02c0bd1a4d20f0ce63b7d3f57e50b6cb7fc031ca2a1ea00cfa152ff81f7ea3cc

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8236c5d3036be136a84a4403fe4c0900_NEAS.exe
Size

3.2MB
MD5

8236c5d3036be136a84a4403fe4c0900
SHA1

85383ec051b8a36816827197dd772cb32d8d3344
SHA256

02c0bd1a4d20f0ce63b7d3f57e50b6cb7fc031ca2a1ea00cfa152ff81f7ea3cc
SHA512

35e756a71bfe36f71f1c54e13fa6547dc72fb73b4345b6996a939717f5b92ac1c225d4e7bd09b92dd931fe834363d9a24e359d0b419c2ebead166b4b2d9eb381
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpobVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	8236c5d3036be136a84a4403fe4c0900_NEAS.exe

Executes dropped EXE 2 IoCs

pid	Process
1184	ecxdob.exe
4928	xbodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBU\\xbodsys.exe"	8236c5d3036be136a84a4403fe4c0900_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZL7\\dobdevec.exe"	8236c5d3036be136a84a4403fe4c0900_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	8236c5d3036be136a84a4403fe4c0900_NEAS.exe
2808	8236c5d3036be136a84a4403fe4c0900_NEAS.exe
2808	8236c5d3036be136a84a4403fe4c0900_NEAS.exe
2808	8236c5d3036be136a84a4403fe4c0900_NEAS.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe
1184	ecxdob.exe
1184	ecxdob.exe
4928	xbodsys.exe
4928	xbodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1184	2808	8236c5d3036be136a84a4403fe4c0900_NEAS.exe	89
PID 2808 wrote to memory of 1184	2808	8236c5d3036be136a84a4403fe4c0900_NEAS.exe	89
PID 2808 wrote to memory of 1184	2808	8236c5d3036be136a84a4403fe4c0900_NEAS.exe	89
PID 2808 wrote to memory of 4928	2808	8236c5d3036be136a84a4403fe4c0900_NEAS.exe	91
PID 2808 wrote to memory of 4928	2808	8236c5d3036be136a84a4403fe4c0900_NEAS.exe	91
PID 2808 wrote to memory of 4928	2808	8236c5d3036be136a84a4403fe4c0900_NEAS.exe	91

C:\Users\Admin\AppData\Local\Temp\8236c5d3036be136a84a4403fe4c0900_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\8236c5d3036be136a84a4403fe4c0900_NEAS.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\SysDrvBU\xbodsys.exe
  C:\SysDrvBU\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZL7\dobdevec.exe

Filesize
3.2MB

MD5
68dc8635f4c97d51ba1a22d67ab68115

SHA1
71618a388b6dd038af1a43fc3a5864579fa8cbdd

SHA256
bf5d7c0b9118a3734524ad64ee10aa8277f68c96142cf4bbce9c956fa58849c4

SHA512
391dfb6c0b57a4f834e22c2003b878547105436bdddbb655ebe8764d7b7f2418b32885f544bce74107fd67703a708deada1ee292887cd4443c9d1fb69d267717

Download Submit
C:\LabZL7\dobdevec.exe

Filesize
6KB

MD5
c8190a91500bb1d9caa61e3b11eaf128

SHA1
ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684

SHA256
6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e

SHA512
bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b

Download Submit
C:\SysDrvBU\xbodsys.exe

Filesize
3.2MB

MD5
4a9b3dd727121de3615b89c6d7f24af5

SHA1
a34cec8bd71f504e6b8951b2ca41381fa10c039d

SHA256
d706ebb18685175b0f5154fa77c8aacdc6e4fec7b0d3ab83f99742e1696a2cc9

SHA512
44e5ab01b63b714a9d278260082d68884ffd34c18a7d22052f9a6cab2a13e66479b8668094ecfaa71e7df9aa2509f996caef91942f8a8b8fea4afa0f619a1c4a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
ce74f1e5a22ea516df4089613662b67b

SHA1
7024a03246353610ef48f10fe0b0e7952d874dfd

SHA256
be4d5dc07824c8187b05fe0439a27e0025b2d605b7b7a0ba73aa4b1f47f5d3ea

SHA512
3e0e9edbaa8507aaf610b5b3c5b052ebbc560d9f78e97714c9e618567f7f62fa56c5a795c3c22e0083d2fce20a8dc842fc19cdc6051024bba2e8ecd4c1ef9533

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
f8f94075521cd80bcd51f9e46611ffe3

SHA1
af95178df36995b9869c99ceda32abe44ea2d457

SHA256
01c559c4d8fe414161578d72dae07c482464637e6bc651b786cf9a45e7fa17f4

SHA512
29782b35c5bda9b14e2ee81dd12536f4119a24f1f71f557591f1f3eba1388d6b8d9b45fafb2291c9352f2ad27325120df249e10fef643ed7751e58c57730d207

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.2MB

MD5
891f227c153c70e4cc96ebca423009cd

SHA1
52f4d1a39931bf10738e2e72bd0a19e3635d0fc1

SHA256
1b4ed2d964aa903b8baa81ca203acf874d966242453e67e94a9c153be2fbfe5f

SHA512
6d1614045004e11d99019b8966149ec5b229ae120e1f7c51dc04d8f1d7b1c7692a59077ab7b90172aa302352b8efdfc9c1c8a156b6dc3d3c75d046c42353f3ca

Download Submit