Overview

overview

8

Static

static

3

NEAS.0fdf2...10.exe

windows7-x64

8

NEAS.0fdf2...10.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2023, 08:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.0fdf2c09bb6f7036de3a580502016510.exe

  • Size

    119KB

  • MD5

    0fdf2c09bb6f7036de3a580502016510

  • SHA1

    c736459d2f33fc56fd67758ab61c549b383547ae

  • SHA256

    1988b49750512f213f05bca7a51bc64cd59278872fb25657576b963427400e4b

  • SHA512

    01437b1234757becb0d9491a81761e2f1ca85e8d492e24e87e6e4f225ef872e586444879a6b80ed44dd07fc63172992dee97263470df3b3bc1332d49ff20b4de

  • SSDEEP

    3072:OOjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:OIs9OKofHfHTXQLzgvnzHPowYbvrjD/E

Score
7/10
persistence

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.0fdf2c09bb6f7036de3a580502016510.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.0fdf2c09bb6f7036de3a580502016510.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2728
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1564
          4⤵
          • Program crash
          PID:2996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2728 -ip 2728
    1⤵
      PID:1612

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\ctfmen.exe
            Filesize

            4KB

            MD5

            ecb001934820903c8f33b12274771dfe

            SHA1

            c4d672696cfe688c9edb49bfd4724cfc2f6394f0

            SHA256

            72d86df103286415ac69fcd66bd7a450b629e205207908ee74bf83dcd7a52577

            SHA512

            e5dbf14833be83e13969cfdf1eee1595a7a57e3c0f5e59f15bca4f709b4e7b5cce7620417843c213af5c0e70cd217d78cc216f00ec64a91ad60616c34c1abf59

            Download Submit

          • C:\Windows\SysWOW64\ctfmen.exe
            Filesize

            4KB

            MD5

            ecb001934820903c8f33b12274771dfe

            SHA1

            c4d672696cfe688c9edb49bfd4724cfc2f6394f0

            SHA256

            72d86df103286415ac69fcd66bd7a450b629e205207908ee74bf83dcd7a52577

            SHA512

            e5dbf14833be83e13969cfdf1eee1595a7a57e3c0f5e59f15bca4f709b4e7b5cce7620417843c213af5c0e70cd217d78cc216f00ec64a91ad60616c34c1abf59

            Download Submit

          • C:\Windows\SysWOW64\grcopy.dll
            Filesize

            119KB

            MD5

            a1a96bc13c55c2a1eab8e69be01ffa78

            SHA1

            9c337e113b698e60fdac08ab6259638917b71907

            SHA256

            849cbf57effea0ca3b34276febd3195f362229620d5e371c1225b85f549efcdf

            SHA512

            f21be15958c8fec2c2cd4a1623cc309d6cf7d36209d37f4f7dbb09e15cee449b5c1a125ab2023b40b3bca2303131012da6af82897c0b522164ef420ba78b5043

            Download Submit

          • C:\Windows\SysWOW64\grcopy.dll
            Filesize

            119KB

            MD5

            a1a96bc13c55c2a1eab8e69be01ffa78

            SHA1

            9c337e113b698e60fdac08ab6259638917b71907

            SHA256

            849cbf57effea0ca3b34276febd3195f362229620d5e371c1225b85f549efcdf

            SHA512

            f21be15958c8fec2c2cd4a1623cc309d6cf7d36209d37f4f7dbb09e15cee449b5c1a125ab2023b40b3bca2303131012da6af82897c0b522164ef420ba78b5043

            Download Submit

          • C:\Windows\SysWOW64\satornas.dll
            Filesize

            183B

            MD5

            6761051c64d2af83d680030a74681b97

            SHA1

            e68b257bedec7fac682e161550b885e62916325f

            SHA256

            e03f3ad043410cad86b9a85eba3859a9e2334b4a6169457474178056897cc3d1

            SHA512

            18c088e6106ec79a3c7d93bc94aadf549d4f26b9a20d0bd591ad03de9a7b6779d1f15b15225738990eb0cd10cf58e73325ea3821bee2611b7af0503a044f769e

            Download Submit

          • C:\Windows\SysWOW64\shervans.dll
            Filesize

            8KB

            MD5

            31a2784a683826aa3c2bc63019ae8853

            SHA1

            f2e1aca0d1e8cd3b66ec0a436435f9c46ae74c4d

            SHA256

            6093d57fc64c5617667bd129159ecae0514654e3bd048caad57a56d0b77434ac

            SHA512

            8b801328bf96553380018b8789e25e8d6a86479b4c8736c0498517a706b5c2b840ae6c12a0fd9dce7ba8773c0e74967a851cd36dbbedaad55926a5b3c864f390

            Download Submit

          • C:\Windows\SysWOW64\shervans.dll
            Filesize

            8KB

            MD5

            31a2784a683826aa3c2bc63019ae8853

            SHA1

            f2e1aca0d1e8cd3b66ec0a436435f9c46ae74c4d

            SHA256

            6093d57fc64c5617667bd129159ecae0514654e3bd048caad57a56d0b77434ac

            SHA512

            8b801328bf96553380018b8789e25e8d6a86479b4c8736c0498517a706b5c2b840ae6c12a0fd9dce7ba8773c0e74967a851cd36dbbedaad55926a5b3c864f390

            Download Submit

          • C:\Windows\SysWOW64\shervans.dll
            Filesize

            8KB

            MD5

            31a2784a683826aa3c2bc63019ae8853

            SHA1

            f2e1aca0d1e8cd3b66ec0a436435f9c46ae74c4d

            SHA256

            6093d57fc64c5617667bd129159ecae0514654e3bd048caad57a56d0b77434ac

            SHA512

            8b801328bf96553380018b8789e25e8d6a86479b4c8736c0498517a706b5c2b840ae6c12a0fd9dce7ba8773c0e74967a851cd36dbbedaad55926a5b3c864f390

            Download Submit

          • C:\Windows\SysWOW64\smnss.exe
            Filesize

            119KB

            MD5

            a1a96bc13c55c2a1eab8e69be01ffa78

            SHA1

            9c337e113b698e60fdac08ab6259638917b71907

            SHA256

            849cbf57effea0ca3b34276febd3195f362229620d5e371c1225b85f549efcdf

            SHA512

            f21be15958c8fec2c2cd4a1623cc309d6cf7d36209d37f4f7dbb09e15cee449b5c1a125ab2023b40b3bca2303131012da6af82897c0b522164ef420ba78b5043

            Download Submit

          • C:\Windows\SysWOW64\smnss.exe
            Filesize

            119KB

            MD5

            a1a96bc13c55c2a1eab8e69be01ffa78

            SHA1

            9c337e113b698e60fdac08ab6259638917b71907

            SHA256

            849cbf57effea0ca3b34276febd3195f362229620d5e371c1225b85f549efcdf

            SHA512

            f21be15958c8fec2c2cd4a1623cc309d6cf7d36209d37f4f7dbb09e15cee449b5c1a125ab2023b40b3bca2303131012da6af82897c0b522164ef420ba78b5043

            Download Submit

          • memory/1960-23-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/2728-29-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2728-36-0x0000000010000000-0x000000001000D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/2728-37-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4568-0-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4568-26-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4568-21-0x0000000010000000-0x000000001000D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/4568-13-0x0000000010000000-0x000000001000D000-memory.dmp

            Filesize

            52KB

            Download