7f610f8216bc3125be38d39ae5696cc8ef5fc0ce10e4e15256000aba4180a3b4

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02b0553d71c40a60e184e969707f0a00_NEAS.exe
Size

3.6MB
MD5

02b0553d71c40a60e184e969707f0a00
SHA1

6d528aa5dc28352803b86fe4e03bff9015f1197f
SHA256

7f610f8216bc3125be38d39ae5696cc8ef5fc0ce10e4e15256000aba4180a3b4
SHA512

2d5940603b19cd1d3a6f17d658f3d4228c8a6addab3806a386817932c93dc51ff2e650d0120542c2de4e454868366ee6c0c1df20be1f323b157af1dd499109c9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8:sxX7QnxrloE5dpUpkbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe	02b0553d71c40a60e184e969707f0a00_NEAS.exe

Executes dropped EXE 2 IoCs

pid	Process
1512	locdevopti.exe
2944	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
360	02b0553d71c40a60e184e969707f0a00_NEAS.exe
360	02b0553d71c40a60e184e969707f0a00_NEAS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocNL\\aoptisys.exe"	02b0553d71c40a60e184e969707f0a00_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3F\\dobaec.exe"	02b0553d71c40a60e184e969707f0a00_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
360	02b0553d71c40a60e184e969707f0a00_NEAS.exe
360	02b0553d71c40a60e184e969707f0a00_NEAS.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe
1512	locdevopti.exe
2944	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 1512	360	02b0553d71c40a60e184e969707f0a00_NEAS.exe	28
PID 360 wrote to memory of 1512	360	02b0553d71c40a60e184e969707f0a00_NEAS.exe	28
PID 360 wrote to memory of 1512	360	02b0553d71c40a60e184e969707f0a00_NEAS.exe	28
PID 360 wrote to memory of 1512	360	02b0553d71c40a60e184e969707f0a00_NEAS.exe	28
PID 360 wrote to memory of 2944	360	02b0553d71c40a60e184e969707f0a00_NEAS.exe	29
PID 360 wrote to memory of 2944	360	02b0553d71c40a60e184e969707f0a00_NEAS.exe	29
PID 360 wrote to memory of 2944	360	02b0553d71c40a60e184e969707f0a00_NEAS.exe	29
PID 360 wrote to memory of 2944	360	02b0553d71c40a60e184e969707f0a00_NEAS.exe	29

C:\Users\Admin\AppData\Local\Temp\02b0553d71c40a60e184e969707f0a00_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\02b0553d71c40a60e184e969707f0a00_NEAS.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:360
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1512
- C:\IntelprocNL\aoptisys.exe
  C:\IntelprocNL\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocNL\aoptisys.exe

Filesize
3.6MB

MD5
f3a8a0920c5197b3caa2845ac75618cf

SHA1
095672772987b840a1e674df0c771c501a641094

SHA256
0aba5dc7190e8433f69f5c9015ff62e86cc719427e7c09687bb166526f6915c1

SHA512
1785aaaa87297b812c3a411b891f96086f104978d18f12fb655f510fce2c85634344e51ac5bc17f61cf490e390b25ddfa0b41717acd1563217bd8c82fc5c55f8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
174B

MD5
84668a88e8dbf89ab082ebbfc2b525c2

SHA1
7fb795fd939d72589bd66b547359eacb26c2fdb9

SHA256
10406df11f045a6abfbe2882458815b6dff4fc74d6b3c94f19e6850a57b14bc9

SHA512
c5c5c44faf182f3e2ee1aa081e147dfbbc6ac86fbc023ba8efb3cbbdc4abcd716272c276f418cc1ff5dfacc316c9471a87726cc521376307811bed563c304ef9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
c3328d3fbc688517a653d66a3875a5d3

SHA1
a9f7b506d391bb53fd826a675db988b5c692b227

SHA256
2c16199d4a712e3f3d1b9d09cb1a30bb14cd0e0073d87a8e847d6d2ac26c5faa

SHA512
66df7c38504e887a3bd31f442dbae592c8a974168a0d3ba0ce90feb0fc616c09dcbd6ab7487acbe9fa87e3115b90f11e3b3ea7a4c2c51ca7588f64001b48ca7d

Download Submit
C:\Vid3F\dobaec.exe

Filesize
3.6MB

MD5
d8c7dd12dce5df8358d2ca5caa15ea5c

SHA1
bcb7b46e0590ddf85aed12ac982388290542bfc6

SHA256
244b478eee355fdcc29d23a4d5dbe982a8d3d36e970a673dcfcd27f579c196d1

SHA512
dab9d2ae5a961d6834ca80c05c6dcda79558f4bd63f10d5b257c95a6e7c81cd9de5ad005b4dc9e84f29294dd3e3285b9ebb81dcf3e3178785512abf5f3dd3023

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

Filesize
3.6MB

MD5
0272a5217888d0ee9dfb524f9aa47b0c

SHA1
8dc02f4586e43f224d0e9c5c00d4b2274577986b

SHA256
880d2a8edf2be5a538c8c969fc9813c90a7aab782b9a140f50e1f687006cdfaa

SHA512
8d9ad40b3db7a3d9f8f69f4b9ec9437bd112db14ca495bc5a5b9cb3d37e02ddeb16720e4187e3d3629b06ce5ac640f463a7c6c87f99bdff39dd93939e9531c9c

Download Submit