7f610f8216bc3125be38d39ae5696cc8ef5fc0ce10e4e15256000aba4180a3b4

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02b0553d71c40a60e184e969707f0a00_NEAS.exe
Size

3.6MB
MD5

02b0553d71c40a60e184e969707f0a00
SHA1

6d528aa5dc28352803b86fe4e03bff9015f1197f
SHA256

7f610f8216bc3125be38d39ae5696cc8ef5fc0ce10e4e15256000aba4180a3b4
SHA512

2d5940603b19cd1d3a6f17d658f3d4228c8a6addab3806a386817932c93dc51ff2e650d0120542c2de4e454868366ee6c0c1df20be1f323b157af1dd499109c9
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8:sxX7QnxrloE5dpUpkbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe	02b0553d71c40a60e184e969707f0a00_NEAS.exe

Executes dropped EXE 2 IoCs

pid	Process
3356	ecdevbod.exe
392	devoptisys.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocGF\\devoptisys.exe"	02b0553d71c40a60e184e969707f0a00_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBE1\\dobasys.exe"	02b0553d71c40a60e184e969707f0a00_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	02b0553d71c40a60e184e969707f0a00_NEAS.exe
2356	02b0553d71c40a60e184e969707f0a00_NEAS.exe
2356	02b0553d71c40a60e184e969707f0a00_NEAS.exe
2356	02b0553d71c40a60e184e969707f0a00_NEAS.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe
3356	ecdevbod.exe
3356	ecdevbod.exe
392	devoptisys.exe
392	devoptisys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3356	2356	02b0553d71c40a60e184e969707f0a00_NEAS.exe	90
PID 2356 wrote to memory of 3356	2356	02b0553d71c40a60e184e969707f0a00_NEAS.exe	90
PID 2356 wrote to memory of 3356	2356	02b0553d71c40a60e184e969707f0a00_NEAS.exe	90
PID 2356 wrote to memory of 392	2356	02b0553d71c40a60e184e969707f0a00_NEAS.exe	91
PID 2356 wrote to memory of 392	2356	02b0553d71c40a60e184e969707f0a00_NEAS.exe	91
PID 2356 wrote to memory of 392	2356	02b0553d71c40a60e184e969707f0a00_NEAS.exe	91

C:\Users\Admin\AppData\Local\Temp\02b0553d71c40a60e184e969707f0a00_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\02b0553d71c40a60e184e969707f0a00_NEAS.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3356
- C:\IntelprocGF\devoptisys.exe
  C:\IntelprocGF\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocGF\devoptisys.exe

Filesize
2.2MB

MD5
be65daf6a4fd4fe845f68fcf8ace245c

SHA1
3751fd1d33c312453caa4915da77903017b55573

SHA256
a780475bbe63da802ec93ec51197af5d0e8798dd7243102b46091b13c43ef4c9

SHA512
d37d9f0e728494f12f2616a47bfb53d55de8ea26e63b71cde9284132f1dcf3187f562137365dfd61e20b848372aa21fd65ecc88f2a9909984f6f87a34944c093

Download Submit
C:\IntelprocGF\devoptisys.exe

Filesize
3.6MB

MD5
511b247ed176ab12add3cb52da2f76e0

SHA1
6c23f21a5e56fdfd490daf6760ce9bae7a54727b

SHA256
a2ad1edc8eadbebf80f5f9187ec0954ff53aa339a50d6bddff34c7815681ec38

SHA512
fd0a10040d7f47132e9186e449dca0d4f8444591da6bab9b91b902d747709fc2f7caf24fbb4ee76bfcef0bffdbe6742fd0aea57fee4580ffa3ae7fc98eef9062

Download Submit
C:\IntelprocGF\devoptisys.exe

Filesize
2.1MB

MD5
edfd7eb881b0dbc964961f820407a738

SHA1
e3fc21e2ea22287854a039784f6222e1979b1124

SHA256
591a4f78e97ec2b505d476f93a7f97ccf9d3e22f94dba3b26bcaa0b485907c61

SHA512
8e0e0d04543d431710d054c80c1b30db5fa35ee6f5011c6b48b645a0321dc92cb5109ecca07452a7df3236875a6cf4632a617f4ff4ae3c36d72424e3f3bb5a5c

Download Submit
C:\KaVBE1\dobasys.exe

Filesize
2.8MB

MD5
73a69a22029250cb08594175d0b00fa2

SHA1
9edc49c91fb21e4a4e2fe6d619a846c6bf70dca4

SHA256
510754cef33d03d11d32ab9dfc2b953eea43d68eb0898163c9a1cb0ecddd3521

SHA512
44902fd8054d6f7977314e809eb77f0c5fb44d277996f3827d335bbe40b968cd71061d84f4a5320b99bc5697dff493b1eaab2c0c4d9646e303709069c473aaec

Download Submit
C:\KaVBE1\dobasys.exe

Filesize
2.5MB

MD5
184ceb56010b7cb2783ec2444d9d077f

SHA1
d0c555b74962dcdfc0feeea27b927b79548fc3a9

SHA256
6f9bc70cd684009faff9e3276aa4d5c54d133a16b9f09987f071a8fddf2c3f00

SHA512
08f8b45a41b6b10353a7e1957fa34bcd440345192455677f68d6c05b69867c023193a55fce66896264ce936bb67bf85152b0ceccb6725bce2ff84920fbc22151

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
b6dba8c7c6824ef15fd3313ee60babcc

SHA1
a1fe81e4e609d2bdeea65a0b414d5be633269926

SHA256
6aabb55e97949eb95af0b7f78849fd9cda32ba44cb272e2849d23b88e269fa35

SHA512
8d81a8d7aa53e87bcbb194672ad80da174b326809ecade6f51712967ab213f129ab84256f3b784dd96ccca58ff697869a2836a08bb2cd4046d2009bd4c6482ad

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
176B

MD5
af556a6660af8026a4fa0de9b3a50c24

SHA1
885ca295665140f75820aefb6b9cb6758cfd0cb8

SHA256
2f8b78b89b7c35e8ec2c3253e04c3586c162c2b7f2e958f58020c3b5a1ada4f3

SHA512
82e6b7849c6a57b98b73ec0a0e3de62879d029bb086b70df5eeea0da5a6a95b86c38ae9e0f6e066c49e1c613651a71fc1b43baed3f5ad81300293e4242ad06d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
2.1MB

MD5
c9a3edd9360b8e6b31311c91884fedc7

SHA1
6b08c62676ba82634f97efdc0b483a4da9046ea6

SHA256
2488a0e809a21204707651cc5596df5d471e0a504c45e0a2384a3fe431a59576

SHA512
26df10a05133b18af88e178a09931c088e0ff0ed7a1354171765c2eac4987d1dca559b6b90d822094aa87efccd56bb64cc8e0f8d90761d64d4c6237a4e167642

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

Filesize
448KB

MD5
f226324fef5c8a829e14c9190ee5925a

SHA1
6fb65aec2773479b7c53956c072a791d648a770c

SHA256
aa6ae7c96b8893a0c5bc7b8557ea1a3262d6ec6cbb7fe1049bc7a7bb19e09661

SHA512
6538e42b761bde05883732f4f4f706bc3275a4d7bc3b72a68feaf5614fcc56f533adbac2c8bf4b5a0790beb7c4315a8fb0cd95fb85e7a6135eb3c2e2ecf59644

Download Submit