e6a9e265fcf756c6cd0d50899d1ade8feea40933ee0f8c1f48625ff71b11da46

Analysis

max time kernel
150s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
Size

3.1MB
MD5

4bf9b3895f53d39ef73c56a9d31e5220
SHA1

3ae614c93f23e2fb305d00c060faa193c99d6d67
SHA256

e6a9e265fcf756c6cd0d50899d1ade8feea40933ee0f8c1f48625ff71b11da46
SHA512

3f6360088ec782760437dead352b4bb044475a5902557617ddc1f6d2c5dd099dc6acecf311a55acbdfdab0c35a7baddf301d3be9e3cb017218f69f9e6d9f524e
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBRB/bSqz8b6LNXJqI:sxX7QnxrloE5dpUpSbVz8eLFc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe

Executes dropped EXE 2 IoCs

pid	Process
4360	locdevbod.exe
3132	adobec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotU3\\adobec.exe"	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB46\\bodaloc.exe"	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3680	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
3680	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
3680	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
3680	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe
4360	locdevbod.exe
4360	locdevbod.exe
3132	adobec.exe
3132	adobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 4360	3680	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	90
PID 3680 wrote to memory of 4360	3680	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	90
PID 3680 wrote to memory of 4360	3680	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	90
PID 3680 wrote to memory of 3132	3680	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	92
PID 3680 wrote to memory of 3132	3680	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	92
PID 3680 wrote to memory of 3132	3680	4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe	92

C:\Users\Admin\AppData\Local\Temp\4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\4bf9b3895f53d39ef73c56a9d31e5220_NEAS.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- C:\UserDotU3\adobec.exe
  C:\UserDotU3\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB46\bodaloc.exe

Filesize
3.1MB

MD5
e0ea4d00445e43baeb68d9a3c4c5ac31

SHA1
04566f9453034883fdfc35ffac4fdd57219d07e9

SHA256
fdeb01ad208cedd7d87ce916254f277e354ee710e3b32045b04e1dec4eec3421

SHA512
46c90bb6f722aa02223a7ae2b446cd032e5744bb3863e33e7b3c447e942155e4371935da609d01dd7b01a62e2975304a874f7625e719b8d61dce70f13457194d

Download Submit
C:\KaVB46\bodaloc.exe

Filesize
3.1MB

MD5
6b9f46160160e0d1775e8f6ed41fb47c

SHA1
962245de08cdc5f07c56e4ac2a061683ace277dd

SHA256
b7ba090f0ed875c69fbca3fd82857df5f531381a5d13fabb270f55828bdd60c6

SHA512
4d55ee9601e9ad3705a919d50ba13cad224cdcad32c655a9a02abdd4e96604f08d567bf80a483db585772267db45af18a685f100876a2322b8da752d136da529

Download Submit
C:\UserDotU3\adobec.exe

Filesize
3.1MB

MD5
cf7f6b8b1d4fac42a5e225f33db9b4e4

SHA1
8a4dd88442a92ab73dc10dd29702efed86930426

SHA256
5b62abd74d3728e6612ad8907b70ab2a980b551772c274ce0b851f22f22dde71

SHA512
ee4a76a581eebaa741db6570a486d5a885564b399deca12c1bf520fa952626975ddda4325cedf3f0972e6bff627df4cde591258bb4bd93b6f7c9bcd6eb3358b4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
a43cd991a393fea6a17f06310eeaf3e8

SHA1
27484973c19e0d722bf3a9b1722ca2c225b8e279

SHA256
b46e726cc1d9e5383838c1bd27b0f78635332e89b02d22a187275729081974f0

SHA512
7552f5502efe7adc0fadd933923bf760474efe9f017725d86d3b654d2643bfb89b247b695e3d778c92b234fc4dd0bddd86084d671ea5618ee6e079656c0f6fa9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
70ba3bbd8b4ee17e5f012b636ec2786d

SHA1
b76ea46c4db13620a96dac6712211010cc2fb557

SHA256
77363f15388c3e5a31da5e4bfddbc8a58f3b65d3d27c3ebefb8a323132b673d9

SHA512
a3897824893673bb722512c605dfa434da2ff9978245eeec8c5a7cba6b009ee3fdecda813e7e067b864501a97a81a7165107b8a26377af2cf7318d38fe3dd0c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe

Filesize
3.1MB

MD5
5c359af958f0d8b928c1aab773a8ee5f

SHA1
578dfaf0ede437a24674f354913b1bc66f26447d

SHA256
f705378d76969e8c9c95bcb2d1ea56c3593056eae85909429cb15717bf9597ce

SHA512
23deb85cff242c3b556a3b272eba2fa22531669b40ff578a97d7dbd856ab84ae74c5fc8cc9e747eca9dbb9c0098e17f26bb233bbd3ca1615bbc67f7ac03f147b

Download Submit