27f642badf930c2700d771dc200917cf368a04a5a495df2327657dead19fc7d1

Analysis

max time kernel
161s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe
Size

3.6MB
MD5

32e4a3599cd8198b69fa058a6525f3e0
SHA1

25dc426aa28385a84481b11e68ab7cff17fa9a88
SHA256

27f642badf930c2700d771dc200917cf368a04a5a495df2327657dead19fc7d1
SHA512

54b22619acb22667fba5fa684090e931217445f697dce6b7a343a16cd62f8502451f915c87a7c180eb06770bfc5f8c66f2d213bd8213e6d7352a911cbc75bf69
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp0bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe

Executes dropped EXE 3 IoCs

pid	Process
4296	ecdevopti.exe
4172	devdobec.exe
4496	devdobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocXI\\devdobec.exe"	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDU\\bodxec.exe"	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4932	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe
4932	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe
4932	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe
4932	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4172	devdobec.exe
4172	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe
4496	devdobec.exe
4496	devdobec.exe
4296	ecdevopti.exe
4296	ecdevopti.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4296	4932	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe	91
PID 4932 wrote to memory of 4296	4932	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe	91
PID 4932 wrote to memory of 4296	4932	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe	91
PID 4296 wrote to memory of 4172	4296	ecdevopti.exe	94
PID 4296 wrote to memory of 4172	4296	ecdevopti.exe	94
PID 4296 wrote to memory of 4172	4296	ecdevopti.exe	94
PID 4932 wrote to memory of 4496	4932	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe	93
PID 4932 wrote to memory of 4496	4932	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe	93
PID 4932 wrote to memory of 4496	4932	NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.32e4a3599cd8198b69fa058a6525f3e0_JC.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\IntelprocXI\devdobec.exe
    C:\IntelprocXI\devdobec.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4172
- C:\IntelprocXI\devdobec.exe
  C:\IntelprocXI\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocXI\devdobec.exe

Filesize
337KB

MD5
b39ef5adb621990dafbdfbe20b901eea

SHA1
a5c3ccae2966c0f570dc6f05713f1070636c1e7e

SHA256
bcb156062a1ac199d0ad4b613aac24be0c4a7f834435cdafbf2bfd57c2ab778e

SHA512
12b2bf28ddfe749b4357cbee216f5d0b8fcddb368d992c52a7cec3cc818e47e4ebb5d26e5693a84038a992a8511d5dfa9581d76cf95921322b52fd6d5e9543de

Download Submit
C:\IntelprocXI\devdobec.exe

Filesize
3.6MB

MD5
7bd43a8d94f7a1e40c190817a0d0439c

SHA1
a5e714e06ff3cb5f918571e3d042ebb8ee0eb9c5

SHA256
66d7b040a54f691b4ad9548587a2302e36e59fb769d91fa747cf38825078ca79

SHA512
2dd07f28615e22495a12b09a7469ae5912929c3d8e554feafb98cfffce677d7fb9031104c137ccac7bfada9273088e9311ddefdfb4d79ce8dbbc800ae329aabd

Download Submit
C:\IntelprocXI\devdobec.exe

Filesize
3.6MB

MD5
7bd43a8d94f7a1e40c190817a0d0439c

SHA1
a5e714e06ff3cb5f918571e3d042ebb8ee0eb9c5

SHA256
66d7b040a54f691b4ad9548587a2302e36e59fb769d91fa747cf38825078ca79

SHA512
2dd07f28615e22495a12b09a7469ae5912929c3d8e554feafb98cfffce677d7fb9031104c137ccac7bfada9273088e9311ddefdfb4d79ce8dbbc800ae329aabd

Download Submit
C:\IntelprocXI\devdobec.exe

Filesize
3.6MB

MD5
7bd43a8d94f7a1e40c190817a0d0439c

SHA1
a5e714e06ff3cb5f918571e3d042ebb8ee0eb9c5

SHA256
66d7b040a54f691b4ad9548587a2302e36e59fb769d91fa747cf38825078ca79

SHA512
2dd07f28615e22495a12b09a7469ae5912929c3d8e554feafb98cfffce677d7fb9031104c137ccac7bfada9273088e9311ddefdfb4d79ce8dbbc800ae329aabd

