606d3057346457a803c665ab8d0efe7990754bf8989b10e05855f623e1b62b81

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6139ab6b612fc332c911450420a9e4b0_NEAS.exe
Size

3.0MB
MD5

6139ab6b612fc332c911450420a9e4b0
SHA1

ae1e1c6ece9f0350955e1cdc2da45ade23cebda7
SHA256

606d3057346457a803c665ab8d0efe7990754bf8989b10e05855f623e1b62b81
SHA512

aeefe878e8dc03ea6541133a3ee2538e776c15fd4e590f55656f0763530797b1b29d088e9d6fd44fae391ccd930000ea72f7d504ca597df0bdc9650e8460ba9f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNX:sxX7QnxrloE5dpUpvbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	6139ab6b612fc332c911450420a9e4b0_NEAS.exe

Executes dropped EXE 2 IoCs

pid	Process
2956	ecxdob.exe
2880	devbodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2940	6139ab6b612fc332c911450420a9e4b0_NEAS.exe
2940	6139ab6b612fc332c911450420a9e4b0_NEAS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAW\\devbodloc.exe"	6139ab6b612fc332c911450420a9e4b0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQR\\bodaec.exe"	6139ab6b612fc332c911450420a9e4b0_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	6139ab6b612fc332c911450420a9e4b0_NEAS.exe
2940	6139ab6b612fc332c911450420a9e4b0_NEAS.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe
2956	ecxdob.exe
2880	devbodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2956	2940	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	28
PID 2940 wrote to memory of 2956	2940	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	28
PID 2940 wrote to memory of 2956	2940	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	28
PID 2940 wrote to memory of 2956	2940	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	28
PID 2940 wrote to memory of 2880	2940	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	29
PID 2940 wrote to memory of 2880	2940	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	29
PID 2940 wrote to memory of 2880	2940	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	29
PID 2940 wrote to memory of 2880	2940	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	29

C:\Users\Admin\AppData\Local\Temp\6139ab6b612fc332c911450420a9e4b0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\6139ab6b612fc332c911450420a9e4b0_NEAS.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2956
- C:\AdobeAW\devbodloc.exe
  C:\AdobeAW\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeAW\devbodloc.exe

Filesize
3.0MB

MD5
1d1c0b2c5565e573e8c53a0f20a31ab0

SHA1
9ce4655a1ddb8e2e756202d6834a97af79c0402c

SHA256
b3d2556c1d7c40907ade29d5939d297686efd9667d6f249bb7aed0c717f20958

SHA512
3ca6701a69ccf59629c7a53c9141c73a4d69614aeb1bde9b49d00b108e3aff5ecbcf4e78c55a58483937e3237f4f4d78d4c4dda9ec123e68af17385d13875315

Download Submit
C:\LabZQR\bodaec.exe

Filesize
3.0MB

MD5
de2068cedb5d8be7e896c54c3d77c838

SHA1
18da016d3366a64d599a8f539297e8c9079d9c66

SHA256
0b160ff57789413fdb89bab7dbfedc16f9f32869be8c579be9dc051fb05126d6

SHA512
0f54adcaa114e5f4384edb6027bfc606ee2fe1556311623a7f52e08c4110bdb0fc432a37b02546d2d2113cd60b94f03a0ab5d6830605afe08946d519084ed017

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
4d0cb26a66fb4328a90157cbbf50a9c4

SHA1
929c86a795109805ee50d2ed3bed49da44dd4e68

SHA256
c430ca05a3157f87fb82b36f16219046e5fc4f98c86597ed1a005f3b5cc42719

SHA512
ff9bf4f9851e22535a6088a5bba68010b76038b87fc5b4f3a425b45f47a0eef82f02426eff8ffb7c71da8f71cc87c814e2b8545fd5d2bf7a295d3e1c91dae85a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
8e7d756383efe5dede9bc5f14e8775aa

SHA1
b74beaf57f1cb2aac9b2573a4d642568742e1403

SHA256
f2187c89b57d071d60c3a06d06522c315fbbbe4cb7f0d797de877af7659566d7

SHA512
9b52490fc37473bca079ff9011da97d700e4304bb5bae1b97a65a5fe136d802e8e61e0de1ea506d00ef93e3d2fa2ce9e3916ae530e4b8a3a78669ac9f4affcc4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.0MB

MD5
98a8a6922c9b93c21c0c29a92a573e5b

SHA1
6d7579ba562adb9b45906fdf9bb890a71890ddb8

SHA256
3197254e7a6d9e1142c7b9371f0bf072f152a8e1f4965b7def8e94d1846eef17

SHA512
c48a8f46f897d00d9fdcded1167f8628633b01ef3d21a2d25535d76d74bcf25217b154ef458e059f871aaab5d25843147064b14b3c1afae4c09c7693da852b09

Download Submit