Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 13/10/2023, 20:23
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
  Resource: win10v2004-20230915-en
General
Target: NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
Size: 7.5MB
MD5: 551d883bdc28b7156ec1ff4884e944d0
SHA1: 4d41b77ddf97bb3d1b06af996a7734249e450284
SHA256: a35d1e4e5339a9568a2ef066a66ece7a9c95dd130993789a2d980719d5151f20
SHA512: 18ea69045f459de4115e133ceaf4c0989162617f52c2c6ae8c97282507159146bedfd7191d86128477c3f97e5911b9842c79501cb18305f2c77bcd308a793231
SSDEEP: 196608:LspMRop2WowlB2sDfD+g+Sq/rUdDH60IXeDn3Se:LuMRe6wz2sDf1+Sq/4a0IuDn3
Malware Config
Signatures

Downloads MZ/PE file

Deletes itself (1 IoC)
  pid   Process
  2392  cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  1632  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe

Obfuscated with Agile.Net obfuscator (9 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                                                 yara_rule
  behavioral1/memory/2164-4-0x0000000000400000-0x0000000000F9F000-memory.dmp    agile_net
  behavioral1/memory/2164-16-0x0000000000400000-0x0000000000F9F000-memory.dmp   agile_net
  behavioral1/memory/2164-19-0x0000000000400000-0x0000000000F9F000-memory.dmp   agile_net
  behavioral1/memory/2164-21-0x0000000000400000-0x0000000000F9F000-memory.dmp   agile_net
  behavioral1/memory/2164-38-0x0000000000400000-0x0000000000F9F000-memory.dmp   agile_net
  behavioral1/memory/2164-39-0x0000000000400000-0x0000000000F9F000-memory.dmp   agile_net
  behavioral1/memory/2164-56-0x0000000000400000-0x0000000000F9F000-memory.dmp   agile_net
  behavioral1/memory/1632-199-0x0000000000400000-0x0000000000FA9000-memory.dmp  agile_net
  behavioral1/memory/2164-278-0x0000000000400000-0x0000000000F9F000-memory.dmp  agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
  1632  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  pid   Process
  3032  timeout.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
  1632  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                     procid_target
  PID 2164 wrote to memory of 1632   2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   30
  PID 2164 wrote to memory of 1632   2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   30
  PID 2164 wrote to memory of 1632   2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   30
  PID 2164 wrote to memory of 1632   2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   30
  PID 2164 wrote to memory of 2392   2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   31
  PID 2164 wrote to memory of 2392   2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   31
  PID 2164 wrote to memory of 2392   2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   31
  PID 2164 wrote to memory of 2392   2164  NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   31
  PID 2392 wrote to memory of 3032   2392  cmd.exe                                     33
  PID 2392 wrote to memory of 3032   2392  cmd.exe                                     33
  PID 2392 wrote to memory of 3032   2392  cmd.exe                                     33
  PID 2392 wrote to memory of 3032   2392  cmd.exe                                     33
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.551d883bdc28b7156ec1ff4884e944d0.exe"
  PID: 2164
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.551d883bdc28b7156ec1ff4884e944d0.exe"
    PID: 1632
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C timeout /T 3 & del "C:\Users\Admin\AppData\Local\Temp\*.tmp"
    PID: 2392
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /T 3
      PID: 3032
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 7.5MB
MD5: 1659cfdb0d7df1a825719eea1b12837f
SHA1: 8ca69bde4b8165b09e6fe8ae4a4bfe9c4a8d2c44
SHA256: 75ca24fe8e05914fae47210c7b9a5f9cd9ee89ccc05e69da3f81ab5d1283e312
SHA512: 7ab46b8cf8fb71edf0eddfa0609503b110db078026bba5757f4b0efd8dad4811a8e3cc456836ca0e7d062aab2e533a6ab53e516e77f6bc48b238a469e7b23090