Overview

overview

10

Static

static

3

NEAS.f1162...JC.exe

windows7-x64

1

NEAS.f1162...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2023 23:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.f116291e9940be107cf143fb4e02b7a0_JC.exe

  • Size

    224KB

  • MD5

    f116291e9940be107cf143fb4e02b7a0

  • SHA1

    1c09343ab459b2b50e0fd95b1b778c9fc5f2fef0

  • SHA256

    dbaa73ae7192f8335343640111815aa16fc3255e977464642e9d65d8687cff94

  • SHA512

    e77396ab5f313301bb0aaadef60b73cb6497b3d5071e862ffa1e096a8987520008b73dbfe1840fda24b6ee18346a03b635e794e7dc4e54ee3fb6bf0c8f78e846

  • SSDEEP

    3072:dsXRmUIMitPqQIZe27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwBmf5P:KR5ITqQIZeGk7RZBGxAycKpSPX2e

Score
10/10
evasionpersistencespywarestealer

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.f116291e9940be107cf143fb4e02b7a0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.f116291e9940be107cf143fb4e02b7a0_JC.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\UIMgrBroker32.exe
      "C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\UIMgrBroker32.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /tn Admin /tr "\"C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\UIMgrBroker32.exe\" arguments" /sc MINUTE /mo 1
        3⤵
        • Creates scheduled task(s)
        PID:4808
      • \??\c:\windows\microsoft.net\framework\v2.0.50727\InstallUtil.exe
        "c:\windows\microsoft.net\framework\v2.0.50727\\InstallUtil.exe" C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\UIMgrBroker32.exe
        3⤵
          PID:1372
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 192
            4⤵
            • Program crash
            PID:4044
        • \??\c:\windows\microsoft.net\framework\v2.0.50727\InstallUtil.exe
          "c:\windows\microsoft.net\framework\v2.0.50727\\InstallUtil.exe" C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\UIMgrBroker32.exe
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3984
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe"
        2⤵
          PID:4816
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 5 && del "C:\Users\Admin\AppData\Local\Temp\NEAS.f116291e9940be107cf143fb4e02b7a0_JC.exe" && del "C:\Users\Admin\AppData\Local\Temp\NEAS.f116291e9940be107cf143fb4e02b7a0_JC.exe.config"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3496
          • C:\Windows\system32\timeout.exe
            timeout /t 5
            3⤵
            • Delays execution with timeout.exe
            PID:2832
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1372 -ip 1372
        1⤵
          PID:4392
        • C:\Windows\system32\wbem\WmiApSrv.exe
          C:\Windows\system32\wbem\WmiApSrv.exe
          1⤵
            PID:3500
          • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\UIMgrBroker32.exe
            C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\UIMgrBroker32.exe arguments
            1⤵
            • Executes dropped EXE
            PID:4364

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\UIMgrBroker32.exe
            Filesize

            224KB

            MD5

            78120b8a9c0cc1e5fb7d3e19b5034cdb

            SHA1

            1297865d3132064989bdb3fb55daf96dde8bf581

            SHA256

            d1c1c1e5865310e33bc0fc8e615cb9e747dd01abbdedc3f5aeaa19b0ad34e21b

            SHA512

            d513d9671aff4b3bba09092d391b1e0c31b7ddb3ba71e26714010966cf01eb39d790a43a547df6969c0406c635fe7529fc140666ddd0a40999d72c8263b4deae

            Download Submit

          • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\UIMgrBroker32.exe
            Filesize

            224KB

            MD5

            78120b8a9c0cc1e5fb7d3e19b5034cdb

            SHA1

            1297865d3132064989bdb3fb55daf96dde8bf581

            SHA256

            d1c1c1e5865310e33bc0fc8e615cb9e747dd01abbdedc3f5aeaa19b0ad34e21b

            SHA512

            d513d9671aff4b3bba09092d391b1e0c31b7ddb3ba71e26714010966cf01eb39d790a43a547df6969c0406c635fe7529fc140666ddd0a40999d72c8263b4deae

            Download Submit

          • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\UIMgrBroker32.exe
            Filesize

