dd9fedb90d2c42143fecaae8deb990fd6b28588bd0f897942833950cdfc5dea7

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23-10-2023 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe
Size

336KB
MD5

941c94bf1be5b75a8ee3eddefb938d70
SHA1

aaed3bc7d5e8b47d74e0736b0e7d0bade6e5e4a5
SHA256

dd9fedb90d2c42143fecaae8deb990fd6b28588bd0f897942833950cdfc5dea7
SHA512

7a3d33192cc5b17dc927c4833c7b25f98de7deaafec9be6001dfa3bf4f4f44bd0df79709232eb6c762c56dc4261a3f565ba9fb17a88ec05c3aa986a115d40fb0
SSDEEP

6144:jiSqjQ8stZ5x6kdQK2XwBlO+fdD+nPaI0OXH1lSfGnpPDxIr0S:nqENdQQBY+ft+PhXH1lBpurf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1448	58BA.tmp

Loads dropped DLL 2 IoCs

pid	Process
2196	NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe
2196	NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\atl110.dll	58BA.tmp
File created	C:\Windows\SysWOW64\audiodev.dll	58BA.tmp
File created	C:\Windows\SysWOW64\d3d8.dll	58BA.tmp
File created	C:\Windows\SysWOW64\dpwsockx.dll	58BA.tmp
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	58BA.tmp
File created	C:\Windows\SysWOW64\crtdll.dll	58BA.tmp
File created	C:\Windows\SysWOW64\d3dxof.dll	58BA.tmp
File created	C:\Windows\SysWOW64\dmscript.dll	58BA.tmp
File opened for modification	C:\Windows\SysWOW64\atl100.dll	58BA.tmp
File created	C:\Windows\SysWOW64\dplaysvr.exe	58BA.tmp
File created	C:\Windows\SysWOW64\explorer.exe	58BA.tmp
File created	C:\Windows\SysWOW64\d3dim.dll	58BA.tmp
File created	C:\Windows\SysWOW64\d3dim700.dll	58BA.tmp
File created	C:\Windows\SysWOW64\dplayx.dll	58BA.tmp
File created	C:\Windows\SysWOW64\expsrv.dll	58BA.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT532.CNV	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSAutogen.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL	58BA.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	58BA.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\sqlite.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONPPTAddin.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPCORE.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ACT3.SAM	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MAPISHELL.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPST32.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pidgenx.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnOL.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLVBS.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXPSRV.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnvpxy.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\MSGR3FR.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKFSTUB.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLJRNL.FAE	58BA.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	58BA.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSStr32.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MLCFG32.CPL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnWD.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VVIEWDWG.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\hxds.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLACCT.DLL	58BA.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll	58BA.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SOA.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\STSCOPY.DLL	58BA.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7tk.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XPAGE3C.DLL	58BA.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEMANAGED.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordcnv.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLSLICER.DLL	58BA.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INTLDATE.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FBIBLIO.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ORG97.SAM	58BA.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODBC.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_PDF.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\MSB1ESEN.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUTHZAX.DLL	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	58BA.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	58BA.tmp

Drops file in Windows directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.VisualBasic.Activities.Compiler.dll	58BA.tmp
File created	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll	58BA.tmp
File created	C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll	58BA.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86	58BA.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_X86.dll	58BA.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\wpfgfx_x86.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationHost_v0400.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUi.dll	58BA.tmp
File created	C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	58BA.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsecimpl.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\PerfCounter.dll	58BA.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86	58BA.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system_data_dll_x86	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CORPerfMonExt.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupEngine.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\sqmapi.dll	58BA.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\ul_msvcr80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.dll	58BA.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	58BA.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system_data_dll_gac_x86	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AdoNetDiag.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtilLib.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MmcAspExt.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfdll.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.Thunk.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\FileTracker.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.OracleClient.dll	58BA.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\webengine4.dll	58BA.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1192	2196	WerFault.exe	27

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1192	2196	NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe	28
PID 2196 wrote to memory of 1192	2196	NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe	28
PID 2196 wrote to memory of 1192	2196	NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe	28
PID 2196 wrote to memory of 1192	2196	NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe	28
PID 2196 wrote to memory of 1448	2196	NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe	29
PID 2196 wrote to memory of 1448	2196	NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe	29
PID 2196 wrote to memory of 1448	2196	NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe	29
PID 2196 wrote to memory of 1448	2196	NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.941c94bf1be5b75a8ee3eddefb938d70_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 136
  2⤵
  - Program crash
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\58BA.tmp
  C:\Users\Admin\AppData\Local\Temp\58BA.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\58BA.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\58BA.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\58BA.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
\Users\Admin\AppData\Local\Temp\58BA.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
\Users\Admin\AppData\Local\Temp\58BA.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/2196-2-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2196-3-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2196-1-0x0000000000230000-0x000000000026D000-memory.dmp

Filesize
244KB

Download