V\\devbodsys.exe"	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBY1\\optiasys.exe"	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
2108	devbodsys.exe
2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2108	2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe	28
PID 2872 wrote to memory of 2108	2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe	28
PID 2872 wrote to memory of 2108	2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe	28
PID 2872 wrote to memory of 2108	2872	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe	28

C:\Users\Admin\AppData\Local\Temp\ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\ed8d850cb5ceb21698781bdba05049c0_NEAS.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Files7V\devbodsys.exe
  C:\Files7V\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBY1\optiasys.exe

Filesize
4.1MB

MD5
778e9e1c9797ee755943ce8e42414482

SHA1
d7c4980322e3aa5a94b12ddb74b50a6fdeae4e4a

SHA256
49f15d83e9d0fdb1ac8eff5b8cad01a7bfd04c5f08a530afcd82e465087d81a1

SHA512
c7913b55c0e968a1366da79f239c4fefdf84750ebdd58bc86901e7e9f1b11810f1e7fc090b66ab52fb7a5974f67834d0bd549c10205f51bc0401b345844a21a8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
b21821c4fb941cc73616ffba5d994f6f

SHA1
35997ab1b3a9c879909dda3025757a9aad6dcd82

SHA256
a23266c6e32fee46da18178663f3a642400be3b429992e139ee8a1ca83c1fd0a

SHA512
788ad8c8bb5e9264f67527bca896734df1fb8cc1e4881e66003c33285379edee1f417bbd63e55a8392471fe12ccba19d7b86bfdf180cbd58abf808a6977968cd

Download Submit
\Files7V\devbodsys.exe

Filesize
4.1MB

MD5
e3f3032d66df2bef42ab328e3b29fdb4

SHA1
23cdc1e493a8bb98b97138bf72f40c5a9f3e27fc

SHA256
8fb1a835e8e615b379c2fc6651594a8d5ec4a551aaec8a3732e678ca5faf65cf

SHA512
f334db97394f37402881cd67862d9751723e51329a355fe051de105314b75aee2a6e4438509a22f5281d623539f796ae2c593ee842536aff3e31ed9493db2254

Download Submit