Analysis
-
max time kernel
28s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
24-03-2023 20:34
Behavioral task
behavioral1
Sample
NeptnExternalFree.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
NeptnExternalFree.exe
Resource
win10v2004-20230220-en
General
-
Target
NeptnExternalFree.exe
-
Size
3.4MB
-
MD5
bbedbbb87552cceb179e196588684cbc
-
SHA1
d1b7d2834140f503d7a7b92df30fadece473c29c
-
SHA256
b30dfb8608adf0c39754145ed1e8e8cf391ef1a5cafeb207bdb53dbfe80a4a08
-
SHA512
1e65d28aad644fc791a01eb55d3dc53d6f5c63c5fb5c9e52c96c384b5109499364a0ca433e09383972419b02e53662f15f9d238c4313aeb6842a4057be9429f3
-
SSDEEP
98304:i1NGlQS2DA5FlCPfvJj2wmfXWjY9sz985D:i1N+QXAHlohyP/WsA98B
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
NeptnExternalFree.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ NeptnExternalFree.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
NeptnExternalFree.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion NeptnExternalFree.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion NeptnExternalFree.exe -
Processes:
resource yara_rule behavioral1/memory/2028-54-0x000000013F480000-0x000000013FD99000-memory.dmp themida behavioral1/memory/2028-55-0x000000013F480000-0x000000013FD99000-memory.dmp themida behavioral1/memory/2028-56-0x000000013F480000-0x000000013FD99000-memory.dmp themida behavioral1/memory/2028-57-0x000000013F480000-0x000000013FD99000-memory.dmp themida -
Processes:
NeptnExternalFree.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NeptnExternalFree.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
NeptnExternalFree.exepid process 2028 NeptnExternalFree.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1824 2028 WerFault.exe NeptnExternalFree.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C2D6D731-CA8B-11ED-9D2F-CED2106B5FC8} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1932 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1932 iexplore.exe 1932 iexplore.exe 572 IEXPLORE.EXE 572 IEXPLORE.EXE 572 IEXPLORE.EXE 572 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
NeptnExternalFree.execmd.exeiexplore.exedescription pid process target process PID 2028 wrote to memory of 1824 2028 NeptnExternalFree.exe WerFault.exe PID 2028 wrote to memory of 1824 2028 NeptnExternalFree.exe WerFault.exe PID 2028 wrote to memory of 1824 2028 NeptnExternalFree.exe WerFault.exe PID 2028 wrote to memory of 1800 2028 NeptnExternalFree.exe cmd.exe PID 2028 wrote to memory of 1800 2028 NeptnExternalFree.exe cmd.exe PID 2028 wrote to memory of 1800 2028 NeptnExternalFree.exe cmd.exe PID 1800 wrote to memory of 1932 1800 cmd.exe iexplore.exe PID 1800 wrote to memory of 1932 1800 cmd.exe iexplore.exe PID 1800 wrote to memory of 1932 1800 cmd.exe iexplore.exe PID 1932 wrote to memory of 572 1932 iexplore.exe IEXPLORE.EXE PID 1932 wrote to memory of 572 1932 iexplore.exe IEXPLORE.EXE PID 1932 wrote to memory of 572 1932 iexplore.exe IEXPLORE.EXE PID 1932 wrote to memory of 572 1932 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe"C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start https://discord.gg/xCRS6yyPF62⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/xCRS6yyPF63⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2028 -s 1322⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD59d6d3883cad28b1016d06bbaf6ff33eb
SHA1dd9292702fdd363bff926d058691be485ebbd243
SHA2567757beb205d3767647b41135522c49bc7bd4b9266bcdf8d7b19c48aac476764b
SHA5125d989da4798fe4db8ee67f1dd6d80d1ea10c9fcdc21f5bfe874fec492cf770caead0d23cb992ed35366ad071122bd372b90c4d8d58adaa7c311eac2391076214
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD507718bff190253f7b60cbecf4357c12d
SHA152115e28c5fbc0f061f6d61ca307f38511b054e6
SHA256a5fa7627997c52bb52e74db1a64a6398688e24771b423165964362c1cb39ec85
SHA5120581b0507e02fa54d84a645f94ef8ff9089eba1c880fc4e2811e6d3b8e05bb5584c1f357b0a37460efabae9ff5b581d3686b74e3a913bf62158f5b875d26cd55
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD5f7db0a97d28035a54043d34fb2a54cdd
