9b98873142862172c43bdd8a6828971c1b8732269c14b1cd10f02265baa73fe3

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 05:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

728603156bee195e5058a39f54bb2c50_NEAS.exe
Size

3.6MB
MD5

728603156bee195e5058a39f54bb2c50
SHA1

f2441403797c03f68a7ca6c2684d0f23ae23e06f
SHA256

9b98873142862172c43bdd8a6828971c1b8732269c14b1cd10f02265baa73fe3
SHA512

f35dd7106f8eae3a81de10a9acf4e60ee6aa04cda68f6e033ab899d2ef87ad1969b236f673d06d1bd6d915d5f3ef64bb78aa661a675d54c3b0016cc8a365f8d0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB0B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpfbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	728603156bee195e5058a39f54bb2c50_NEAS.exe

Executes dropped EXE 2 IoCs

pid	Process
744	sysabod.exe
2748	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvEK\\devbodloc.exe"	728603156bee195e5058a39f54bb2c50_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWP\\dobaloc.exe"	728603156bee195e5058a39f54bb2c50_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3264	728603156bee195e5058a39f54bb2c50_NEAS.exe
3264	728603156bee195e5058a39f54bb2c50_NEAS.exe
3264	728603156bee195e5058a39f54bb2c50_NEAS.exe
3264	728603156bee195e5058a39f54bb2c50_NEAS.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe
744	sysabod.exe
744	sysabod.exe
2748	devbodloc.exe
2748	devbodloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 744	3264	728603156bee195e5058a39f54bb2c50_NEAS.exe	90
PID 3264 wrote to memory of 744	3264	728603156bee195e5058a39f54bb2c50_NEAS.exe	90
PID 3264 wrote to memory of 744	3264	728603156bee195e5058a39f54bb2c50_NEAS.exe	90
PID 3264 wrote to memory of 2748	3264	728603156bee195e5058a39f54bb2c50_NEAS.exe	93
PID 3264 wrote to memory of 2748	3264	728603156bee195e5058a39f54bb2c50_NEAS.exe	93
PID 3264 wrote to memory of 2748	3264	728603156bee195e5058a39f54bb2c50_NEAS.exe	93

C:\Users\Admin\AppData\Local\Temp\728603156bee195e5058a39f54bb2c50_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\728603156bee195e5058a39f54bb2c50_NEAS.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:744
- C:\SysDrvEK\devbodloc.exe
  C:\SysDrvEK\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintWP\dobaloc.exe

Filesize
3.6MB

MD5
229a519142a82c2e7eed509e75911ad4

SHA1
10b62395acbbaaf551af18ccb699fa8ebf897a47

SHA256
b5d939f1274d5adf7c43a728c53f4ef3d520fe23f01882b7bc4a7ed53720d571

SHA512
99aec381d32c2f220346743eea3180626325f2f548ee8ce045f6b682e126c2ee0c20de11177e3229a18c151d2f5d6ab5c9b25edc8347b2d2663e2e9ae25877aa

Download Submit
C:\MintWP\dobaloc.exe

Filesize
39KB

MD5
bfa69df60797504c4fde5943de2ba3a5

SHA1
8c2083d9d91f77028cb42edbd747326b723a67a3

SHA256
d30f49839ff32dec0bf13a5f3b6297d4ecd268eecac3e0be65f32aaf00b7cee3

SHA512
1aaf43db1983c169b384e6e955bd884c7cd68905faad4d54358ba8bcb44e57385b6f46280d58ad72a90435c65545d7402e280ce676532dcee0fd7c3628b24d62

Download Submit
C:\SysDrvEK\devbodloc.exe

Filesize
3.6MB

MD5
c65977ef5395e3e521251321021d213d

SHA1
917bacdb00d109afe6370d14bcb926faf2f2a965

SHA256
4942c8e7965637165e378cd5933acba2d17522ccdfce77dcb1f0d3e6a2d3b961

SHA512
7582d7b16006159c3362d4393864b24b5d172b402d12c8ceba4b28397592d8510d9f4f13caffcbb22ec8de0f07a9adf84026fa6cd8dc9a9a8e46f3ac2e5a70cd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
e38c16a387afa01ce881d86aee63cde3

SHA1
a9ee5d1aa66bb2ce117bb016c69169f894fea9f7

SHA256
271f55445e741e83a5318654c53bdc4ec33b54eab36bd5fb60fd6b6263b694f9

SHA512
c0b70219689ccc117ce6c30e70527f7d4019e5b26c77a7226a69e21c11e208e993c27d133e5961539e7ffcca758949a19cdc435094e64f258517e9dfc95418e4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
171B

MD5
5c445e4c806a546d80160007850c3d32

SHA1
f831746aa196e0e2adbd1b8651471ea60c97d945

SHA256
7a137a093782aac66ee6294a3c7ffc09352b64b82c34674c9e2779bec3eb18fe

SHA512
51074dceff3be2fd6908951f947fc75a9d1814be5766357b9c55b45a1738fe36dad3ca9c2e6a6a56377639ad1cdc0e7ed7c14ce7fd38dec9212cab715e516c4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.6MB

MD5
e327fc8de82068bb67c026d6d8a4da83

SHA1
16831fc6e860354ae0d464632c1fe8438d56a767

SHA256
101873c5af58fc85722b82b73189d7ce2df009eebacbc2d71fa6ba6841b37847

SHA512
b99bc6d54438c3f8748ccd0d966d995f3ef2b58dc73f5807f6392e97a9b98351db6aedde0a100888e6b1c91f4affca1069fe774d7f20f6f61f4e5171283ff4bc

Download Submit