Analysis

  max time kernel    121s
  max time network   180s
  platform           windows10-2004_x64
  resource           win10v2004-20231020-en
  resource tags      arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  submitted          22/10/2023, 13:54
Static task        static1
Behavioral task    behavioral1
  Sample           NEAS.NEAS686843d48819c4c53e03cb1eca5a4a40082fe24c201b01ce6c0eecbe7c5a7e1cexeexe_JC.exe
  Resource         win7-20231020-en
General

  Target    NEAS.NEAS686843d48819c4c53e03cb1eca5a4a40082fe24c201b01ce6c0eecbe7c5a7e1cexeexe_JC.exe
  Size      307KB
  MD5       ef70b147c0a5d36421a2e3a444d24f2c
  SHA1      8c5aa0cbc8533bba3d010f2126a6a8b9424a29fb
  SHA256    686843d48819c4c53e03cb1eca5a4a40082fe24c201b01ce6c0eecbe7c5a7e1c
  SHA512    788101bf791f3cba949547b35eda3940e43dec2893343f0e4f75aa4479e6985452ab8d92e7e84b54b8597955431080208ed845f72e1f6230377668985696de56
  SSDEEP    6144:a7bWZGyntnUkg3RqWJLdb54Y4y2egsM7u67LnAOZiZVvL:a7a9U/3RXJP4Ts8u67LGVvL
Malware Config

Extracted
  family    stealc
  C2        http://77.91.97.146
  url_path  /b5186114a247f330.php
Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  51    2900  rundll32.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Control Panel\International\Geo\Nation  NEAS.NEAS686843d48819c4c53e03cb1eca5a4a40082fe24c201b01ce6c0eecbe7c5a7e1cexeexe_JC.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Control Panel\International\Geo\Nation  Utsysc.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Control Panel\International\Geo\Nation  P6aAurfUFmnG.exe

Executes dropped EXE (4 IoCs)
  pid   Process
  3828  Utsysc.exe
  560   P6aAurfUFmnG.exe
  4912  Utsysc.exe
  2376  Utsysc.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  876   rundll32.exe
  4936  rundll32.exe
  2900  rundll32.exe
  560   P6aAurfUFmnG.exe
  560   P6aAurfUFmnG.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3872  560         WerFault.exe  102

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      P6aAurfUFmnG.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  P6aAurfUFmnG.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4768  schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid   Process
  4556  timeout.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  560   P6aAurfUFmnG.exe
  560   P6aAurfUFmnG.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4700  NEAS.NEAS686843d48819c4c53e03cb1eca5a4a40082fe24c201b01ce6c0eecbe7c5a7e1cexeexe_JC.exe

Suspicious use of WriteProcessMemory (44 IoCs)
  The sandbox logged each write three times (the 876 to 4936 write twice); the 15 distinct parent/child pairs are listed once each below.
  description                pid   Process                                                                                    procid_target
  PID 4700 wrote to memory of 3828  NEAS.NEAS686843d48819c4c53e03cb1eca5a4a40082fe24c201b01ce6c0eecbe7c5a7e1cexeexe_JC.exe  89
  PID 3828 wrote to memory of 4768  Utsysc.exe                                                                                 92
  PID 3828 wrote to memory of 2636  Utsysc.exe                                                                                 94
  PID 2636 wrote to memory of 3028  cmd.exe                                                                                    96
  PID 2636 wrote to memory of 2828  cmd.exe                                                                                    97
  PID 2636 wrote to memory of 1132  cmd.exe                                                                                    98
  PID 2636 wrote to memory of 3140  cmd.exe                                                                                    99
  PID 2636 wrote to memory of 492   cmd.exe                                                                                    100
  PID 2636 wrote to memory of 2896  cmd.exe                                                                                    101
  PID 3828 wrote to memory of 560   Utsysc.exe                                                                                 102
  PID 3828 wrote to memory of 876   Utsysc.exe                                                                                 103
  PID 876 wrote to memory of 4936   rundll32.exe                                                                               104
  PID 3828 wrote to memory of 2900  Utsysc.exe                                                                                 105
  PID 560 wrote to memory of 64     P6aAurfUFmnG.exe                                                                           111
  PID 64 wrote to memory of 4556    cmd.exe                                                                                    113
Processes

Indentation shows the parent/child relationship; each entry gives the image path, the command line as captured, the PID and the signatures that matched it.

C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS686843d48819c4c53e03cb1eca5a4a40082fe24c201b01ce6c0eecbe7c5a7e1cexeexe_JC.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS686843d48819c4c53e03cb1eca5a4a40082fe24c201b01ce6c0eecbe7c5a7e1cexeexe_JC.exe"
  PID: 4700
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\3df9cdab86\Utsysc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3df9cdab86\Utsysc.exe"
    PID: 3828
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\3df9cdab86\Utsysc.exe" /F
      PID: 4768
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3df9cdab86" /P "Admin:N"&&CACLS "..\3df9cdab86" /P "Admin:R" /E&&Exit
      PID: 2636
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 3028

      C:\Windows\SysWOW64\cacls.exe
        command line: CACLS "Utsysc.exe" /P "Admin:N"
        PID: 2828

      C:\Windows\SysWOW64\cacls.exe
        command line: CACLS "Utsysc.exe" /P "Admin:R" /E
        PID: 1132

      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 3140

      C:\Windows\SysWOW64\cacls.exe
        command line: CACLS "..\3df9cdab86" /P "Admin:N"
        PID: 492

      C:\Windows\SysWOW64\cacls.exe
        command line: CACLS "..\3df9cdab86" /P "Admin:R" /E
        PID: 2896

    C:\Users\Admin\AppData\Roaming\1000004000\P6aAurfUFmnG.exe
      command line: "C:\Users\Admin\AppData\Roaming\1000004000\P6aAurfUFmnG.exe"
      PID: 560
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Roaming\1000004000\P6aAurfUFmnG.exe" & del "C:\ProgramData\*.dll"" & exit
        PID: 64
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
          command line: timeout /t 5
          PID: 4556
          - Delays execution with timeout.exe

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 2136
        PID: 3872
        - Program crash

    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\491b681d623b85\cred64.dll, Main
      PID: 876
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\rundll32.exe
        command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\491b681d623b85\cred64.dll, Main
        PID: 4936
        - Loads dropped DLL

    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\491b681d623b85\clip64.dll, Main
      PID: 2900
      - Blocklisted process makes network request
      - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\3df9cdab86\Utsysc.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3df9cdab86\Utsysc.exe
  PID: 4912
  - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 560 -ip 560
  PID: 1312

C:\Users\Admin\AppData\Local\Temp\3df9cdab86\Utsysc.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3df9cdab86\Utsysc.exe
  PID: 2376
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads