4fa67b74231f1e0e1d09d7e8c63d4332595effc2761b9779cb381b9769a48fed

Analysis

max time kernel
151s
max time network
136s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
Size

487KB
MD5

08abe5dca7bdaf7be5ee635b64a5e4d0
SHA1

4ad4be48e71788e4cb9aa781f1445116029fa8f0
SHA256

4fa67b74231f1e0e1d09d7e8c63d4332595effc2761b9779cb381b9769a48fed
SHA512

b2d9b4cd15ae41e73c91e72e5b1b745f41504235e3776cf362b4967799f9b5a4a86717b1aa6cee0666fb15acc9a01463719731a4fbf8d218e0df3a615825e300
SSDEEP

6144:dMeftb6+Imb285B+zv0AtfwN+IhMdrOVfnPUQDW0/tCB6tPCUBejJL0KiNeLbpca:Octbhb2IB+3tI+sOCtAUBULlTnpcaP

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe	SearchHelper.exe

Executes dropped EXE 4 IoCs

pid	Process
2064	SearchHelper.exe
2580	com3.exe
2900	SearchHelper.exe
2408	com3.exe

Loads dropped DLL 7 IoCs

pid	Process
1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
2432	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
2432	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
2432	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
2064	SearchHelper.exe
2580	com3.exe
2432	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
2900	SearchHelper.exe
2408	com3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	SearchHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2064	SearchHelper.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2064	1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	28
PID 1100 wrote to memory of 2064	1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	28
PID 1100 wrote to memory of 2064	1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	28
PID 1100 wrote to memory of 2064	1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	28
PID 1100 wrote to memory of 2580	1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	30
PID 1100 wrote to memory of 2580	1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	30
PID 1100 wrote to memory of 2580	1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	30
PID 1100 wrote to memory of 2580	1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	30
PID 1100 wrote to memory of 2432	1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	32
PID 1100 wrote to memory of 2432	1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	32
PID 1100 wrote to memory of 2432	1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	32
PID 1100 wrote to memory of 2432	1100	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	32
PID 2432 wrote to memory of 2900	2432	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	33
PID 2432 wrote to memory of 2900	2432	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	33
PID 2432 wrote to memory of 2900	2432	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	33
PID 2432 wrote to memory of 2900	2432	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	33
PID 2432 wrote to memory of 2408	2432	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	34
PID 2432 wrote to memory of 2408	2432	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	34
PID 2432 wrote to memory of 2408	2432	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	34
PID 2432 wrote to memory of 2408	2432	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	34

C:\Users\Admin\AppData\Local\Temp\NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2064
- C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
  "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe" silent pause
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2900
- - C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
488KB

MD5
0a090cafa5a1c6a4cf766691f418cf27

SHA1
6ccf97499447bade867a834fcb4ae6c88216eea8

SHA256
852bbcb530d3b9909c7a56c002e6f4ecf0b3e90723c244d608c40e57efc998ab

SHA512
014054c6df4f091aa9db48a9e1383d8f8d573745fdc73e6478d5d887a74b7432391679bb2c985e281d03690ab2b1cfe9a10859e6124cbdeceda3134ca59b5084

Download Submit
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
488KB

MD5
0a090cafa5a1c6a4cf766691f418cf27

SHA1
6ccf97499447bade867a834fcb4ae6c88216eea8

SHA256
852bbcb530d3b9909c7a56c002e6f4ecf0b3e90723c244d608c40e57efc998ab

SHA512
014054c6df4f091aa9db48a9e1383d8f8d573745fdc73e6478d5d887a74b7432391679bb2c985e281d03690ab2b1cfe9a10859e6124cbdeceda3134ca59b5084

Download Submit
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
488KB

MD5
0a090cafa5a1c6a4cf766691f418cf27

SHA1
6ccf97499447bade867a834fcb4ae6c88216eea8

SHA256
852bbcb530d3b9909c7a56c002e6f4ecf0b3e90723c244d608c40e57efc998ab

SHA512
014054c6df4f091aa9db48a9e1383d8f8d573745fdc73e6478d5d887a74b7432391679bb2c985e281d03690ab2b1cfe9a10859e6124cbdeceda3134ca59b5084

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
488KB

MD5
29e1fa5653189a98db1de64b4930fe5f

SHA1
a5274041fff080886e4894597835497322836019

SHA256
64a5ec5943eb054a7c83bb695c1510c071d46110cd3c19ce7193119c3885dad1

SHA512
59fdbd3fe1f7cbb463cd452378d0260823a9cd9e19efdc3afda1bd28ecafadf999f2ad703fdc37b0303af1f626da4e1deebd13042d6d28324786233c153076fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
488KB

MD5
29e1fa5653189a98db1de64b4930fe5f

SHA1
a5274041fff080886e4894597835497322836019

SHA256
64a5ec5943eb054a7c83bb695c1510c071d46110cd3c19ce7193119c3885dad1

SHA512
59fdbd3fe1f7cbb463cd452378d0260823a9cd9e19efdc3afda1bd28ecafadf999f2ad703fdc37b0303af1f626da4e1deebd13042d6d28324786233c153076fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
488KB

MD5
29e1fa5653189a98db1de64b4930fe5f

SHA1
a5274041fff080886e4894597835497322836019

SHA256
64a5ec5943eb054a7c83bb695c1510c071d46110cd3c19ce7193119c3885dad1

SHA512
59fdbd3fe1f7cbb463cd452378d0260823a9cd9e19efdc3afda1bd28ecafadf999f2ad703fdc37b0303af1f626da4e1deebd13042d6d28324786233c153076fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
488KB

