f7a68eada250d02bde7961fb6caaa0ad90dd5f270e46a913ab61a071bd309cb2

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
11/11/2023, 18:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe
Size

3.0MB
MD5

ef4cce4ba61fdd3d9c96e82934709020
SHA1

add498674e48008f59ece65004906d83f5eda4e6
SHA256

f7a68eada250d02bde7961fb6caaa0ad90dd5f270e46a913ab61a071bd309cb2
SHA512

9e6e6025cdc325b7b1de1aa181ce6f1b04378057ec73a012968f84c75c3097707fbf8dd4587f3e45dc973247e97e41365620ed3168bd7901f25fa0debb4f9b27
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bSqz8b6LNX:sxX7QnxrloE5dpUpZbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	sysabod.exe
2776	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2568	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe
2568	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGC\\abodloc.exe"	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint5K\\optiasys.exe"	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe
2568	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe
3068	sysabod.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe
2776	abodloc.exe
3068	sysabod.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 3068	2568	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe	28
PID 2568 wrote to memory of 3068	2568	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe	28
PID 2568 wrote to memory of 3068	2568	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe	28
PID 2568 wrote to memory of 3068	2568	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe	28
PID 2568 wrote to memory of 2776	2568	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe	29
PID 2568 wrote to memory of 2776	2568	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe	29
PID 2568 wrote to memory of 2776	2568	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe	29
PID 2568 wrote to memory of 2776	2568	NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ef4cce4ba61fdd3d9c96e82934709020.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\UserDotGC\abodloc.exe
  C:\UserDotGC\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint5K\optiasys.exe

Filesize
3.0MB

MD5
339dece672c61075752cc47b75165bc7

SHA1
1b52d9bd7a6696549f1726cdf4149e251966f64c

SHA256
1b88467f61d3d88f5c49fe30778b8c29ca669c0d706d3fc3a25fd51091826df0

SHA512
1d84528e22f3952d7075a1cc08ed4c0a05de98ce8cb5f9f35225f423a2ed7ef4996a0b5682c0342bec2eaae6d7e48de2065fb2ae078b2460e6a2e71cde01942c

Download Submit
C:\Mint5K\optiasys.exe

Filesize
3.0MB

MD5
5887346e2399f63b1fabdd25786a9ef0

SHA1
b65e0ecbd5138a7cbccb3acca7da29057adc19af

SHA256
e26ba3e3a7eaead1d266b64eb2243bcdd1fd500970432077e77b387c92c68588

SHA512
9d69c22b39e35729b8599026ea2cb7e867a3de44aa0d68e07b621649e7206929b2f7aae81da10b8e39720813f162c1a8c2c2a2f146def6503138a39e7791b35d

Download Submit
C:\UserDotGC\abodloc.exe

Filesize
979KB

MD5
b26731527bf433ce8d856eec80380dbc

SHA1
4f65aeb86b761cf4f1310c7cad5e0e04f065c3ae

SHA256
98e6654f48fc24477661449a77a52092a8c81aced810a566edcdf92d7b43c03a

SHA512
d1880bc17775d9bba3dbd87d64bd6ea264df3ef82b73d9c09954918fee3bdc734953605a2cb52468191ace59ea502fee466dbb402f25639e3d63b8d018007796

Download Submit
C:\UserDotGC\abodloc.exe

Filesize
3.0MB

MD5
7173562cff61cb4f1d00b93da1588aab

SHA1
877342411bcd6935c993ae4d7f0b3715edb3f520

SHA256
9b3b31ade33cf72b55eaaca61a06a8eb5018e2c748e7edfd6a2fed39d6255606

SHA512
7aac31034aa1576c38fa30690bb47ec46b21ec8349b87404634786d70fbdebe5ffd4ff8158a2bc9536f071f4e16b39c08be574eea8adae4b7da2b9b87a3a3b1a

