1e0e9f657f713f3acf625049e4684068fb80ea694db54b99340cf90ec6e71b68

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
Size

3.2MB
MD5

0d4828f4d62abfbfc484bd50cd793450
SHA1

64ca2dd6358ff0891d5cd4f08f3e00355019e85e
SHA256

1e0e9f657f713f3acf625049e4684068fb80ea694db54b99340cf90ec6e71b68
SHA512

6de9e3ef047e79db26710158324e6af32a25eabe7631f123159c96ad4dde6e918ce965fc5625ddcbb7da12a99d30101b44d0c9723bdc6d18ea38ecc6aa48ec83
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBzB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp8bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe

Executes dropped EXE 2 IoCs

pid	Process
4512	locxopti.exe
4212	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7Y\\devoptisys.exe"	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIX\\dobxec.exe"	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1300	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
1300	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
1300	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
1300	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe
4512	locxopti.exe
4512	locxopti.exe
4212	devoptisys.exe
4212	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4512	1300	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	94
PID 1300 wrote to memory of 4512	1300	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	94
PID 1300 wrote to memory of 4512	1300	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	94
PID 1300 wrote to memory of 4212	1300	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	96
PID 1300 wrote to memory of 4212	1300	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	96
PID 1300 wrote to memory of 4212	1300	0d4828f4d62abfbfc484bd50cd793450_NEAS.exe	96

C:\Users\Admin\AppData\Local\Temp\0d4828f4d62abfbfc484bd50cd793450_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\0d4828f4d62abfbfc484bd50cd793450_NEAS.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4512
- C:\Intelproc7Y\devoptisys.exe
  C:\Intelproc7Y\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc7Y\devoptisys.exe

Filesize
3.2MB

MD5
070336f43257b168773adc10875e1a65

SHA1
56023e8b34b67cbfa8c3cfaf8d9e41f5001e1360

SHA256
85748c351f03c71034c0a5f22f284d3380d5b26c39f04336b60b35570f4b2149

SHA512
60f4a85396fd612dbb094903e9cc5f25f211b96aa89831edf7d2e86daf503c60c08dc38b979e0746409ba2c61d7fff2d42dbf0938cf61294fd120e03e5b00ad8

Download Submit
C:\LabZIX\dobxec.exe

Filesize
311KB

MD5
c8ef5f0e1ad240af26f0b2dd47fda4e4

SHA1
9ec223caae25f09620e8efda61780c680bef4589

SHA256
a98040ca5df536e7e2767df77775eb2d6a743484d31e2e2a17a5a030dca4d75b

SHA512
8dbcba60c629d0ee172a15be9a2ef927c6908b2b5de7684acfce75d9dbbd1b087df781f62193b70239ac7dd14c48af61e10eca2d039e73f77be655378f754b3e

Download Submit
C:\LabZIX\dobxec.exe

Filesize
32KB

MD5
b49076433c0bf84919c9872909ac9b4c

SHA1
62ccebdcdf26aab3095a02caf388459acba54554

SHA256
047965653df12ad8344f021b1f08bcf8f2c1d61ab509d61b8d166ad7b0aabb99

SHA512
13bf6e46756787aacb11302c4300040db7eb4fcb38e7f33accfd48dab2ec6ed3056a5caf7212b585485fd71396d534800f9bef245d814f3af4489df0ab3f07e7

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
c082de9d6d84aa576a0d743e9a7db407

SHA1
c28632f4db9bf06b45f8a8bae4b8741c00ba4b7e

SHA256
559964282f48af4a2b4d083828fdc7b5732ffa8f2ae4061060030cc36695a691

SHA512
b8feb6635abe0cb49f0b43aefb20e26b3d0f3e1be87066cf2b8dce91f54c141538101b6ec81a45fe4bb22c30f3d2bf340b1f9e2b0e4b4d029621005cf4868aff

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
c3dbe4dcc5d6add54dc7cd4817fea2f7

SHA1
c5dfa41669361c203ef8f2e0d045944db42a5d55

SHA256
272427ff6ba508b697e738a1ca277515ffe91b432d19f344887cda9ea133cefc

SHA512
12dd6885d7514e6fc9c6e4f853227bd739cc2b59f7e9d6a16208eaf825ae364e08d4a0b691201a7c42e260533b4a5e4b72a018e741094ec08ccbee4b955ff2b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.2MB

MD5
9e033fcdb841e6751a462596e9e2f4a4

SHA1
2798fa1a8ba6a2d6002b22e1a38ed91de3096ad3

SHA256
a9efcc6221585b88ed0009998ddf0ea94807e4ead22ddcddcb208b68d0502943

SHA512
e83093b5bd215fa8e69046115cf85edb6abc4ef37eb1be312cc3eb29f35172a930d03960b84a11baf59b8d869ae19da2ea376c0d9dd3a647ed360775b4006b27

Download Submit