            224KB

            MD5

            78120b8a9c0cc1e5fb7d3e19b5034cdb

            SHA1

            1297865d3132064989bdb3fb55daf96dde8bf581

            SHA256

            d1c1c1e5865310e33bc0fc8e615cb9e747dd01abbdedc3f5aeaa19b0ad34e21b

            SHA512

            d513d9671aff4b3bba09092d391b1e0c31b7ddb3ba71e26714010966cf01eb39d790a43a547df6969c0406c635fe7529fc140666ddd0a40999d72c8263b4deae

            Download Submit

          • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\UIMgrBroker32.exe
            Filesize

            224KB

            MD5

            78120b8a9c0cc1e5fb7d3e19b5034cdb

            SHA1

            1297865d3132064989bdb3fb55daf96dde8bf581

            SHA256

            d1c1c1e5865310e33bc0fc8e615cb9e747dd01abbdedc3f5aeaa19b0ad34e21b

            SHA512

            d513d9671aff4b3bba09092d391b1e0c31b7ddb3ba71e26714010966cf01eb39d790a43a547df6969c0406c635fe7529fc140666ddd0a40999d72c8263b4deae

            Download Submit

          • C:\Users\Admin\AppData\Local\_foldernamelocalappdata_\UIMgrBroker32.exe.config
            Filesize

            1KB

            MD5

            dd3d04c365984b4ec57a80503f81fddf

            SHA1

            c55fbcb61818e47dac9aae465faff91f0805bd7c

            SHA256

            40a59ca9744dc3d4647f246b2dc553f37f8095418c1b48a9bd94cdb5c03dbc5c

            SHA512

            0dd459def2abe9e3f0d1251049a0755c63f7dd3d85e91dba272c3f479f2578e3f3f2379e1cd6913190f7f596af721201eb5d9423ab28aed72bde5cd3cac7f785

            Download Submit

          • memory/1372-33-0x0000000000400000-0x0000000000408000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1972-31-0x0000000001200000-0x0000000001210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1972-25-0x0000000001200000-0x0000000001210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1972-52-0x0000000020750000-0x0000000020850000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1972-49-0x0000000020750000-0x0000000020850000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/1972-48-0x0000000001200000-0x0000000001210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1972-47-0x0000000001200000-0x0000000001210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1972-46-0x000000001EB70000-0x000000001EBD2000-memory.dmp

            Filesize

            392KB

            Download

          • memory/1972-45-0x0000000001200000-0x0000000001210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1972-24-0x00007FF8B5030000-0x00007FF8B59D1000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1972-37-0x0000000001200000-0x0000000001210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1972-41-0x0000000001200000-0x0000000001210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1972-27-0x00007FF8B5030000-0x00007FF8B59D1000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1972-29-0x0000000001200000-0x0000000001210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1972-30-0x000000001ED40000-0x000000001ED62000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1972-39-0x0000000001200000-0x0000000001210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1972-32-0x0000000001200000-0x0000000001210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1972-34-0x00007FF8B5030000-0x00007FF8B59D1000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1972-38-0x0000000001200000-0x0000000001210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1972-35-0x0000000001200000-0x0000000001210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1972-36-0x00007FF8B5030000-0x00007FF8B59D1000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/3548-2-0x000000001B450000-0x000000001B4EC000-memory.dmp

            Filesize

            624KB

            Download

          • memory/3548-6-0x000000001C070000-0x000000001C0D6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3548-0-0x00007FF8B5030000-0x00007FF8B59D1000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/3548-28-0x00007FF8B5030000-0x00007FF8B59D1000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/3548-1-0x000000001BA40000-0x000000001BF0E000-memory.dmp

            Filesize

            4.8MB

            Download

          • memory/3548-8-0x000000001B520000-0x000000001B542000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3548-9-0x000000001F240000-0x000000001F2E6000-memory.dmp

            Filesize

            664KB

            Download

          • memory/3548-3-0x00007FF8B5030000-0x00007FF8B59D1000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/3548-4-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3548-5-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3548-7-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3984-44-0x0000000001A60000-0x0000000001A70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3984-50-0x0000000074D80000-0x0000000075331000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3984-51-0x0000000001A60000-0x0000000001A70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3984-43-0x0000000074D80000-0x0000000075331000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3984-42-0x0000000074D80000-0x0000000075331000-memory.dmp

            Filesize

            5.7MB

            Download