15ec51a20c1128917780b603dbcc5de3e1553a096c0ba3868a45d19030bd9bb6

Analysis

max time kernel
144s
max time network
155s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
Size

293KB
MD5

28557efe9569df01cdc32c9996ab9fd0
SHA1

a69785dee80e93459a1796f4bc3263595e9f12ae
SHA256

15ec51a20c1128917780b603dbcc5de3e1553a096c0ba3868a45d19030bd9bb6
SHA512

bd28467a0d16625088484e14e396fe43647df210101bf9c55766c2f5af5214726a4759d0c7bd6072e92ac25c87552310f40504997cea4beaed906246b4833fde
SSDEEP

3072:QoW4d9Io7Zf/cc6mcUKmXFessLRp3Bok8kukm4gT/15/eL/D734aobRKlM+:QSdZ50KNevRbo7/7D834aobRKlv

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Shohdi.hdi	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	C:\Windows\SysWOW64\Shohdi.hdi	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\Program Files\Java\jre7\bin\javacpl.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\ssvagent.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\misc.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\javaws.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\Mahjong.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files\VideoLAN\VLC\vlc.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files\Mozilla Firefox\firefox.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\WORDICON.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\Chess.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\SETLANG.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jmc.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files\VideoLAN\VLC\uninstall.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\javacpl.sho	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2212	NEAS.28557efe9569df01cdc32c9996ab9fd0.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.28557efe9569df01cdc32c9996ab9fd0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.28557efe9569df01cdc32c9996ab9fd0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
ff770d586e13c91bed490bccb6d32f44

SHA1
c1b717a80647fa60713c3abc2df863af9c7f332b

SHA256
8ca6788c055e9298de1c6225b1947876c0b67f6c5726b4b35d6d27fd1ae30e6c

SHA512
4e6413d9282936c66c2ef2b85c4d9326a357ff7882341fdca6bb63b029598f3f4a7777289c6a0fff8a0592b52140b6bac342e3ef77e1f19dcdae66476ca2cf4a

Download Submit
C:\Windows\SysWOW64\Shohdi.hdi

Filesize
293KB

MD5
76cb50779499d825dfa48f425a4d6c01

SHA1
d4fa3e75f2107a28243bb5862dddbe55dd4a9add

SHA256
719c869579e4f626da2df752c53cfc3327feee1ae0f336b9c98f8def0ddcd912

SHA512
a97d84be65fe8cd60db5d7bbc30054126504b52a6fe0c754e1ddb9c4e478ed329b49fd342d5b4f7f0d51a86827aadb01bb31aa327c51e5a07e8427deeef8155c

Download Submit