9be5390217c892e0c188238eb99c1e6191d82560d4a5548b843b28e13ace673d

Analysis

max time kernel
159s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2023 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.06e39601dade42d7f2afdcc5e1d18885.exe
Size

3.3MB
MD5

06e39601dade42d7f2afdcc5e1d18885
SHA1

dbfab9aac699a55c0de4f2c529ff5255d4bbc58e
SHA256

9be5390217c892e0c188238eb99c1e6191d82560d4a5548b843b28e13ace673d
SHA512

352aaed4a9a1ad7464686cedefa059928af52aad1192a4760f03ebfe3c8654a54198a4bfdb401ad0450c5c58ebc9e870a4bca183d29f3bfc69aeac9b52d009f3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8b6LNXJqI20tq/:sxX7QnxrloE5dpUprbVz8eLFcz1/

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe

Executes dropped EXE 2 IoCs

pid	Process
1940	locadob.exe
668	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidH3\\dobxloc.exe"	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv3P\\devoptisys.exe"	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4300	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe
4300	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe
4300	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe
4300	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe
1940	locadob.exe
1940	locadob.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe
668	devoptisys.exe
668	devoptisys.exe
1940	locadob.exe
1940	locadob.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 1940	4300	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe	91
PID 4300 wrote to memory of 1940	4300	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe	91
PID 4300 wrote to memory of 1940	4300	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe	91
PID 4300 wrote to memory of 668	4300	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe	92
PID 4300 wrote to memory of 668	4300	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe	92
PID 4300 wrote to memory of 668	4300	NEAS.06e39601dade42d7f2afdcc5e1d18885.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.06e39601dade42d7f2afdcc5e1d18885.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.06e39601dade42d7f2afdcc5e1d18885.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1940
- C:\SysDrv3P\devoptisys.exe
  C:\SysDrv3P\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrv3P\devoptisys.exe

Filesize
2.9MB

MD5
a1d97ea17bdf95d83e2a3f3a634f597a

SHA1
5188d0555bb14356b95d94eaec17c9c748c67643

SHA256
52cc378753b2e0820530b13ce1e4e0229ad4b1443e19ebc168053df8ac5ec2c8

SHA512
0c1bf84ec2c0a43461454126d5ff925fd4fc0a3888f9c304604e5c91ded1a73fa4be0ed198a2e0a0eac4ab9f1195fb3aaff61827047aebfe6f0fce21cb090211

Download Submit
C:\SysDrv3P\devoptisys.exe

Filesize
3.3MB

MD5
96ae67e281d3961ad9ccd72ee5b18391

SHA1
dd4b7ce59a9453c9d9f227d748e75f14d2b47cdc

SHA256
4c104a61c8d253ac4182d8d7bb59137e4227642bd81180f681d8cbf080b725e8

SHA512
dd328947820c40d276a7ba2f13f8b034b60e8b0ec2c5721929f30fe6590969dbfc156c55a51d956a90b01a677bd0231cc22a3cf71a1c043cea2526ce34eb3bfc

Download Submit
C:\SysDrv3P\devoptisys.exe

Filesize
3.3MB

MD5
96ae67e281d3961ad9ccd72ee5b18391

SHA1
dd4b7ce59a9453c9d9f227d748e75f14d2b47cdc

SHA256
4c104a61c8d253ac4182d8d7bb59137e4227642bd81180f681d8cbf080b725e8

SHA512
dd328947820c40d276a7ba2f13f8b034b60e8b0ec2c5721929f30fe6590969dbfc156c55a51d956a90b01a677bd0231cc22a3cf71a1c043cea2526ce34eb3bfc

Download Submit
C:\SysDrv3P\devoptisys.exe

Filesize
3.3MB

MD5
96ae67e281d3961ad9ccd72ee5b18391

SHA1
dd4b7ce59a9453c9d9f227d748e75f14d2b47cdc

SHA256
4c104a61c8d253ac4182d8d7bb59137e4227642bd81180f681d8cbf080b725e8

SHA512
dd328947820c40d276a7ba2f13f8b034b60e8b0ec2c5721929f30fe6590969dbfc156c55a51d956a90b01a677bd0231cc22a3cf71a1c043cea2526ce34eb3bfc

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
bd9ad128cbe4a173a0bd807f1135b352

SHA1
1b37d01f7d246db99642a57fc4691e894f926c48

SHA256
65792f4a928eb398f014b3af9f03dc9f7e92a4cd3ef20b3b1288a11adf17e989

SHA512
de7277367ecd161b5dd80eda49f42a1392668c6be4751beac95a87c67c63ba7f442321b1ff75d8126bc4a0636d39d2ec6ddc0f42b6a465d8ca112054be16e250

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
5820dbc562fc7f14c5cf55517cc4379d

SHA1
f246bc59779639f48b09aa055f84bc9e5f6182f3

SHA256
a5f2d9ce0419834823c152a5fc7ff5cdcb99c29d63a2fb4f4b3697083dc76711

SHA512
a87bcff865bf2191ae111eb691f4c80a51efa7618193dd2063f9a8db010413585f289ece03628b48be9efca17be94637d27e0392e1a509fe9758d23173a8e422

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.3MB

MD5
94c92f8f3ad6207bb663e02fdc995103

SHA1
617131f335cc6ce41da97b10aa85aa7ed20f1bf7

SHA256
4316702ac63e6c3eac777026a1d54310c1a205fd7374c2fd5a2022117f8f2cf4

SHA512
5ce9310f4109d32da74c4adc1c60f2634907f54202d324d3a6b322a11ec1aa1c2d85e36a3cbb7f5c43dcaa0e0dd5e85b8cb735217541f5dd9f461a99b5343b65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
3.3MB

MD5
94c92f8f3ad6207bb663e02fdc995103

SHA1
617131f335cc6ce41da97b10aa85aa7ed20f1bf7

SHA256
4316702ac63e6c3eac777026a1d54310c1a205fd7374c2fd5a2022117f8f2cf4

SHA512
5ce9310f4109d32da74c4adc1c60f2634907f54202d324d3a6b322a11ec1aa1c2d85e36a3cbb7f5c43dcaa0e0dd5e85b8cb735217541f5dd9f461a99b5343b65

Download Submit
C:\VidH3\dobxloc.exe

Filesize
86KB

MD5
75391c55397dcf2fb66511ca0ced7d9d

SHA1
44748bdad55bfe6e4737f0c5773d553f0b147f8c

SHA256
6dd6eb6910674b58e1dbc95ef28172ad543500a01111509c373ea0a7d72439b1

SHA512
01ddec563de678a0bd819caf9c87cbb98ffcf400eec9f0dfc83b065644b38732cba4404dae173f58cbb6b52f6c184fd63f71c7af575839dcd119ad8b8b145d71

Download Submit
C:\VidH3\dobxloc.exe

Filesize
320KB

MD5
b3b477d81641cf2c0b48a5bd7c976d5c

SHA1
943c5e7afd751489a057db07f4c651ec4dc5f517

SHA256
d013744c82e0619d0ab902b73c1fd3f4bb7e5ce60c8c2a5657d8fe1da174eb09

SHA512
94d786608295e06296089c153aa08ce91213c6701fa708ee5ae6b63d1bc250daeef15fc17de1ebc89063ab3056a269f09e489eeb525670b6a8a7f64f182c8e14

Download Submit