SHA118ee0bb56453915a7766472f59836e9548a186e7
SHA2565081226a5c52bc07c66b0b9fb38cd51be258191e96e4cd5c90f90e6f204dbd10
SHA512176083401e344b484059ab25c0712263f6cc681622db5ea5fccd3b3663f49147cb12a1dabd687ff787529f5815ce2996da5911d62de1731ae83a564e161a76c4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD5dae42e881062180b7b307995f6d7a8c2
SHA135fa86c3bb93b7cf026538e737659fef5b4f59bf
SHA256c88bb008bcd9f134e9f7c0f85fdea3b7a95b1f47638f9db01ef6c893fc3e1bca
SHA5128a526765935d89d4720b90b1153fbcc9a0a23b3ebc50f75dad021fa893102417a2a21c26781d2489942ae1a9304d4373d649a608d7fffbca2115864ecca2156c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD536deb7bc4badd19959738ab2d562cc75
SHA11829ad7639be8f8d87865f463928d2d81ed4a148
SHA25623f0e234f0cb46900efc15e9630eabd7881e2a279f3d129a94b7bc3fd827b696
SHA5121101aac7aac76f2c2db2c6afaf0f01d1c99efcf9fce5f21acc2b2df4968ad4b66c63eaa3604478855c2e7ddd6505798e273d270c85f336bad14f8c4b75fe263f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD5174a5a11d9e04acbbf169e1de0f85b33
SHA1eeba2efcac859e642c7a035c45deeb5c3caa20e6
SHA256ec274d7beb4f09669ff7ecaa1b8044f03e57a20738e1fa17c21ad8d613457d44
SHA512ef7ca6e7531dca76425a8a9b17cc3716b98a2768666939c1091fa4756ec26efd03b27ec8aff518071de583d723da14431fe96485fdcad5193f922eea1039f264
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD5d9dd8bd4bffa87e13ea34af94c880559
SHA14b39c71e5e69b60fde8565e2cca1a1b5b72af96c
SHA256d25af4076138ef9c32d0e7c2f09f6affc283e9b0999fafb1fa3d6a2617afa151
SHA512992c1dda5005ab8f1f91f800d555469d88cbe1a3870562a0e38c19de566450b893f7b7109f1186550db534ec9586a8e39c1f71ddc2e7919cc6b6e9793d7f46e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD57a82b4ff40d73b635fae36f94f3af9fc
SHA13bd70a37e16e59916069faf20121e3a66e9c578b
SHA2566faf7d24f46bdd4b83d9e2a0ed4ad97915f51b5284efc10728472a6e3a402692
SHA512fc6f48a81ae9af0a96cc300c2ebc66782645d81ae76a0c24aed2bdb7995ea69c78bd2e7612d75756475efa2dee72f6b1a99e979d870557f8a3ff8dc5e340688f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD536dd399d2cbafd782b5567a9ee4c9724
SHA1db4f24c4b2d6780c0cb2e9a6405d40e2a75ef52f
SHA25684fb119132e7bf392ff313ea0ff1f01db841009a83dba128b270f18a528638ef
SHA51206985f96b20349f94c5cbac0544c68fd4587c854b6a5f98c3cff974e2fd87cebd35b9cfd5fc85698840578b9c1005e73a4c606f4f790d5a1fff6583f67a83f67
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\p734dsx\imagestore.datFilesize
28KB
MD54f1d17b54f5f76e6381677afe53111e4
SHA19cab697436bdbffede5408885eb4bcf13e7693e2
SHA25666be396d47dd65262d2d4511d20d28d50ec1fe848d52d796327391b65a360601
SHA512e166dc48ff355a37ef9fff75f99f1af39bf691a4ab88ec430ae339b11836a5edaac202a69f76c6bca74c656bd6afb2223aa93f307ae00a1ab401553f2e800b41
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZTPJYNO\ec2c34cadd4b5f4594415127380a85e6[1].icoFilesize
23KB
MD5ec2c34cadd4b5f4594415127380a85e6
SHA1e7e129270da0153510ef04a148d08702b980b679
SHA256128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7
SHA512c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c
-
C:\Users\Admin\AppData\Local\Temp\Cab73EC.tmpFilesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\Local\Temp\Tar73ED.tmpFilesize
161KB
MD573b4b714b42fc9a6aaefd0ae59adb009
SHA1efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
SHA256c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
SHA51273af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd
-
C:\Users\Admin\AppData\Local\Temp\Tar752B.tmpFilesize
161KB
MD5be2bec6e8c5653136d3e72fe53c98aa3
SHA1a8182d6db17c14671c3d5766c72e58d87c0810de
SHA2561919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA5120d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff
-
memory/2028-57-0x000000013F480000-0x000000013FD99000-memory.dmpFilesize
9.1MB
-
memory/2028-54-0x000000013F480000-0x000000013FD99000-memory.dmpFilesize
9.1MB
-
memory/2028-55-0x000000013F480000-0x000000013FD99000-memory.dmpFilesize
9.1MB
-
memory/2028-56-0x000000013F480000-0x000000013FD99000-memory.dmpFilesize
9.1MB
-
memory/2028-68-0x0000000001B30000-0x0000000001B31000-memory.dmpFilesize
4KB