2a4e28ca900e4b66897c5937e22a1469284b3b70e20ffd78e60529a95d38011e

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7545cc010861ff8ad337c22050d3a620_NEAS.exe
Size

3.0MB
MD5

7545cc010861ff8ad337c22050d3a620
SHA1

d96b8806d218fcf99a8252e5050c19f83374d9e9
SHA256

2a4e28ca900e4b66897c5937e22a1469284b3b70e20ffd78e60529a95d38011e
SHA512

4428de7dc6e9c4c9ad9c7c83a011c12cca3827fa44f200292aa1cf7c316224f11884ba8945318f924691875672f5b5c6bdfba8222fbab5533ae8fa6b2402c31b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBFB/bSqz8b6LNX:sxX7QnxrloE5dpUpCbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	7545cc010861ff8ad337c22050d3a620_NEAS.exe

Executes dropped EXE 2 IoCs

pid	Process
4688	ecdevbod.exe
4024	abodsys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvA9\\abodsys.exe"	7545cc010861ff8ad337c22050d3a620_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid5D\\bodxloc.exe"	7545cc010861ff8ad337c22050d3a620_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1268	7545cc010861ff8ad337c22050d3a620_NEAS.exe
1268	7545cc010861ff8ad337c22050d3a620_NEAS.exe
1268	7545cc010861ff8ad337c22050d3a620_NEAS.exe
1268	7545cc010861ff8ad337c22050d3a620_NEAS.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe
4688	ecdevbod.exe
4688	ecdevbod.exe
4024	abodsys.exe
4024	abodsys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 4688	1268	7545cc010861ff8ad337c22050d3a620_NEAS.exe	89
PID 1268 wrote to memory of 4688	1268	7545cc010861ff8ad337c22050d3a620_NEAS.exe	89
PID 1268 wrote to memory of 4688	1268	7545cc010861ff8ad337c22050d3a620_NEAS.exe	89
PID 1268 wrote to memory of 4024	1268	7545cc010861ff8ad337c22050d3a620_NEAS.exe	90
PID 1268 wrote to memory of 4024	1268	7545cc010861ff8ad337c22050d3a620_NEAS.exe	90
PID 1268 wrote to memory of 4024	1268	7545cc010861ff8ad337c22050d3a620_NEAS.exe	90

C:\Users\Admin\AppData\Local\Temp\7545cc010861ff8ad337c22050d3a620_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\7545cc010861ff8ad337c22050d3a620_NEAS.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\SysDrvA9\abodsys.exe
  C:\SysDrvA9\abodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvA9\abodsys.exe

Filesize
2.4MB

MD5
bbf3789eaf5fb68082b28dc243247f17

SHA1
7915ca2ebddb0a801f756bc42a2261fdc56c7024

SHA256
e1c9f89491747540a02b6c0d565c507c18961045085a9054a8cb426f6c33de0c

SHA512
66db3afbb79fbbfebc702f30d8d31d21871323f7064284255154f30ad1584c891c85b6f34948ee4c02a286e4491e72241bb7fb843b1cef10c3bc2dfbf24ab9e8

Download Submit
C:\SysDrvA9\abodsys.exe

Filesize
3.0MB

MD5
6426a5b0ed98ec5a668ffa26859b2d6f

SHA1
f9c07469661f8ec502b7962bc9d2f91d960a963f

SHA256
99218e2c479a7d3e6e7c4e0ea4f29a15e501e07c12c1738b8a35b55bc8db2113

SHA512
be60c7213efd5cf0ab2a069778ce1bbbd5173d9c7fc56797b846f5806f43ba7e2d361c2e82d62e0f5c8216dbe3e345a01b61b66827edf147a38fcc6e186ea5ec

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
3519da917a748350357cad2c0eb6deb5

SHA1
cf60219cc324cfb25c6ba21e83ca63c78d6a000a

SHA256
9d0f984467e28e6de0bfe4f8b9a46ca6ef5531d2bd57880dc060276c6f604880

SHA512
d375722b501f4a7ae590f759a583962612c13df19d6c4ed6447d1e80d18adfa187b75576330becbfb1eaaf13c17af23f903c71b0e0927a3ffe51b91949554654

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
169B

MD5
083ebaf722cc15127ba98032e1a03bf5

SHA1
252cdd34d6b2dc8a32cb8bddd32984764dfe599e

SHA256
cb113a44ed84a1b00d9d663fdc4437d0010345fbd3295640ea20aee386baa434

SHA512
ecfeb7d8cb48c291c52105ff6f007bf1b376ce9372219fbabe701003d44a8d6dd515fdbc0175d05b00d05bb7dc8ee1486103be36147cff30204592ee6ec262d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
3.0MB

MD5
f89c4c9af5964314016d0314dbf49df3

SHA1
9c2000943c30b27c192a661931a988e23009faad

SHA256
f63fb37952a9ac07d1c36992b96755e46b60133de27674c7856a94dbfae307fa

SHA512
de0c6168e7be654d22e73794bb4cef1d5d0eaad3c649a4e7568eab8c37d6a7aae0537f6b55617769fc35abf456c8deb64010c03afc21af67f570649187446050

Download Submit
C:\Vid5D\bodxloc.exe

Filesize
3.0MB

MD5
a4b34d0448fb2f6471054a3a52000158

SHA1
27016625c7ae1cc066de741a2ee5d767e26fdd5d

SHA256
67ebb928e126ae4bfb200f4235c506244972bc3bd90003d0dbd0d50ba2f0d8e9

SHA512
426dc6e4786f3032d8941fd26e455fda77356e0dfa687f640d1ddd617ed8cc3ef0c9337de3fc77e40103f8392d016c79112b5fb30e7a70e302f91b5d68277174

Download Submit
C:\Vid5D\bodxloc.exe

Filesize
3.0MB

MD5
6ebf1c288c5d3a103d49f0e9176b3c1f

SHA1
9f2ab451bba5ea93923ca2e1a85904a759458d4e

SHA256
41595079a35f912274494362a23905acd988bddea3be5051767f91ff4707fc07

SHA512
c261206a257c3c50499ca039f9618725b85f0094dbace7f6632c91aef244d861d59a6bb0a8a83d8b28197c7d7db633afc24b21a92caa07e2739b8a7b040915d3

Download Submit