c5bd60e1499f7fd1e9732a8a188d2dae2d7b1269ee3713f05dd39374bf97692d

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
Size

4.0MB
MD5

1efc0e1d03c7c7c3783aa5d49679a810
SHA1

2288313b7c092a0561cd788b64fd6a7c12a38288
SHA256

c5bd60e1499f7fd1e9732a8a188d2dae2d7b1269ee3713f05dd39374bf97692d
SHA512

39d75ec31cdf87ce402e72ee057cc5dba36f0a2a1e080063c67886f4a423e14c5f3dd8d3d5e32c1b476a60a4a3360cca74343de49577ce75064653499ac19526
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpBbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe

Executes dropped EXE 2 IoCs

pid	Process
2940	sysdevdob.exe
2840	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
3044	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
3044	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocO2\\xdobsys.exe"	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxN8\\dobxec.exe"	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3044	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
3044	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
2940	sysdevdob.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe
2840	xdobsys.exe
2940	sysdevdob.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2940	3044	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	28
PID 3044 wrote to memory of 2940	3044	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	28
PID 3044 wrote to memory of 2940	3044	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	28
PID 3044 wrote to memory of 2940	3044	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	28
PID 3044 wrote to memory of 2840	3044	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	29
PID 3044 wrote to memory of 2840	3044	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	29
PID 3044 wrote to memory of 2840	3044	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	29
PID 3044 wrote to memory of 2840	3044	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\IntelprocO2\xdobsys.exe
  C:\IntelprocO2\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxN8\dobxec.exe

Filesize
4.0MB

MD5
b05b5613e612322a465fabd2adf4af99

SHA1
15c049d3c063d61a3745c114325184662185ac5b

SHA256
9eef1fdd39e5b54081a5a30316bcbbe42be7fb7ce7d598d17064b97098eae34c

SHA512
33e5b640d59e3e55d6ab316527bdda2f0b788578ea5b3c0c77146d672a822bc5070018be9529693608e6c87010f3835ff3fe7003068c8e21ee6fa9449620e3c4

Download Submit
C:\GalaxN8\dobxec.exe

Filesize
498KB

MD5
f9ecd1aa2003d67c0272a65171a3579f

SHA1
7635feb779ba1987b8051131ea132653cfd57fd6

SHA256
abc8e1267b5536aeec00e1536e6e8a430ad9a918d0750d6226b982eda7d3ffbd

SHA512
d9dfaec5463111650eff8cc25bf3b4371b6d34126c52e8a71eb770e789ad202fef179c34a659a018f7e8eba935f2a346f69ebd5e92544590fd56c904cf7ea975

Download Submit
C:\IntelprocO2\xdobsys.exe

Filesize
4.0MB

MD5
2be1d511a549dc5af2e3808927855d02

SHA1
34489ea24457fea68846809643f1f328d7bfe938

SHA256
673a3fc2f20e91ec665c4356d78d29e426771527a7b516917c0924826f1e86cb

SHA512
ca6075802effebae9ee20be6674e88289a55c44f76c88ce55f0ed22cc9e870746a43a36e795f155d188490d0bc25d703dff5c7c8252cfc5f7ee00dc8ad2cd4d0

Download Submit
C:\IntelprocO2\xdobsys.exe

Filesize
4.0MB

MD5
2be1d511a549dc5af2e3808927855d02

SHA1
34489ea24457fea68846809643f1f328d7bfe938

SHA256
673a3fc2f20e91ec665c4356d78d29e426771527a7b516917c0924826f1e86cb

SHA512
ca6075802effebae9ee20be6674e88289a55c44f76c88ce55f0ed22cc9e870746a43a36e795f155d188490d0bc25d703dff5c7c8252cfc5f7ee00dc8ad2cd4d0

Download Submit
C:\IntelprocO2\xdobsys.exe

Filesize
4.0MB

MD5
2be1d511a549dc5af2e3808927855d02

SHA1
34489ea24457fea68846809643f1f328d7bfe938

SHA256
673a3fc2f20e91ec665c4356d78d29e426771527a7b516917c0924826f1e86cb

SHA512
ca6075802effebae9ee20be6674e88289a55c44f76c88ce55f0ed22cc9e870746a43a36e795f155d188490d0bc25d703dff5c7c8252cfc5f7ee00dc8ad2cd4d0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
5ac1a10b8afee9424d364666cba8184e

