1e0e9f657f713f3acf625049e4684068fb80ea694db54b99340cf90ec6e71b68

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 19:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
Size

3.2MB
MD5

0d4828f4d62abfbfc484bd50cd793450
SHA1

64ca2dd6358ff0891d5cd4f08f3e00355019e85e
SHA256

1e0e9f657f713f3acf625049e4684068fb80ea694db54b99340cf90ec6e71b68
SHA512

6de9e3ef047e79db26710158324e6af32a25eabe7631f123159c96ad4dde6e918ce965fc5625ddcbb7da12a99d30101b44d0c9723bdc6d18ea38ecc6aa48ec83
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp8bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe

Executes dropped EXE 2 IoCs

pid	Process
2968	ecdevopti.exe
2576	xbodec.exe

Loads dropped DLL 2 IoCs

pid	Process
1636	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
1636	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCG\\xbodec.exe"	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBKF\\optixec.exe"	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
1636	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe
2968	ecdevopti.exe
2576	xbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2968	1636	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	28
PID 1636 wrote to memory of 2968	1636	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	28
PID 1636 wrote to memory of 2968	1636	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	28
PID 1636 wrote to memory of 2968	1636	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	28
PID 1636 wrote to memory of 2576	1636	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	29
PID 1636 wrote to memory of 2576	1636	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	29
PID 1636 wrote to memory of 2576	1636	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	29
PID 1636 wrote to memory of 2576	1636	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	29

C:\Users\Admin\AppData\Local\Temp\0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\0d4828f4d62abfbfc484bd50cd793450_NEAS.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2968
- C:\UserDotCG\xbodec.exe
  C:\UserDotCG\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBKF\optixec.exe

Filesize
3.2MB

MD5
b29863d39075e053048ac799b8d2a5f8

SHA1
016fd475d53c65458aeecfedc641794584a49ed5

SHA256
d1eef1374057f6aa0a02611358b0bc414f184ee7ac1e983d713f15bbe1c58050

SHA512
4d99215973dabb72cef9ae79749aa3b1d0846fddc36ceefb61350e1e3e14d3bb7a78c263117161563483b3768ce169e42e012af1280cd69e6dd82a7557d92657

Download Submit
C:\UserDotCG\xbodec.exe

Filesize
3.2MB

MD5
06b73944ed52bf8f301fad259e9e4ce1

SHA1
6ab54d60b9a7c38b0486df841e412882ee0cb6d2

SHA256
6c04c6edb326dc3978c3302ad3179532b5f77661a68e5b15e31fc5c16c4fdc96

SHA512
54c77402cbf5154e20d6ccd74c4ff9a3088d80c7dade18eacd2df5e64754d7636135118993a6c282c8c4d14efc052c04226ffa793eaacdd99aacce3f52a07107

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
8f08c6096469974b21afe15cddb6d793

SHA1
62f177d878eef50b21870db626aadf8c55f5da70

SHA256
efd0718aecfcb1f279f13c775226abf4df9ea963e1a2f4f978d4e3bb8b6af11a

SHA512
efdffdad9f42d4a2d761ca1a81713275760ffde76cb64c93c1a35c6830a1fa609c70f9ec7b920951f6c911f42abf59fdf7572b3b482c9d9a528b04368b6dda11

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
02eca9c19b712cb217858745bea9a4ba

SHA1
4c191464e9ff4afc151580276d963dafced14464

SHA256
5a83c49d902fe3b48ebd71570bff388a04f0b7fd0e899db9286bd02fc0f70cb0

SHA512
748ee91524726e38e230e85b9f7b029f2b067cb9e3cad16d04e1cb0896af60150bbdaa5987f090104bed014da5a7e460df26bc8e231db6cd3460c19c33bfef64

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
3.2MB

MD5
e87e4c0c16abcaeaa6b91109e9b8b1f4

SHA1
0d9f0687510a05d36542a013508fda89cb54f15b

SHA256
50b402c0c73fd66b374d44862a47b47d516ef7850d7fbb71326ae8d23570344b

SHA512
cbe0f574fd7ff8b6d3664d6944647cbf05f1ac03141c428f3bec8299fb269827ead89f3bec4d1df865f65d4c9bc592bc8dc207dd36acf70e21d049bdb61780c2

Download Submit