MD5
29e1fa5653189a98db1de64b4930fe5f

SHA1
a5274041fff080886e4894597835497322836019

SHA256
64a5ec5943eb054a7c83bb695c1510c071d46110cd3c19ce7193119c3885dad1

SHA512
59fdbd3fe1f7cbb463cd452378d0260823a9cd9e19efdc3afda1bd28ecafadf999f2ad703fdc37b0303af1f626da4e1deebd13042d6d28324786233c153076fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat

Filesize
10B

MD5
265e9e5b067547003933ad00bc8f823e

SHA1
2a6e2a0eca7314ecd59d8bd0bbfed1045108f430

SHA256
9021113ac7bb0db631413353db75918b6c359d0f108d6c959f50ef02543a6025

SHA512
18978d5d1090e30162f7411baf970120bd6eef223ba7557022c84041e15bcec61a5ec2d01ce26970e27226fc6aaaf0bb222480f2c25589982ba79405ddce93ad

Download Submit
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
488KB

MD5
0a090cafa5a1c6a4cf766691f418cf27

SHA1
6ccf97499447bade867a834fcb4ae6c88216eea8

SHA256
852bbcb530d3b9909c7a56c002e6f4ecf0b3e90723c244d608c40e57efc998ab

SHA512
014054c6df4f091aa9db48a9e1383d8f8d573745fdc73e6478d5d887a74b7432391679bb2c985e281d03690ab2b1cfe9a10859e6124cbdeceda3134ca59b5084

Download Submit
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
488KB

MD5
0a090cafa5a1c6a4cf766691f418cf27

SHA1
6ccf97499447bade867a834fcb4ae6c88216eea8

SHA256
852bbcb530d3b9909c7a56c002e6f4ecf0b3e90723c244d608c40e57efc998ab

SHA512
014054c6df4f091aa9db48a9e1383d8f8d573745fdc73e6478d5d887a74b7432391679bb2c985e281d03690ab2b1cfe9a10859e6124cbdeceda3134ca59b5084

Download Submit
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
488KB

MD5
0a090cafa5a1c6a4cf766691f418cf27

SHA1
6ccf97499447bade867a834fcb4ae6c88216eea8

SHA256
852bbcb530d3b9909c7a56c002e6f4ecf0b3e90723c244d608c40e57efc998ab

SHA512
014054c6df4f091aa9db48a9e1383d8f8d573745fdc73e6478d5d887a74b7432391679bb2c985e281d03690ab2b1cfe9a10859e6124cbdeceda3134ca59b5084

Download Submit
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
488KB

MD5
0a090cafa5a1c6a4cf766691f418cf27

SHA1
6ccf97499447bade867a834fcb4ae6c88216eea8

SHA256
852bbcb530d3b9909c7a56c002e6f4ecf0b3e90723c244d608c40e57efc998ab

SHA512
014054c6df4f091aa9db48a9e1383d8f8d573745fdc73e6478d5d887a74b7432391679bb2c985e281d03690ab2b1cfe9a10859e6124cbdeceda3134ca59b5084

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
488KB

MD5
29e1fa5653189a98db1de64b4930fe5f

SHA1
a5274041fff080886e4894597835497322836019

SHA256
64a5ec5943eb054a7c83bb695c1510c071d46110cd3c19ce7193119c3885dad1

SHA512
59fdbd3fe1f7cbb463cd452378d0260823a9cd9e19efdc3afda1bd28ecafadf999f2ad703fdc37b0303af1f626da4e1deebd13042d6d28324786233c153076fa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
488KB

MD5
29e1fa5653189a98db1de64b4930fe5f

SHA1
a5274041fff080886e4894597835497322836019

SHA256
64a5ec5943eb054a7c83bb695c1510c071d46110cd3c19ce7193119c3885dad1

SHA512
59fdbd3fe1f7cbb463cd452378d0260823a9cd9e19efdc3afda1bd28ecafadf999f2ad703fdc37b0303af1f626da4e1deebd13042d6d28324786233c153076fa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
488KB

MD5
29e1fa5653189a98db1de64b4930fe5f

SHA1
a5274041fff080886e4894597835497322836019

SHA256
64a5ec5943eb054a7c83bb695c1510c071d46110cd3c19ce7193119c3885dad1

SHA512
59fdbd3fe1f7cbb463cd452378d0260823a9cd9e19efdc3afda1bd28ecafadf999f2ad703fdc37b0303af1f626da4e1deebd13042d6d28324786233c153076fa

Download Submit
memory/1100-60-0x00000000006E0000-0x0000000000749000-memory.dmp

Filesize
420KB

Download
memory/1100-41-0x00000000006E0000-0x0000000000749000-memory.dmp

Filesize
420KB

Download
memory/1100-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1100-62-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1100-1-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/1100-38-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1100-23-0x00000000006E0000-0x0000000000749000-memory.dmp

Filesize
420KB

Download
memory/1100-16-0x00000000006E0000-0x0000000000749000-memory.dmp

Filesize
420KB

Download
memory/2064-61-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2064-22-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2408-92-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2408-110-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2432-63-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2432-86-0x0000000002000000-0x0000000002069000-memory.dmp

Filesize
420KB

Download
memory/2432-82-0x0000000002000000-0x0000000002069000-memory.dmp

Filesize
420KB

Download
memory/2432-84-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2432-116-0x0000000002000000-0x0000000002069000-memory.dmp

Filesize
420KB

Download
memory/2432-117-0x0000000002000000-0x0000000002069000-memory.dmp

Filesize
420KB

Download
memory/2432-118-0x0000000002000000-0x0000000002069000-memory.dmp

Filesize
420KB

Download
memory/2580-75-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2580-48-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2900-89-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2900-111-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download