ca1369df9e181069974d700a79258c3498ec4b6bbbd5aebfd07716136d8521dd

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f3f1aac64803193ac51fbde62003c3e0.exe
Size

4.1MB
MD5

f3f1aac64803193ac51fbde62003c3e0
SHA1

0e13a1ffdb0c4e87f3678eea8392061e992dee35
SHA256

ca1369df9e181069974d700a79258c3498ec4b6bbbd5aebfd07716136d8521dd
SHA512

25458818fe72d25779cb43409ab08241ad27428e070d5e044d16c5a66a1b383518a37e17e532a17b5158c09dea3a9945e92af11dacaa486f6f43427177ebed14
SSDEEP

98304:sxX7QnxrloE5dpUpGbVz8eLFcz1/wiAUc2:sxX7QnHoE5dbx9a1/pc2

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	sysxdob.exe
1452	devoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
812	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe
812	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotA3\\devoptiec.exe"	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFC\\boddevsys.exe"	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
812	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe
812	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe
2524	sysxdob.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe
1452	devoptiec.exe
2524	sysxdob.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 2524	812	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe	28
PID 812 wrote to memory of 2524	812	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe	28
PID 812 wrote to memory of 2524	812	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe	28
PID 812 wrote to memory of 2524	812	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe	28
PID 812 wrote to memory of 1452	812	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe	29
PID 812 wrote to memory of 1452	812	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe	29
PID 812 wrote to memory of 1452	812	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe	29
PID 812 wrote to memory of 1452	812	NEAS.f3f1aac64803193ac51fbde62003c3e0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.f3f1aac64803193ac51fbde62003c3e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f3f1aac64803193ac51fbde62003c3e0.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:812
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\UserDotA3\devoptiec.exe
  C:\UserDotA3\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBFC\boddevsys.exe

Filesize
4.1MB

MD5
d982959ae4834e4f56e26254bb194e72

SHA1
9b4fcf25c96debf996f9ed243e437cad0e43459e

SHA256
a60d89dead1fa5d74bf746f94681cf19ad095283c25d78d45aca13a392b23085

SHA512
31737b75c62f214a83530d735a5b02a451cf4b946cc1c2cf98678c8a4a206c57d124e5f884fdc088cbbaa99569dbd104ca831a48fd385e7c21ddbca4a735b516

Download Submit
C:\KaVBFC\boddevsys.exe

Filesize
4.1MB

MD5
31e4ed3f6a18d5b9b817522e0763be1c

SHA1
d87586e9a43eb09ed59de6f53bac207583bf6c9b

SHA256
925a83a819aa1f3b7389c8b4bae7f30f65a6dc276c01f2c047190ecd5c258209

SHA512
2631e43296e4fe0cb115a20a6b5baf4af8f2f170fa10751fd29b37bfe5bd6bb81487804ed296c47f6524eebc37855c4229cc6d2e2fcb19b916b7b8c5e076de16

Download Submit
C:\UserDotA3\devoptiec.exe

Filesize
4.1MB

MD5
b90382fa4d0ebb705601122b4dba1c69

SHA1
b5325bd217a3451fe94226a0c2972996c2701eec

SHA256
ed276c8e209ef58723c132d2861edea1e4dff0e0298e2d2f2579c7013fecbc47

SHA512
3f9223d5594686a30d5584ab02241f5b4ddbbc7a092fa28c28cdd4f492438ecb2f9ec73ee2c94f934394e843acadbaeb5beedac5a1f39d423f496967cdfe1096

Download Submit
C:\UserDotA3\devoptiec.exe

Filesize
4.1MB

MD5
b90382fa4d0ebb705601122b4dba1c69

SHA1
b5325bd217a3451fe94226a0c2972996c2701eec

SHA256
ed276c8e209ef58723c132d2861edea1e4dff0e0298e2d2f2579c7013fecbc47

SHA512
3f9223d5594686a30d5584ab02241f5b4ddbbc7a092fa28c28cdd4f492438ecb2f9ec73ee2c94f934394e843acadbaeb5beedac5a1f39d423f496967cdfe1096

