Analysis
-
max time kernel
172s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system -
submitted
21/10/2023, 21:22
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.6b1d60aa99642cc2ec8f135045b02060.exe
Resource
win7-20231020-en
General
-
Target
NEAS.6b1d60aa99642cc2ec8f135045b02060.exe
-
Size
582KB
-
MD5
6b1d60aa99642cc2ec8f135045b02060
-
SHA1
9e1a0d02469b47f3478afe160d3d1c4b17d00128
-
SHA256
25871bf8a488d6b5d30604bdb65a6f9b37dccf7914ec7ed7172214dde6db89b7
-
SHA512
a56fede25faa21a180db5ac097265dac144f2deb99395ff353c56eba1e24ca085dfb40d6123aec118ac52ecd61c155098066ee20d51c81d79ce8a6b432221ef4
-
SSDEEP
12288:wRCwxW0udWTRW8fdeAISKGKHgshux0wJmWsx6:NwxbuETRW8fdeAIS6AsLwJm1
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
5060  F30B.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description                   ioc                                                                                                                Process
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe                                                F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp                            F30B.tmp
File opened for modification  C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll                                      F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll  F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll   F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll           F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OLKFSTUB.DLL                  F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL                   F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL                    F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe                                          F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api                                        F30B.tmp
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\goopdate.dll                                                       F30B.tmp
File opened for modification  C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe                                                  F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll                                           F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLL                      F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll                                                 F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api                                        F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api                                          F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp                     F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL               F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLL                    F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe                                           F30B.tmp
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe                                               F30B.tmp
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\EmbeddedBrowserWebView.dll             F30B.tmp
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe                                                   F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll           F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL                  F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe                                             F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api                                     F30B.tmp
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe                                                     F30B.tmp
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll                                  F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll           F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll                                                   F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll                                              F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL            F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL  F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe                                                     F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d                                       F30B.tmp
File created                  C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll                                          F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL                 F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL           F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL                   F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140u.dll                                                   F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api                                      F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2.dll                                        F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll                                          F30B.tmp
File created                  C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll                                              F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL                   F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe                                            F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe                      F30B.tmp
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\msedgeupdate.dll                                         F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll                 F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll    F30B.tmp
File opened for modification  C:\Program Files\7-Zip\7z.sfx                                                                                      F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL                    F30B.tmp
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe                                                   F30B.tmp
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe                                               F30B.tmp
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_bho.dll                               F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL                  F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe           F30B.tmp
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\SystemX86\concrt140.dll                                                 F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api                                   F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api                                         F30B.tmp
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_47.dll                                   F30B.tmp
-
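The "Drops file in Program Files directory" signature above is emitted as one run-together string of description, path and writing process. The Python below is an added example, not part of the Triage report or of the sample; it splits such a string into records, groups the targets by vendor directory under Program Files, and builds a PowerShell Get-AuthenticodeSignature check for the PE-like targets so a host that ran the sample can be checked for tampered vendor binaries. The five embedded entries are copied from the list above into a constructed string; the PE_LIKE suffix set and the vendor_of grouping rule are assumptions of this example.

```python
import ntpath
import re
from collections import Counter

# Constructed input: five entries copied from the "Drops file in Program Files
# directory" signature above, kept in the run-together form the report
# extraction produced. The full signature lists 64 such entries.
SAMPLE_IOC_TEXT = (
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe F30B.tmp "
    r"File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdate.dll F30B.tmp "
    r"File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll F30B.tmp "
    r"File opened for modification C:\Program Files\7-Zip\7z.sfx F30B.tmp "
    r"File opened for modification C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140u.dll F30B.tmp"
)

# The two descriptions that occur in this signature.
ACTIONS = ("File opened for modification", "File created")

# Assumption of this example: suffixes treated as PE images. Acrobat .api/.mpp/.x3d
# plug-ins and the 7-Zip .sfx stub are DLL/EXE images under another name.
PE_LIKE = {".exe", ".dll", ".api", ".mpp", ".x3d", ".sfx"}


def parse_iocs(text, process):
    """Split a run-together '<description> <path> <process>' string into records.

    The path is matched lazily up to the next occurrence of the writing
    process name, so paths containing spaces (Program Files (x86)) survive.
    """
    actions = "|".join(re.escape(a) for a in ACTIONS)
    proc = re.escape(process)
    pat = re.compile(rf"({actions})\s+(.+?)\s+{proc}(?=\s|$)")
    return [{"action": a, "path": p, "process": process} for a, p in pat.findall(text)]


def vendor_of(path):
    """First directory under Program Files / Program Files (x86), e.g. 'Adobe'."""
    m = re.match(r"^[A-Za-z]:\\Program Files( \(x86\))?\\([^\\]+)", path)
    return m.group(2) if m else "(other)"


def summarize(records):
    """Group targets by vendor directory and pick out the PE-like ones."""
    by_vendor = Counter(vendor_of(r["path"]) for r in records)
    pe_targets = sorted(r["path"] for r in records
                        if ntpath.splitext(r["path"])[1].lower() in PE_LIKE)
    created = [r["path"] for r in records if r["action"] == "File created"]
    return {"by_vendor": dict(by_vendor), "pe_targets": pe_targets, "created": created}


def signature_check_script(paths):
    """Build a PowerShell one-liner listing every target whose Authenticode
    signature is no longer 'Valid' on a host that ran the sample.
    Get-AuthenticodeSignature is a stock cmdlet; paths use PowerShell's
    single-quote form, with embedded single quotes doubled."""
    quoted = ",".join("'" + p.replace("'", "''") + "'" for p in paths)
    return ("Get-AuthenticodeSignature -FilePath " + quoted +
            " | Where-Object Status -ne 'Valid' | Select-Object Path, Status")


if __name__ == "__main__":
    recs = parse_iocs(SAMPLE_IOC_TEXT, "F30B.tmp")
    s = summarize(recs)
    print(f"{len(recs)} records; by vendor: {s['by_vendor']}")
    print(f"created: {s['created']}")
    print(signature_check_script(s["pe_targets"]))
```

A "File opened for modification" entry records a write-access open by F30B.tmp, not a confirmed change of contents, so the generated check is the way to settle it on an affected host: a vendor binary such as reader_sl.exe or goopdate.dll that shipped signed and now reports anything other than Valid (or no longer matches the hash of a clean install) was actually overwritten. The two "File created" entries under Common Files\Adobe\Acrobat\ActiveX are new files rather than touched ones and should be collected for their own analysis.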
Suspicious use of WriteProcessMemory 3 IoCs
description                   pid   Process                                    procid_target
PID 1084 wrote to memory of   5060  NEAS.6b1d60aa99642cc2ec8f135045b02060.exe  89
PID 1084 wrote to memory of   5060  NEAS.6b1d60aa99642cc2ec8f135045b02060.exe  89
PID 1084 wrote to memory of   5060  NEAS.6b1d60aa99642cc2ec8f135045b02060.exe  89
Processes
-
1  C:\Users\Admin\AppData\Local\Temp\NEAS.6b1d60aa99642cc2ec8f135045b02060.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.6b1d60aa99642cc2ec8f135045b02060.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1084
2    C:\Users\Admin\AppData\Local\Temp\F30B.tmp
     command line: C:\Users\Admin\AppData\Local\Temp\F30B.tmp
     - Executes dropped EXE
     - Drops file in Program Files directory
     PID: 5060
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_809DE37BF6F91747203FF7559791C460
Filesize 471B
MD5 c97729e2b44e500be22bffd54e4bf58a
SHA1 78f4bbdc38ed588359887e051b306ba6c6c58082
SHA256 1816a9de15b036535c9c6ca3c344f8c6f640481517feb98048f86b1a47c2c9a8
SHA512 d25ac18030a0caf738e30cd5465bfbaf7e55b39e0b592870e77be89a32392e6275c1093809dad038ddbe39517731b00ef13ceb2e116de48134e5f021899873fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Filesize 471B
MD5 d5dca730df319f765eb1b1cee9c3708d
SHA1 933b4c5ceb314e4d8c2fc332355a9c17d7b2c0e5
SHA256 d3f39b6306671bf1eaae163b2c478e5e9900273187893da4eb8be7e72bcee2cc
SHA512 e20e60c3447b567a90deab7a554d631f1e70cad91933ffe9e2c8e1e1e8ad3102f1a5f27e92a9688c049b8fbe15d6d5070f246d874cb2853f7725a00622c02912
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_809DE37BF6F91747203FF7559791C460
Filesize 404B
MD5 5d7c60a56133fdfdcaa3f38b03eeb558
SHA1 545db7a232d193dfb7d87833a6a529f39fbf1848
SHA256 863cbaeb3391635479aa33c743af47350e5b3ff97c64b8b796c4760a3dd96844
SHA512 d2591662c0fbea5f8bd0aff58d97a4a58966449c751e64aa9b0877c2ffef01d91c47b81416c6b581fbbd5a3e33403154bca65910fa0643220e203b059668bb0d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Filesize 412B
MD5 97e723031aa274b5147735ac6af483c0
SHA1 8fe4fc9033a0546fb83f964d568f9cae28a83848
SHA256 3a4eba2309d722830a3f0a5af740bd657e0ba237f0e722dad53c3cac99198081
SHA512 75db178c8a0299f5a39d8496ffc4fe8555103f77cbcbce5e04df5de1a543eb8859f03b26136fed321c6850cce8b2e0aac83a434c6bccbe47c002094eff1fa3a6
-
Filesize 145KB
MD5 c610e7ccd6859872c585b2a85d7dc992
SHA1 362b3d4b72e3add687c209c79b500b7c6a246d46
SHA256 14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041
SHA512 8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666
-
Filesize 145KB
MD5 c610e7ccd6859872c585b2a85d7dc992
SHA1 362b3d4b72e3add687c209c79b500b7c6a246d46
SHA256 14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041
SHA512 8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666
-
Filesize 3KB
MD5 f99e2cb678a33310336f1375052e9ef5
SHA1 ae0b828f198d06240f27e21d727583034c99f445
SHA256 bf527c103bb330772aae2dfcfb9ffecf51840ac744560c45b575cedbdba4b66d
SHA512 661dca2b8802019a507abd6cf192cf209406498d0558137d7c0a24db8cb6edf072cf9fd4fca76107de0e0bba6b25c863b7c2dc50860b92039c6dc7879568ef78
-
Filesize 17KB
MD5 7127539702867af35c2eb9757b191480
SHA1 b3b28103397d7bd2ef27010d5ea328ac047c6569
SHA256 ff14c841276ab90280ae4af4eaf2d7604e41e37d1925436a70f6faeda8e318f5
SHA512 12c124510b971e1ed546bb6d0276a327d8153bed6c96efa9a573190a37cccaca03338e5e219303094f4ef0895681776ac81dcee33d65009132747e4a8a9be2e0