SHA1
9fdc0313c3b3264382a402820c33f6f13811e48e

SHA256
bc898892e54b7a47d6583bc9f494d5ec63a4ac851fa6ddde5d69e7889b487bf9

SHA512
2a7cc6e0482c4ba0407b41a1451d0f8f7581145c3443c7e9f48a18aa8ec5bd5544d0b8b0bdfb87a977e2f0be0d21b1c08a27f8ad1a8e9f56f3d47e73877a4293

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
bd33eaad905f832d758379c8bab82667

SHA1
621653e41ddbb3f4249477fbb58b90f3360c93d6

SHA256
1fcaf3ebe3e79b438b5afaffbd235873aa1ea793d31cd6b7817669c91874c010

SHA512
9180cc4c42e15367d9604e5cb5ecd4dc3263e64fac36143e01037942fe69678f78ef7de2feb6a83979bc31df876cf572720636fff6a33b85d84e5f71c3e077d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
4.0MB

MD5
afac8c0bc6fcd0488bd74fb9687e6c69

SHA1
511d22e8077cfadd8faafa56f00f1dcfd8c91939

SHA256
47c60d84f0f31b4b250b2f677adc9ef3f3b6f14dd82cb3efcb3419f1cfa4295a

SHA512
9c3f8e772a3efa85ee8ecfe1edaee8a51dd8ba5a2ddb861d85962020fc4d8a77684f5b55a3ef83c55f62b5a50cba56c36c3a6fa3fdafd87606c2ca323e793e97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
4.0MB

MD5
afac8c0bc6fcd0488bd74fb9687e6c69

SHA1
511d22e8077cfadd8faafa56f00f1dcfd8c91939

SHA256
47c60d84f0f31b4b250b2f677adc9ef3f3b6f14dd82cb3efcb3419f1cfa4295a

SHA512
9c3f8e772a3efa85ee8ecfe1edaee8a51dd8ba5a2ddb861d85962020fc4d8a77684f5b55a3ef83c55f62b5a50cba56c36c3a6fa3fdafd87606c2ca323e793e97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
4.0MB

MD5
afac8c0bc6fcd0488bd74fb9687e6c69

SHA1
511d22e8077cfadd8faafa56f00f1dcfd8c91939

SHA256
47c60d84f0f31b4b250b2f677adc9ef3f3b6f14dd82cb3efcb3419f1cfa4295a

SHA512
9c3f8e772a3efa85ee8ecfe1edaee8a51dd8ba5a2ddb861d85962020fc4d8a77684f5b55a3ef83c55f62b5a50cba56c36c3a6fa3fdafd87606c2ca323e793e97

Download Submit
\IntelprocO2\xdobsys.exe

Filesize
4.0MB

MD5
2be1d511a549dc5af2e3808927855d02

SHA1
34489ea24457fea68846809643f1f328d7bfe938

SHA256
673a3fc2f20e91ec665c4356d78d29e426771527a7b516917c0924826f1e86cb

SHA512
ca6075802effebae9ee20be6674e88289a55c44f76c88ce55f0ed22cc9e870746a43a36e795f155d188490d0bc25d703dff5c7c8252cfc5f7ee00dc8ad2cd4d0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
4.0MB

MD5
afac8c0bc6fcd0488bd74fb9687e6c69

SHA1
511d22e8077cfadd8faafa56f00f1dcfd8c91939

SHA256
47c60d84f0f31b4b250b2f677adc9ef3f3b6f14dd82cb3efcb3419f1cfa4295a

SHA512
9c3f8e772a3efa85ee8ecfe1edaee8a51dd8ba5a2ddb861d85962020fc4d8a77684f5b55a3ef83c55f62b5a50cba56c36c3a6fa3fdafd87606c2ca323e793e97

Download Submit