Overview

overview

9

Static

static

3

NEAS.48a8d...JC.exe

windows7-x64

9

NEAS.48a8d...JC.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe

  • Size

    1.1MB

  • Sample

    231008-vw2lwaeg31

  • MD5

    71732eb5647b8cd8a12cd8cd68502255

  • SHA1

    f262f14249059df102414bfeaa5d61beffe13b40

  • SHA256

    48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e

  • SHA512

    b6df55e57e2c785bc713f92e1b1c6743810c0eebe7967c344f1a5a70ae9dc0c9a8843ff69903623a4b359b15ba9c121f6722f902dfd0b661d6ccb9f1853f790d

  • SSDEEP

    24576:Y7IvpH41Cl36RgrO/+6WdKHsJYrrg0H+2UbDC:Y72mVpOY3gH2UbD

Score
9/10
bootkitdiscoveryevasionpersistencetrojan

Malware Config

Targets

    • Target

      NEAS.48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e_JC.exe

    • Size

      1.1MB

    • MD5

      71732eb5647b8cd8a12cd8cd68502255

    • SHA1

      f262f14249059df102414bfeaa5d61beffe13b40

    • SHA256

      48a8de2b7c0d0366b5cda3eef79af0575424bb5ac079551593aa16d4861dea4e

    • SHA512

      b6df55e57e2c785bc713f92e1b1c6743810c0eebe7967c344f1a5a70ae9dc0c9a8843ff69903623a4b359b15ba9c121f6722f902dfd0b661d6ccb9f1853f790d

    • SSDEEP

      24576:Y7IvpH41Cl36RgrO/+6WdKHsJYrrg0H+2UbDC:Y72mVpOY3gH2UbD

    Score
    9/10
    bootkitdiscoveryevasionpersistencetrojan

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Sets service image path in registry

      persistence

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Modifies system executable filetype association

      persistence

    • Registers COM server for autorun

      persistence

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

File and Directory Permissions Modification

1
T1222

Modify Registry

5
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

Software Discovery

1
T1518

System Information Discovery

5
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks