Analysis

max time kernel:   159s
max time network:  170s
platform:          windows10-2004_x64
resource:          win10v2004-20231023-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted:         02-11-2023 16:50
Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample:    NEAS.d644fe1e93178de1d9b37d321f89e260.dll
  Resource:  win7-20231020-en (windows7-x64)
  8 signatures, 150 seconds

Behavioral task: behavioral2
  Sample:    NEAS.d644fe1e93178de1d9b37d321f89e260.dll
  Resource:  win10v2004-20231023-en (windows10-2004-x64)
  9 signatures, 150 seconds
General

Target:  NEAS.d644fe1e93178de1d9b37d321f89e260.dll
Size:    941KB
MD5:     d644fe1e93178de1d9b37d321f89e260
SHA1:    65bd5c0f89ba6de1af461fc797bf2311219e8ebe
SHA256:  130e3c35f60ffae345a7bb8b9c46fc66e708fe9bc465c9756eeac1fb648970ce
SHA512:  5736993c5913872fe84bace3ae0facd28734877d823aca55aa8b87cb304a860089d4cc7da21235961ea8bdb88a4ef944fd04dd8622fb61dfd7dd8ec632b6bd3d
SSDEEP:  12288:yA/YXEn35T/LilVmBVGL8WXjHXr1Fu/Rgl1vi9A:yA/Y035jLQVmBVG/rwAK9

Score: 7/10
Malware Config
Signatures
Drops startup file (2 IoCs)
  Description                   IoC                                                                                                  Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows·þÎñ³ÌÐò.lnk   rundll32.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows·þÎñ³ÌÐò.lnk   rundll32.exe

Drops file in System32 directory (1 IoCs)
  Description   IoC                                               Process
  File created  C:\Windows\SysWOW64\superec.AntiOpenProcess.sys   rundll32.exe

Drops file in Program Files directory (1 IoCs)
  Description                   IoC                                  Process
  File opened for modification  C:\Program Files\WinzhConnet\hgx.h   rundll32.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (4 IoCs)
  Description  IoC                                                                                            Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib                                                     rundll32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}              rundll32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0          rundll32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\HELPDIR  rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process
  2464  rundll32.exe   (same entry repeated 64 times)

Suspicious behavior: LoadsDriver (2 IoCs)
  PID   Process
  668   Process not Found
  668   Process not Found

Suspicious use of SetWindowsHookEx (9 IoCs)
  PID   Process
  2464  rundll32.exe   (same entry repeated 9 times)

Suspicious use of WriteProcessMemory (3 IoCs)
  Description                       PID   Process       procid_target
  PID 5028 wrote to memory of 2464  5028  rundll32.exe  88
  PID 5028 wrote to memory of 2464  5028  rundll32.exe  88
  PID 5028 wrote to memory of 2464  5028  rundll32.exe  88
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d644fe1e93178de1d9b37d321f89e260.dll,#1
  PID: 5028
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of PID 5028)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.d644fe1e93178de1d9b37d321f89e260.dll,#1
    PID: 2464
    - Drops startup file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx