c5bd60e1499f7fd1e9732a8a188d2dae2d7b1269ee3713f05dd39374bf97692d

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
Size

4.0MB
MD5

1efc0e1d03c7c7c3783aa5d49679a810
SHA1

2288313b7c092a0561cd788b64fd6a7c12a38288
SHA256

c5bd60e1499f7fd1e9732a8a188d2dae2d7b1269ee3713f05dd39374bf97692d
SHA512

39d75ec31cdf87ce402e72ee057cc5dba36f0a2a1e080063c67886f4a423e14c5f3dd8d3d5e32c1b476a60a4a3360cca74343de49577ce75064653499ac19526
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpBbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe

Executes dropped EXE 2 IoCs

pid	Process
4892	sysdevbod.exe
5024	adobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocCO\\adobloc.exe"	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid14\\dobaloc.exe"	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2628	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
2628	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
2628	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
2628	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe
4892	sysdevbod.exe
4892	sysdevbod.exe
5024	adobloc.exe
5024	adobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4892	2628	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	91
PID 2628 wrote to memory of 4892	2628	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	91
PID 2628 wrote to memory of 4892	2628	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	91
PID 2628 wrote to memory of 5024	2628	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	92
PID 2628 wrote to memory of 5024	2628	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	92
PID 2628 wrote to memory of 5024	2628	NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1efc0e1d03c7c7c3783aa5d49679a810.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4892
- C:\IntelprocCO\adobloc.exe
  C:\IntelprocCO\adobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocCO\adobloc.exe

Filesize
1006KB

MD5
dbfb0d56f4fb3b7aa519d2d66768cfc7

SHA1
324adb53ad7f4a3ec3a6ab4ccaf24150dfabc644

SHA256
4bc60f790de21f1acd38e5182cd6dd456327c96b42f5b80451e3040275f11b38

SHA512
8e8213ef829a8dd624d4563b4da73b4fa9bbb86610eb646c1ba193021a879a086532f57aecbca9dc23d948d646416fab41c1a7610a4c3e01bdbc9a0ca65fce01

Download Submit
C:\IntelprocCO\adobloc.exe

Filesize
4.0MB

MD5
2d3a4f6cdaffd90995e45ab532a4b04d

SHA1
ffa9a86e20092fff6379df2e0763bbda2c9eb80c

SHA256
9dd468cda77f1f4cf1c969cec3f5e39f782d6c934be02406b6f9d352a480aada

SHA512
7e303c37a6cb3d11341a34d3c21d46ea8637a0c3ab3ae96f6d5c67e768ef2841d98b790049b4035a9c164192c331895d9f00c50a7c03c8a788bdf6f21f21a269

Download Submit
C:\IntelprocCO\adobloc.exe

Filesize
4.0MB

MD5
2d3a4f6cdaffd90995e45ab532a4b04d

SHA1
ffa9a86e20092fff6379df2e0763bbda2c9eb80c

SHA256
9dd468cda77f1f4cf1c969cec3f5e39f782d6c934be02406b6f9d352a480aada

SHA512
7e303c37a6cb3d11341a34d3c21d46ea8637a0c3ab3ae96f6d5c67e768ef2841d98b790049b4035a9c164192c331895d9f00c50a7c03c8a788bdf6f21f21a269

Download Submit
C:\IntelprocCO\adobloc.exe

Filesize
4.0MB

MD5
2d3a4f6cdaffd90995e45ab532a4b04d

SHA1
ffa9a86e20092fff6379df2e0763bbda2c9eb80c

SHA256
9dd468cda77f1f4cf1c969cec3f5e39f782d6c934be02406b6f9d352a480aada

SHA512
7e303c37a6cb3d11341a34d3c21d46ea8637a0c3ab3ae96f6d5c67e768ef2841d98b790049b4035a9c164192c331895d9f00c50a7c03c8a788bdf6f21f21a269

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
28073a80e5e64503658f69177830fd9e

SHA1
9383996b85257584c12426088069d2314c827867

SHA256
9ae6b9394e23345ea8690a671508e3e2e2d1fb72c1a1c0b7d0c3e25ea3f621c5

SHA512
fd1265ec210d3373b12c5e036dd85d0393d5404a7550c7423270c18f7d6d6e282a39ddfa10bf5522a147f47c4783ba02fb8ae74c823ba02d82437af23b66d60e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
173B

MD5
fe896f77209cd3881c902ed5bd7f530b

SHA1
93d098b5dae45b2baa10a54aa1069f4200884ab5

SHA256
8f362fc9f20713566b7025381f9532bc4ed99ff83434784ca7e251322ecb8a9a

SHA512
cde0643473a7d73b642185a48a00175933c5aac6ad52ab5cab45e40207b31480e06c0e33810091242dc12100d80d083789ad154b20b156ed5ec426be38ef2086

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
4.0MB

MD5
b6876319ac5a3f24c6163b7b476ac339

SHA1
f990990d8620bb47adf6dafef76cbe8310a1f0d8

SHA256
3f9a457c94ae30cf8b66ef0db282f19f6c6527e2bda9dcafbba9c03a31ae1b65

SHA512
2c3b5f4a5c5e5eced3d1d49463ea3be63466ef0d510b4ed9b2cd3428003f034b5c351c16faa27fddbf0e15fd8f20635289468f4c0166ad6200e5a33d0318c0ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe

Filesize
4.0MB

MD5
b6876319ac5a3f24c6163b7b476ac339

SHA1
f990990d8620bb47adf6dafef76cbe8310a1f0d8

SHA256
3f9a457c94ae30cf8b66ef0db282f19f6c6527e2bda9dcafbba9c03a31ae1b65

SHA512
2c3b5f4a5c5e5eced3d1d49463ea3be63466ef0d510b4ed9b2cd3428003f034b5c351c16faa27fddbf0e15fd8f20635289468f4c0166ad6200e5a33d0318c0ff

Download Submit
C:\Vid14\dobaloc.exe

Filesize
414KB

MD5
d0a2b11d8a5a60062e76de0457b14526

SHA1
585b1db84b84acd3cf2f9db99e16100fda1d334e

SHA256
d75ad72eefd3cd9be65ffeb4ffbb74d7a2f197fcf6ec7a0ec9708c57bab55f36

SHA512
513a39e758cfd00f6fabfe925713fac7e66a6e02b4f37241c7709d954d32e017a07026068d0696b5fc02481cd1dd2309377990da81ffb3b3e0708fef0fcf4997

Download Submit
C:\Vid14\dobaloc.exe

Filesize
8KB

MD5
1c31992317278cbfbb062cd4732b9020

SHA1
b2953bc21d0bbd03b25aba4e7b3d56cc63708195

SHA256
0b2e7da6fe13e1abfc05dc31898f9758e2b90fe94d3847eff578d06e33ba20b0

SHA512
a5b02c17136be2ad9ac5c6a2585c1d7c84233d35eef6ba3067f7e8ca22977de16026663f8caeff0cd96ab4385a960bba9a5ec07876508d7fcf403cee572a75bb

Download Submit