Download Submit
C:\UserDotA3\devoptiec.exe

Filesize
4.1MB

MD5
b90382fa4d0ebb705601122b4dba1c69

SHA1
b5325bd217a3451fe94226a0c2972996c2701eec

SHA256
ed276c8e209ef58723c132d2861edea1e4dff0e0298e2d2f2579c7013fecbc47

SHA512
3f9223d5594686a30d5584ab02241f5b4ddbbc7a092fa28c28cdd4f492438ecb2f9ec73ee2c94f934394e843acadbaeb5beedac5a1f39d423f496967cdfe1096

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
485bc68239cdb682652cc0196136e44a

SHA1
b26d0612b172d84a2ba8416c34a88db2745cdf3c

SHA256
474df6ef0919782d682cd425711166a554594dd0cbc47bc38cfff2e0aca1ebf7

SHA512
e8fab0fda8eb770e3f366a629bf3d268f501fbbc6bb7dcb7d6d6cf5f1ce0b9af6fca41e2e06cf6ceb3e4e25e05b814ed4b1016a9b7d339c88ce07fa97eacb5fd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
3e3143decf7bdd90ab0ac8e83cdc627f

SHA1
aa6f64d8bd0dc45eef566cd1bfe1b68282d88261

SHA256
3b1e619d7f49f21c231f778335788e0c45a1b08c833c131f055aee4ed20ca317

SHA512
256947662e59b2fc2f3033551d9c8fc236c6e63843fb56df5a80fe1678f7b403cc4618831c46573732d370db51ddff5889feee71a2ae1262921a955138f280d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
4.1MB

MD5
4e87f5f1e39f31bc572b4ca4c7dc7521

SHA1
95f0ac1d1e61039543fd9a2171b4a04f2ae1fe81

SHA256
5c832117cde5473e9962e15d46d2778a7fe56070f6f4e7e455a3389a8ee4a9d5

SHA512
3739d429ad33e8959fa05de044f206a1aa497809ff52a66e1c674959b956dddc6cc34709ad910c8b5ca57063ae6be5e5c09d879bac9854f025ae00dda2fe537a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
4.1MB

MD5
4e87f5f1e39f31bc572b4ca4c7dc7521

SHA1
95f0ac1d1e61039543fd9a2171b4a04f2ae1fe81

SHA256
5c832117cde5473e9962e15d46d2778a7fe56070f6f4e7e455a3389a8ee4a9d5

SHA512
3739d429ad33e8959fa05de044f206a1aa497809ff52a66e1c674959b956dddc6cc34709ad910c8b5ca57063ae6be5e5c09d879bac9854f025ae00dda2fe537a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
4.1MB

MD5
4e87f5f1e39f31bc572b4ca4c7dc7521

SHA1
95f0ac1d1e61039543fd9a2171b4a04f2ae1fe81

SHA256
5c832117cde5473e9962e15d46d2778a7fe56070f6f4e7e455a3389a8ee4a9d5

SHA512
3739d429ad33e8959fa05de044f206a1aa497809ff52a66e1c674959b956dddc6cc34709ad910c8b5ca57063ae6be5e5c09d879bac9854f025ae00dda2fe537a

Download Submit
\UserDotA3\devoptiec.exe

Filesize
4.1MB

MD5
b90382fa4d0ebb705601122b4dba1c69

SHA1
b5325bd217a3451fe94226a0c2972996c2701eec

SHA256
ed276c8e209ef58723c132d2861edea1e4dff0e0298e2d2f2579c7013fecbc47

SHA512
3f9223d5594686a30d5584ab02241f5b4ddbbc7a092fa28c28cdd4f492438ecb2f9ec73ee2c94f934394e843acadbaeb5beedac5a1f39d423f496967cdfe1096

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
4.1MB

MD5
4e87f5f1e39f31bc572b4ca4c7dc7521

SHA1
95f0ac1d1e61039543fd9a2171b4a04f2ae1fe81

SHA256
5c832117cde5473e9962e15d46d2778a7fe56070f6f4e7e455a3389a8ee4a9d5

SHA512
3739d429ad33e8959fa05de044f206a1aa497809ff52a66e1c674959b956dddc6cc34709ad910c8b5ca57063ae6be5e5c09d879bac9854f025ae00dda2fe537a

Download Submit