Analysis
max time kernel: 105s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2023, 20:23
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
  Resource: win10v2004-20230915-en
General
Target: NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
Size: 7.5MB
MD5: 551d883bdc28b7156ec1ff4884e944d0
SHA1: 4d41b77ddf97bb3d1b06af996a7734249e450284
SHA256: a35d1e4e5339a9568a2ef066a66ece7a9c95dd130993789a2d980719d5151f20
SHA512: 18ea69045f459de4115e133ceaf4c0989162617f52c2c6ae8c97282507159146bedfd7191d86128477c3f97e5911b9842c79501cb18305f2c77bcd308a793231
SSDEEP: 196608:LspMRop2WowlB2sDfD+g+Sq/rUdDH60IXeDn3Se:LuMRe6wz2sDf1+Sq/4a0IuDn3
Malware Config
Signatures

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                              Process
  Key value queried   \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe

Executes dropped EXE (1 IoC)
  pid    Process
  1528   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe

Obfuscated with Agile.Net obfuscator (9 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                                                      yara_rule
  behavioral2/memory/2744-7-0x0000000000400000-0x0000000000F9F000-memory.dmp     agile_net
  behavioral2/memory/2744-14-0x0000000000400000-0x0000000000F9F000-memory.dmp    agile_net
  behavioral2/memory/2744-15-0x0000000000400000-0x0000000000F9F000-memory.dmp    agile_net
  behavioral2/memory/2744-17-0x0000000000400000-0x0000000000F9F000-memory.dmp    agile_net
  behavioral2/memory/2744-21-0x0000000000400000-0x0000000000F9F000-memory.dmp    agile_net
  behavioral2/memory/2744-38-0x0000000000400000-0x0000000000F9F000-memory.dmp    agile_net
  behavioral2/memory/2744-39-0x0000000000400000-0x0000000000F9F000-memory.dmp    agile_net
  behavioral2/memory/2744-306-0x0000000000400000-0x0000000000F9F000-memory.dmp   agile_net
  behavioral2/memory/1528-310-0x0000000000400000-0x0000000000FA9000-memory.dmp   agile_net

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid    Process
  2744   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
  1528   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  pid    Process
  4668   timeout.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    Process
  2744   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
  2744   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
  1528   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
  1528   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                pid    Process
  Token: SeDebugPrivilege    2744   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid    Process                                     procid_target
  PID 2744 wrote to memory of 1528   2744   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   98
  PID 2744 wrote to memory of 1528   2744   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   98
  PID 2744 wrote to memory of 1528   2744   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   98
  PID 2744 wrote to memory of 4852   2744   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   99
  PID 2744 wrote to memory of 4852   2744   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   99
  PID 2744 wrote to memory of 4852   2744   NEAS.551d883bdc28b7156ec1ff4884e944d0.exe   99
  PID 4852 wrote to memory of 4668   4852   cmd.exe                                     101
  PID 4852 wrote to memory of 4668   4852   cmd.exe                                     101
  PID 4852 wrote to memory of 4668   4852   cmd.exe                                     101
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.551d883bdc28b7156ec1ff4884e944d0.exe"
  PID: 2744
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\NEAS.551d883bdc28b7156ec1ff4884e944d0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.551d883bdc28b7156ec1ff4884e944d0.exe"
    PID: 1528
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C timeout /T 3 & del "C:\Users\Admin\AppData\Local\Temp\*.tmp"
    PID: 4852
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /T 3
      PID: 4668
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7.5MB
MD5: 60170f5c6953f21f9dda2ce4c9a7a376
SHA1: 19c18ca5f49a2920c61e8f5123ca8c91f305a9a1
SHA256: 8e6654fc8cdc31f4d3aa2f747f03d962dd0db9cc81a7b3c2bb4a435e6bac8c07
SHA512: 872d4c43a44b517bbcc7b8f40fc5b15649e829e831163a6befb6eade7e2419f48521a8dde25124a376a48a41341147c3636034efd7dbdfde8e438dc88fb9a971