Download Submit
C:\IntelprocXI\devdobec.exe

Filesize
3.6MB

MD5
7bd43a8d94f7a1e40c190817a0d0439c

SHA1
a5e714e06ff3cb5f918571e3d042ebb8ee0eb9c5

SHA256
66d7b040a54f691b4ad9548587a2302e36e59fb769d91fa747cf38825078ca79

SHA512
2dd07f28615e22495a12b09a7469ae5912929c3d8e554feafb98cfffce677d7fb9031104c137ccac7bfada9273088e9311ddefdfb4d79ce8dbbc800ae329aabd

Download Submit
C:\LabZDU\bodxec.exe

Filesize
50KB

MD5
5a5665c7137dbb99c240364297a4a512

SHA1
382969d394b80571fb04064003528f6f7cb81c89

SHA256
43da80304f219af92d96cf484c45a88d31282f654bab20c3b544a38bc2b1bf0c

SHA512
33b15087e7796b5765f6e892f3aed8ca9515db91a47d84744d014014ed36b1a91df2e1fe0609dd04eb0f54498f460a4cf2af8d67cc9f898e606ba34323841b95

Download Submit
C:\LabZDU\bodxec.exe

Filesize
417KB

MD5
64c647d457ab111d382ea01966f1d670

SHA1
b0b947fe6ba7724ad3ae45812d40f12aaa037a09

SHA256
3b0e4283d4a8fd968fa9233b9489e4b1308a3929861662db24b07bdebb7287e1

SHA512
46e93150ae0082e222d029933b7eaab9f9d2c3bdf731c5a7973c4b41992ee9dd9abc7ebb490f4edb5b489aa41e6bf845afbaad2ddaae97286b9cd9f0ce796cbf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
64d483095f8580372cf799ff609d1c22

SHA1
eac45b979c91fc6f35f2505456a4ca493a83df76

SHA256
07aa4e8f647805cd3f6e82f9f9681b19ffe88cbfcbafccca64d4fb5a83508c7c

SHA512
e386b1917642eb8310f1cad3536380c845fff918bfaed68f0a00a7f6e6c3d47135e1a0b095475cd2c139f0c8c03dddc0bd5001b777a5fce8c5e85b749bc02117

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
174B

MD5
ea5a94313048976c1251f503c409067a

SHA1
f1e835871977d95deae0862ad49006197659b3bb

SHA256
e5cd15afe5db485afbcfe9a3aedd4ba4706c565c375bf8f449b1fb8efeb14bab

SHA512
6ccacafa185412c7d6ebf7f7e7a56de53529a4fceb778141cc49b28950ef9aa3ebe5444f515f23dd4bef3947f90e5981c1fb2542dc1b085900533929357aaeb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.6MB

MD5
1fe7c3653e501ec0d261ac674f074d8e

SHA1
9133285cc5eb8afc94f251ffbf7b960d8345d50a

SHA256
f83e97b07e8813465041ed7899ae7ea44c8bebec2cf265bf227b433c8789623b

SHA512
4ad108baac12c41dd8a4799044e5d880825ab04d85acc2a58f0cb50def87ae98f03967ffb73601933b8ac0a21e6e885be196453a59749f1015071f8db37cd57c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.6MB

MD5
1fe7c3653e501ec0d261ac674f074d8e

SHA1
9133285cc5eb8afc94f251ffbf7b960d8345d50a

SHA256
f83e97b07e8813465041ed7899ae7ea44c8bebec2cf265bf227b433c8789623b

SHA512
4ad108baac12c41dd8a4799044e5d880825ab04d85acc2a58f0cb50def87ae98f03967ffb73601933b8ac0a21e6e885be196453a59749f1015071f8db37cd57c

Download Submit