e6a9e265fcf756c6cd0d50899d1ade8feea40933ee0f8c1f48625ff71b11da46

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
Size

3.1MB
MD5

4bf9b3895f53d39ef73c56a9d31e5220
SHA1

3ae614c93f23e2fb305d00c060faa193c99d6d67
SHA256

e6a9e265fcf756c6cd0d50899d1ade8feea40933ee0f8c1f48625ff71b11da46
SHA512

3f6360088ec782760437dead352b4bb044475a5902557617ddc1f6d2c5dd099dc6acecf311a55acbdfdab0c35a7baddf301d3be9e3cb017218f69f9e6d9f524e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpSbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe

Executes dropped EXE 2 IoCs

pid	Process
2196	locxbod.exe
2908	xoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1924	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
1924	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBR\\xoptiloc.exe"	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVJ\\dobdevloc.exe"	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
1924	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe
2196	locxbod.exe
2908	xoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2196	1924	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	28
PID 1924 wrote to memory of 2196	1924	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	28
PID 1924 wrote to memory of 2196	1924	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	28
PID 1924 wrote to memory of 2196	1924	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	28
PID 1924 wrote to memory of 2908	1924	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	29
PID 1924 wrote to memory of 2908	1924	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	29
PID 1924 wrote to memory of 2908	1924	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	29
PID 1924 wrote to memory of 2908	1924	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	29

C:\Users\Admin\AppData\Local\Temp\4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2196
- C:\UserDotBR\xoptiloc.exe
  C:\UserDotBR\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotBR\xoptiloc.exe

Filesize
3.1MB

MD5
075336e329f25935a68b26028e1f8dc9

SHA1
bacaca398da9cbe977cd112e48311930a522c041

SHA256
01905f745378d129fbdc232bd08e222e080f763dbcc2ae62f7d21baae20241a3

SHA512
089c681fb2622e89ca659dca26949fb005bf2eae2c247924d2f7a7c76f93aef27cd50a9675813fe99f7ce2b24b1338f490c716159cd5d1e9c000ffb9f5ed8610

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
fc290eacf3f2291ad65f112e32454d83

SHA1
9eb7eadbcea8a35203475108077fdd714f7d7c5d

SHA256
f084521778d0fd3412c65a5abf1f863aa241386cd621e29eb4f403a44ab3a352

SHA512
e6bb8f3fa01f4a1608edb0e623615594763d11907a3dd7b7b5e392839a43b22d05ef1f6785f6fab39ae58cdcf299418006eaf2dd17375c650ed31f2e3af1a621

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
2385e1709353e4e0eef7a3d2de3d0abc

SHA1
9d08a127b835805a62e3056c8961221d69e58009

SHA256
1810e9fb9b7abcdebe30135208671a984b3aee6e2b911e941851e9df480c5406

SHA512
fb4b29dbfc9bf4b3db5f53bcf18667a1cadfbec35a19afb29ddd0697b9a6fe67ec314a1633735648cdc0bc0b3062c506dd44124a7e0b548297dbca3f603c4d24

Download Submit
C:\VidVJ\dobdevloc.exe

Filesize
2.8MB

MD5
f857b1641e05ad88b5f3578ad6428e72

SHA1
6b552e0d36150f0ef666356b5c0f88e7dd3ec3d0

SHA256
cd7717b26319437b0b4041fc535e5bfd325f2dcbe54dc81bffa7dbfc1c1b1f4a

SHA512
0b6ca3a3bb67c4e2de15047a30b80bae8bb20985c011f0621c245e30967f42cb102e6012fdc55877921989b65cdb7e5a787682a1c88d8db283a3ba0fc591b188

Download Submit
C:\VidVJ\dobdevloc.exe

Filesize
3.1MB

MD5
1f5e91a65829245c6df16def3a290d84

SHA1
c6260d544baf7b619750a8d9a7df03d2804e9bba

SHA256
a3ff81b4f3ea941477d2021483b4c9e15a1dc32d16630e97b19dc8358093f114

SHA512
6811173916354401f5bff24bb2ab41be774c49a622017056e00be1ba5a122f898095f1d61cee21c50089000411950104e46c5901f154461b121e3263b7c2bba6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe

Filesize
3.1MB

MD5
fff1f668ce83dda87ec0823bd9eb725e

SHA1
2e40f0b51af09b8084d9087df27131613fcab4ca

SHA256
76ee34ebd0cc57334480674cabf59f6b5cf76c1c9df3674e62b46091da8042e4

SHA512
863502eab943793412986100abfbf1beb2e822dd738df28806ab63972cfdbcb4a55ed04f988cda54688c6fe346ad9eabc68574caf97509feb00e3036e2688990

Download Submit