4fa67b74231f1e0e1d09d7e8c63d4332595effc2761b9779cb381b9769a48fed

General

Target

NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
Size

487KB
MD5

08abe5dca7bdaf7be5ee635b64a5e4d0
SHA1

4ad4be48e71788e4cb9aa781f1445116029fa8f0
SHA256

4fa67b74231f1e0e1d09d7e8c63d4332595effc2761b9779cb381b9769a48fed
SHA512

b2d9b4cd15ae41e73c91e72e5b1b745f41504235e3776cf362b4967799f9b5a4a86717b1aa6cee0666fb15acc9a01463719731a4fbf8d218e0df3a615825e300
SSDEEP

6144:dMeftb6+Imb285B+zv0AtfwN+IhMdrOVfnPUQDW0/tCB6tPCUBejJL0KiNeLbpca:Octbhb2IB+3tI+sOCtAUBULlTnpcaP

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe	SearchHelper.exe

Executes dropped EXE 4 IoCs

pid	Process
4984	SearchHelper.exe
3076	com3.exe
4844	SearchHelper.exe
4932	com3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2652	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
2652	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
4984	SearchHelper.exe
4984	SearchHelper.exe
3076	com3.exe
3076	com3.exe
2672	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
2672	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
4932	com3.exe
4932	com3.exe
4844	SearchHelper.exe
4844	SearchHelper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	SearchHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4984	SearchHelper.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4984	2652	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	87
PID 2652 wrote to memory of 4984	2652	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	87
PID 2652 wrote to memory of 4984	2652	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	87
PID 2652 wrote to memory of 3076	2652	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	89
PID 2652 wrote to memory of 3076	2652	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	89
PID 2652 wrote to memory of 3076	2652	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	89
PID 2652 wrote to memory of 2672	2652	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	92
PID 2652 wrote to memory of 2672	2652	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	92
PID 2652 wrote to memory of 2672	2652	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	92
PID 2672 wrote to memory of 4844	2672	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	95
PID 2672 wrote to memory of 4844	2672	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	95
PID 2672 wrote to memory of 4844	2672	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	95
PID 2672 wrote to memory of 4932	2672	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	96
PID 2672 wrote to memory of 4932	2672	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	96
PID 2672 wrote to memory of 4932	2672	NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4984
- C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
  "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Users\Admin\AppData\Local\Temp\NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.08abe5dca7bdaf7be5ee635b64a5e4d0_JC.exe" silent pause
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4844
- - C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
488KB

MD5
e4bb823703df7041b14b78f11a5aaa45

SHA1
96bd60943396d3e12dc171b211de1caf78f4df66

SHA256
7ea1e89af09c363495ac82df368e02a40ffa16d8e7463bea30fe905a7033cf68

SHA512
98517b4fb824a187ec617d9681404dad1240261d6950ff2712affb8a353d0fc81dbe545cc04262c5e3fbf8cb3e11070d344940754d8eb4727d77b4e4ddca738d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
488KB

MD5
e4bb823703df7041b14b78f11a5aaa45

SHA1
96bd60943396d3e12dc171b211de1caf78f4df66

SHA256
7ea1e89af09c363495ac82df368e02a40ffa16d8e7463bea30fe905a7033cf68

SHA512
98517b4fb824a187ec617d9681404dad1240261d6950ff2712affb8a353d0fc81dbe545cc04262c5e3fbf8cb3e11070d344940754d8eb4727d77b4e4ddca738d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
488KB

MD5
e4bb823703df7041b14b78f11a5aaa45

SHA1
96bd60943396d3e12dc171b211de1caf78f4df66

SHA256
7ea1e89af09c363495ac82df368e02a40ffa16d8e7463bea30fe905a7033cf68

SHA512
98517b4fb824a187ec617d9681404dad1240261d6950ff2712affb8a353d0fc81dbe545cc04262c5e3fbf8cb3e11070d344940754d8eb4727d77b4e4ddca738d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
488KB

MD5
c5b9cbcd8b75c2cc4db85d861352b949

SHA1
9c44e1418ec029674fb5dfb5bfc79164e563cec5

SHA256
a7a773297cd6b50f235545634063404304fa3a7bbb6eef6ee7e4a9f8d5544f97

SHA512
3aae57bf97df45fcce60dd0176659d5016f4f7c2cfc88a1fd9fb19e0a8819c573e604f3670563c2fd4b96e968464c48a76e96800404a7a84cacc168668a8d45a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
488KB

MD5
c5b9cbcd8b75c2cc4db85d861352b949

SHA1
9c44e1418ec029674fb5dfb5bfc79164e563cec5

SHA256
a7a773297cd6b50f235545634063404304fa3a7bbb6eef6ee7e4a9f8d5544f97

SHA512
3aae57bf97df45fcce60dd0176659d5016f4f7c2cfc88a1fd9fb19e0a8819c573e604f3670563c2fd4b96e968464c48a76e96800404a7a84cacc168668a8d45a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
488KB

MD5
c5b9cbcd8b75c2cc4db85d861352b949

SHA1
9c44e1418ec029674fb5dfb5bfc79164e563cec5

SHA256
a7a773297cd6b50f235545634063404304fa3a7bbb6eef6ee7e4a9f8d5544f97

SHA512
3aae57bf97df45fcce60dd0176659d5016f4f7c2cfc88a1fd9fb19e0a8819c573e604f3670563c2fd4b96e968464c48a76e96800404a7a84cacc168668a8d45a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat

Filesize
10B

MD5
686734eef20b7164ba1ff82eaa823183

SHA1
d06bbc1b88b84b1e7b788e49c961877862dfa557

SHA256
ac02fbe93ae8ba6ecb7eb553a152b8962a4c7eecf03828a4967ca13d5e75f040

SHA512
bdd981873f034bff1be819037eaa8680644c549dc2ad9ea66fee37ccb0d017b222059a7f78ddf61aa1be0e642b8655d4d90ec5feb23fe73393585ac0de0b7361

Download Submit
memory/2652-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2652-50-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2652-15-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2652-1-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/2672-73-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2672-51-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/3076-62-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3076-38-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/3076-36-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4844-93-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4844-67-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4932-70-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4932-69-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/4932-92-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4984-20-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/4984-48-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4984-18-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing