606d3057346457a803c665ab8d0efe7990754bf8989b10e05855f623e1b62b81

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6139ab6b612fc332c911450420a9e4b0_NEAS.exe
Size

3.0MB
MD5

6139ab6b612fc332c911450420a9e4b0
SHA1

ae1e1c6ece9f0350955e1cdc2da45ade23cebda7
SHA256

606d3057346457a803c665ab8d0efe7990754bf8989b10e05855f623e1b62b81
SHA512

aeefe878e8dc03ea6541133a3ee2538e776c15fd4e590f55656f0763530797b1b29d088e9d6fd44fae391ccd930000ea72f7d504ca597df0bdc9650e8460ba9f
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNX:sxX7QnxrloE5dpUpvbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	6139ab6b612fc332c911450420a9e4b0_NEAS.exe

Executes dropped EXE 2 IoCs

pid	Process
4960	ecdevbod.exe
3764	abodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAE\\bodxsys.exe"	6139ab6b612fc332c911450420a9e4b0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotWS\\abodloc.exe"	6139ab6b612fc332c911450420a9e4b0_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	6139ab6b612fc332c911450420a9e4b0_NEAS.exe
1988	6139ab6b612fc332c911450420a9e4b0_NEAS.exe
1988	6139ab6b612fc332c911450420a9e4b0_NEAS.exe
1988	6139ab6b612fc332c911450420a9e4b0_NEAS.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe
4960	ecdevbod.exe
4960	ecdevbod.exe
3764	abodloc.exe
3764	abodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4960	1988	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	89
PID 1988 wrote to memory of 4960	1988	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	89
PID 1988 wrote to memory of 4960	1988	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	89
PID 1988 wrote to memory of 3764	1988	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	92
PID 1988 wrote to memory of 3764	1988	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	92
PID 1988 wrote to memory of 3764	1988	6139ab6b612fc332c911450420a9e4b0_NEAS.exe	92

C:\Users\Admin\AppData\Local\Temp\6139ab6b612fc332c911450420a9e4b0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\6139ab6b612fc332c911450420a9e4b0_NEAS.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4960
- C:\UserDotWS\abodloc.exe
  C:\UserDotWS\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxAE\bodxsys.exe

Filesize
3.0MB

MD5
f72548619d372968353b281a5e68ac54

SHA1
8b42741ff8b089fbd89b795834cd53e51640f06b

SHA256
cb113554e11d17e67e036b141a680643f74919bc0fe5c6c0d72111ba6c0f0a03

SHA512
14fa21f77aba79ae1a17aca36168a16d924fff76f20b4725a8e6251dbc8a97bcf2f9c0b8516db6e7a5e18f381e1ad16c5b2e44a9874942797c77ac842ddf030e

Download Submit
C:\GalaxAE\bodxsys.exe

Filesize
3.0MB

MD5
044cd640a6c0f9cb87fa79f33b66b323

SHA1
1c3f47e893b47d13a984e57ddbc2f9b1782c8e65

SHA256
491277769cd1d3c7d24586856b0ee11e12ec4333d58c15e0403d3c004996b93b

SHA512
a43a3a810bf51fdccc599c30f1936eacfdbb6d32662e7ce9330a2e148b1cf624b5cafabed6ae82cbe72ad6afbebc60c5f9b7ed5a4d776cba2dc1b590517d16c4

Download Submit
C:\UserDotWS\abodloc.exe

Filesize
2.0MB

MD5
c0588597d487d53fdbc313d7cc652f95

SHA1
603174c116145fdcfe1b76fb828c7236d5e0f961

SHA256
8eeff05a5c6ae08c067880f363b2b32183c29d9719f61c2098687fbbcdda47b4

SHA512
759c44aabda99c7dc1ea2d9ec08bf07dd9c6c1946c492231f5d9f45d5060c5bed593a814fd6988046f07693c7e235458e22a8bb9941f63fcefc77a1305a90d4f

Download Submit
C:\UserDotWS\abodloc.exe

Filesize
3.0MB

MD5
89b64bf98dcbbc9ba110311dfa5afa54

SHA1
70e34a90fbc11470a9ddea8ced158f4a7f2bb904

SHA256
7546fc824e8db60393cc9c6c2b7b6e2e15ed1496302673d2ee3af53290803c1f

SHA512
713806c4f6331898d6774831c8c4f02869cff8c9d0d3b759bcf04f25d027d291458caf5ac9130d2b8ef3c1015b96e75590c61f71ed7f4e848330c0c8533080b5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
df306219ad067a9b9923d52fb511f2eb

SHA1
1f0a6f6e2748d34d6bb4abe176e0a58bf615180a

SHA256
894162b39725b9dfc426026f84e8192dd115ba471fd62680387df46f672b6d70

SHA512
eb8f9077b770b2aad98ec0dbe661002355e9e79f37543f734b862d10c93cf26dca255a6f59e3483c45edee4303375cd6fcdfefb1e3826a061961116a1bbdb47d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
e04dea62123b4d1a55b1a48def0a0573

SHA1
6dab19f93d98b094f99b28ba88c172df615878d7

SHA256
916c434ce745c98b05c9240b842eee90aeff668df37188cfe253df96e2972402

SHA512
07f0a21d413afad56febc96baf9c54959f4274bb5fddce448f97cdefe36190da72a9feadd07c718e23e0d8da7104e41b301f4bb65bdbb3804e33005cfc56e8a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.0MB

MD5
e37e0bc27cd3ed1563255912f56256c4

SHA1
106453cb73d30d544968b2eb63e30250fe0e613e

SHA256
80601048c919e56629d56f36fcee5280af41bebe4930a37edc76136ac9874f43

SHA512
505cbfc575c7ebf8255eecc70df021beadbc6b729d763db6965cec1cdc1e1e8f85a655fa0e33b2f7e36d42a57e1aca308d4ea7f21e3a40d22a47147d2b125e1d

Download Submit