Download Submit
C:\UserDotGC\abodloc.exe

Filesize
3.0MB

MD5
7173562cff61cb4f1d00b93da1588aab

SHA1
877342411bcd6935c993ae4d7f0b3715edb3f520

SHA256
9b3b31ade33cf72b55eaaca61a06a8eb5018e2c748e7edfd6a2fed39d6255606

SHA512
7aac31034aa1576c38fa30690bb47ec46b21ec8349b87404634786d70fbdebe5ffd4ff8158a2bc9536f071f4e16b39c08be574eea8adae4b7da2b9b87a3a3b1a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
c2fa3c28e25fe1a1fed06773c70b716e

SHA1
5a471afb511d91a05b560eb433602a2dfb07f929

SHA256
82175afe5b9a79ab9ae936f60ac4a1976fcfecc47ff051cb20beec96820846ea

SHA512
87db0804ac6bff636989c190328fad476969a34f2c3d433cb9ad5d8ab15581ce30f7b090038068bd335828ecd085785d3161c23e144e7152b6aad88adab5886b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
37088e53b2b72b7a76084c1a6a0f1651

SHA1
542e8d5c787e1480dc1cf7ef72d9969b7d5331c8

SHA256
40a7d1a92b70a8159f34cc2abd182ad4efc58a590cfa8635d4f639e5f4257755

SHA512
a605324bbe4249d630c3717a82d236f6de42b795edcc423f5e46aceba56f83ff9acc39155c91e2ad2a983e1c9bb0d2dffd5389553a98334e7131c7d0730b15e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.0MB

MD5
b86ea503dbb29c66a298bf8c1d8efd0d

SHA1
45cbdd662bdb182a87de7f02e95e14f0440c84fa

SHA256
fd38a70ffb1e9b48cfdbf89084ca099e00dd8e65789dc4487d58e2eb6ea85622

SHA512
0f302691eabca921e2cb424d1ed00ad2d590914aa38b4786794b472f3e0e6ff516a4bf518973be55750e1e1544fdd830b43f4fb61bde67e41180dd6e9e2ff899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.0MB

MD5
b86ea503dbb29c66a298bf8c1d8efd0d

SHA1
45cbdd662bdb182a87de7f02e95e14f0440c84fa

SHA256
fd38a70ffb1e9b48cfdbf89084ca099e00dd8e65789dc4487d58e2eb6ea85622

SHA512
0f302691eabca921e2cb424d1ed00ad2d590914aa38b4786794b472f3e0e6ff516a4bf518973be55750e1e1544fdd830b43f4fb61bde67e41180dd6e9e2ff899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.0MB

MD5
b86ea503dbb29c66a298bf8c1d8efd0d

SHA1
45cbdd662bdb182a87de7f02e95e14f0440c84fa

SHA256
fd38a70ffb1e9b48cfdbf89084ca099e00dd8e65789dc4487d58e2eb6ea85622

SHA512
0f302691eabca921e2cb424d1ed00ad2d590914aa38b4786794b472f3e0e6ff516a4bf518973be55750e1e1544fdd830b43f4fb61bde67e41180dd6e9e2ff899

Download Submit
\UserDotGC\abodloc.exe

Filesize
3.0MB

MD5
7173562cff61cb4f1d00b93da1588aab

SHA1
877342411bcd6935c993ae4d7f0b3715edb3f520

SHA256
9b3b31ade33cf72b55eaaca61a06a8eb5018e2c748e7edfd6a2fed39d6255606

SHA512
7aac31034aa1576c38fa30690bb47ec46b21ec8349b87404634786d70fbdebe5ffd4ff8158a2bc9536f071f4e16b39c08be574eea8adae4b7da2b9b87a3a3b1a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.0MB

MD5
b86ea503dbb29c66a298bf8c1d8efd0d

SHA1
45cbdd662bdb182a87de7f02e95e14f0440c84fa

SHA256
fd38a70ffb1e9b48cfdbf89084ca099e00dd8e65789dc4487d58e2eb6ea85622

SHA512
0f302691eabca921e2cb424d1ed00ad2d590914aa38b4786794b472f3e0e6ff516a4bf518973be55750e1e1544fdd830b43f4fb61bde67e41180dd6e9e2ff899

Download Submit