757cf80aad63352123a7210a4d8bab08716efd19b06f4fb65c595532e387a72c

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
Size

4.1MB
MD5

ed8d850cb5ceb21698781bdba05049c0
SHA1

7b293306394e4f8cd7513b46fd093ec3785a54ae
SHA256

757cf80aad63352123a7210a4d8bab08716efd19b06f4fb65c595532e387a72c
SHA512

2dfda056dcbac6546fb2447fd4c6c6b84e29d07d61b392b58e5947fe239ecebfa36b02bb54fad3604ca4986766a3515a763098a987576591a48f7e8c4c2942cb
SSDEEP

98304:+R0pI/IQlUoMPdmpSp54ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdma5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3516	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXW\\xdobsys.exe"	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8L\\boddevsys.exe"	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
3516	xdobsys.exe
3516	xdobsys.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 3516	1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe	91
PID 1340 wrote to memory of 3516	1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe	91
PID 1340 wrote to memory of 3516	1340	ed8d850cb5ceb21698781bdba05049c0_NEAS.exe	91

C:\Users\Admin\AppData\Local\Temp\ed8d850cb5ceb21698781bdba05049c0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\ed8d850cb5ceb21698781bdba05049c0_NEAS.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1340
- C:\SysDrvXW\xdobsys.exe
  C:\SysDrvXW\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB8L\boddevsys.exe

Filesize
4.1MB

MD5
f93a9eea0064e5af6bc80f47e36dad54

SHA1
ef82a017984925caaa0c1df9de81d806f6716ef8

SHA256
ad5198c2ad0127a8cc3966648aef224778414337d8b4a9e3b73b94b9e4bdf880

SHA512
756cb8b5e58780667c6fd012fe492fd042969c05a9e596e407e107f969dd2993ab461f9da0a8ff7cf0d9e5c4bbd43b8483018271a4ea8188db08239216d13caa

Download Submit
C:\SysDrvXW\xdobsys.exe

Filesize
4.1MB

MD5
6d3e5f6eb09e9969b4089b44c5534fd3

SHA1
e1db9b03c818a587a1dcf0123b07e274d08dc476

SHA256
0510a2144ef18fc0a73aa3b102a7a4d91b9ccf05feb69b3466bca8acc98eacae

SHA512
a2cca83cf1b895fa96564ceb995a4fd5f0677ed4164dfd4d0c0ba98c345d2f9f56ba2bbda1b9e3d1edec452a7f26dbe267c20e998f4b0bf3ce0b9912f516b0bc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
3592f3b269411a4a08a3304fdd7010cf

SHA1
3ff8800cbb14b0b32654b9999b105fdfe149d860

SHA256
172be73c2e4f593b29cf1c30afd1bf0ee883fb37d214b39127d572c567b0b53d

SHA512
1a38c82e5ff706e8401fae0eeedf8d809320b2d68cdd6ad2bd00d9df6f9b7731e633d0099727c9f6e98bce83a12eb93f1b0c589a858cf66e8f121f86505cb070

Download Submit