Analysis

  • max time kernel
    153s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-10-2023 14:41

General

  • Target

    NEAS.8dac60126622aa3c7dc96d3dce9e3d96_JC.exe

  • Size

    119KB

  • MD5

    8dac60126622aa3c7dc96d3dce9e3d96

  • SHA1

    9765a97d89eb7e9bc780774309cd859c3ff3b339

  • SHA256

    aaf81b1bccda6e62369db3267fdcd6c72478c94ed758151f96327dcb67b6837d

  • SHA512

    b49dca7f6eccc412a18d2e2dab7166d5ebcb1d3708d642a24ebb23416c31098c5085919f9b20e18d0c9e0055ea9ec889dca08aaf3126e0a44576fab77fa9daae

  • SSDEEP

    3072:HOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:HIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.8dac60126622aa3c7dc96d3dce9e3d96_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.8dac60126622aa3c7dc96d3dce9e3d96_JC.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4308
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3504

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe

    Filesize

    4KB

    MD5

    57e3bd9cd4d9fc5e26c97ee0b7a7d5f8

    SHA1

    ea01ea1be5042a8bcfa01f1a2eca37b6315a6400

    SHA256

    6ad2cb9b2dea4dc3f3f025c24937133c739fa96c26ae633910ef14514f020559

    SHA512

    5bdc1e88de870cad56b87d3254f49647a354d0ab3dfdbeadd494ce698bc28c1561a3b25362f7d720b7cefa5c902c2fa910737a806c3f25c78c6585074020155d

  • C:\Windows\SysWOW64\grcopy.dll

    Filesize

    119KB

    MD5

    5774fb04efcfcfc9cb12b8df63cd6507

    SHA1

    55c46be66e7ff2ed1b9f0443d98c410b0eee0cd6

    SHA256

    433e21744171c00d85e91352580ab846995472c792df052c4ceb713b81319f55

    SHA512

    1b8e28247f1b116494faee8b2734018d4deb8ba0f4bdea383800a8e4b5ebe46d2cd0077d98c517c45cc841d54199eec12d937b4d4b77dc0ecd086377acb232f7

  • C:\Windows\SysWOW64\satornas.dll

    Filesize

    183B

    MD5

    acba38a3d03abe2728372c51887bbeef

    SHA1

    f61b85add1ededadc334a907a175c8acab95bda2

    SHA256

    d4494dab533cbd0e35e7be11f0800dfb3398aeb8c0f4d88486c26babca5422d2

    SHA512

    3cb1945eeacdb31e65a19a539a4eace34397bde029114d9d3b61832682457e917211e7664dab6cee30c3df3efa790e58c7deda4184742981b2b7ec630edea6c9

  • C:\Windows\SysWOW64\shervans.dll

    Filesize

    8KB

    MD5

    6ba7f59d2b1eb3c1bb6585a392f4fcb3

    SHA1

    f8c3f37ff6d99e33a5403c945893d9f6cd24d937

    SHA256

    2feb54179282ef09be502e0b13c18ac7049ed4898a61ebd423d9f93ea5a2079d

    SHA512

    3da90dd7ceafe0e0511f022b89648973e77b62616ccf5c250eb6370a7578d09f5239f9f3670f26130f2cf87e35903238a3c6642efc37e0da48190cd89f16921f

  • C:\Windows\SysWOW64\smnss.exe

    Filesize

    119KB

    MD5

    5774fb04efcfcfc9cb12b8df63cd6507

    SHA1

    55c46be66e7ff2ed1b9f0443d98c410b0eee0cd6

    SHA256

    433e21744171c00d85e91352580ab846995472c792df052c4ceb713b81319f55

    SHA512

    1b8e28247f1b116494faee8b2734018d4deb8ba0f4bdea383800a8e4b5ebe46d2cd0077d98c517c45cc841d54199eec12d937b4d4b77dc0ecd086377acb232f7

  • memory/3064-23-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3064-22-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/3064-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3064-12-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/3504-30-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3504-35-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/3504-37-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3504-38-0x0000000010000000-0x000000001000D000-memory.dmp

    Filesize

    52KB

  • memory/4308-26-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4308-21-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB