Overview

overview

8

Static

static

3

NEAS.9b41e...d0.exe

windows7-x64

8

NEAS.9b41e...d0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/11/2023, 13:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.9b41e6d55dc0151c843a30d4010fc3d0.exe

  • Size

    70KB

  • MD5

    9b41e6d55dc0151c843a30d4010fc3d0

  • SHA1

    ba18ace1459ebec4bfdadf2a7b02d30ec7e971cd

  • SHA256

    39ea763c8b6b899b73c8f75fcb20ce0f1f78d8c52fa183da222afa4e428e88d1

  • SHA512

    308993066fd5752f60276c8f99975426e81411c8f808e983fe48a1820f92173c2b3ea0e16cd3727b4fc8930b10233ef86f5c7b19e6a51638ad466d64ae83aa89

  • SSDEEP

    1536:9q5VwWDjDkdTRqHFOn8tIbbeYiuZIFS9b1YTjipvF2a:9q5ud9qHFO8Kf3rIIb1YvQd2a

Score
7/10
persistence

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.9b41e6d55dc0151c843a30d4010fc3d0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.9b41e6d55dc0151c843a30d4010fc3d0.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1968
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1380
          4⤵
          • Program crash
          PID:4288
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1968 -ip 1968
    1⤵
      PID:3120

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\ctfmen.exe
            Filesize

            4KB

            MD5

            f7c42151315c1e7e13c8ba1f29d9c591

            SHA1

            b180ab3d38af7c14c39be63b1c27156be4f3864a

            SHA256

            f01de414b9188dbfb77ca782be189c67c6d9e67b0184af6366db0f47c45a3b84

            SHA512

            88f2557d198cc6b63ae702565f0db4620176fcadd7a674d957e7bd65b7714c69483d3eb86e64867f0bf04aa76fcb055b86cc32a0e2c7803e81bbd8ede9499dde

            Download Submit

          • C:\Windows\SysWOW64\ctfmen.exe
            Filesize

            4KB

            MD5

            f7c42151315c1e7e13c8ba1f29d9c591

            SHA1

            b180ab3d38af7c14c39be63b1c27156be4f3864a

            SHA256

            f01de414b9188dbfb77ca782be189c67c6d9e67b0184af6366db0f47c45a3b84

            SHA512

            88f2557d198cc6b63ae702565f0db4620176fcadd7a674d957e7bd65b7714c69483d3eb86e64867f0bf04aa76fcb055b86cc32a0e2c7803e81bbd8ede9499dde

            Download Submit

          • C:\Windows\SysWOW64\grcopy.dll
            Filesize

            70KB

            MD5

            e07a7ebab52dab1f84e46bb8962a0d4c

            SHA1

            cfc74ec4352e776d3d9fe96f55a71f653344ea71

            SHA256

            03de8f1651542c9b679f0b4eee028dc1ef71346e337e7f9d1c84da4574443b6f

            SHA512

            289d5dcc6c353637092611d10175e1cc1c12ac7e7d6552c6982771ccb0b807be1d6c81c3a084ace5acfa4e6c6176bf6bd48c9a9919e82d1843217c8ac7b335c6

            Download Submit

          • C:\Windows\SysWOW64\grcopy.dll
            Filesize

            70KB

            MD5

            e07a7ebab52dab1f84e46bb8962a0d4c

            SHA1

            cfc74ec4352e776d3d9fe96f55a71f653344ea71

            SHA256

            03de8f1651542c9b679f0b4eee028dc1ef71346e337e7f9d1c84da4574443b6f

            SHA512

            289d5dcc6c353637092611d10175e1cc1c12ac7e7d6552c6982771ccb0b807be1d6c81c3a084ace5acfa4e6c6176bf6bd48c9a9919e82d1843217c8ac7b335c6

            Download Submit

          • C:\Windows\SysWOW64\satornas.dll
            Filesize

            183B

            MD5

            c682810c2697864d5df0819b3e3bf5c4

            SHA1

            eae3e90b193da47442206ee559ca5ff0cf9507f6

            SHA256

            2435b7622a0ae6fbe24ddd3292725503c6d212b0121083e989310d0323a5491b

            SHA512

            e0a11c5c7fd868bc97053d35623e0aeb634b35b606c61ea19fb315e555fbcf4efd7dbcff3c6cf8901ab59d9bed20382e193b4b51ffdbaacbec0d18f237b7fd5a

            Download Submit

          • C:\Windows\SysWOW64\shervans.dll
            Filesize

            8KB

            MD5

            e7d63d7a8cf22674a705875cf358ad3c

            SHA1

            db0957ceb6767968449471b7982ff362e982eead

            SHA256

            c827cfd70b4589080e98d851e66f713034e93d8a1420ceb95726f62098f109df

            SHA512

            87c5bc8380347073b1a25b86c7182d96abc11ae2bb2ce4f3d0dc0993e32c2a4e7dadab2deeec99994837e693a8787dc28797bf91a855e8de4bcc19b60b57b7f7

            Download Submit

          • C:\Windows\SysWOW64\shervans.dll
            Filesize

            8KB

            MD5

            e7d63d7a8cf22674a705875cf358ad3c

            SHA1

            db0957ceb6767968449471b7982ff362e982eead

            SHA256

            c827cfd70b4589080e98d851e66f713034e93d8a1420ceb95726f62098f109df

            SHA512

            87c5bc8380347073b1a25b86c7182d96abc11ae2bb2ce4f3d0dc0993e32c2a4e7dadab2deeec99994837e693a8787dc28797bf91a855e8de4bcc19b60b57b7f7

            Download Submit

          • C:\Windows\SysWOW64\shervans.dll
            Filesize

            8KB

            MD5

            e7d63d7a8cf22674a705875cf358ad3c

            SHA1

            db0957ceb6767968449471b7982ff362e982eead

            SHA256

            c827cfd70b4589080e98d851e66f713034e93d8a1420ceb95726f62098f109df

            SHA512

            87c5bc8380347073b1a25b86c7182d96abc11ae2bb2ce4f3d0dc0993e32c2a4e7dadab2deeec99994837e693a8787dc28797bf91a855e8de4bcc19b60b57b7f7

            Download Submit

          • C:\Windows\SysWOW64\smnss.exe
            Filesize

            70KB

            MD5

            e07a7ebab52dab1f84e46bb8962a0d4c

            SHA1

            cfc74ec4352e776d3d9fe96f55a71f653344ea71

            SHA256

            03de8f1651542c9b679f0b4eee028dc1ef71346e337e7f9d1c84da4574443b6f

            SHA512

            289d5dcc6c353637092611d10175e1cc1c12ac7e7d6552c6982771ccb0b807be1d6c81c3a084ace5acfa4e6c6176bf6bd48c9a9919e82d1843217c8ac7b335c6

            Download Submit

          • C:\Windows\SysWOW64\smnss.exe
            Filesize

            70KB

            MD5

            e07a7ebab52dab1f84e46bb8962a0d4c

            SHA1

            cfc74ec4352e776d3d9fe96f55a71f653344ea71

            SHA256

            03de8f1651542c9b679f0b4eee028dc1ef71346e337e7f9d1c84da4574443b6f

            SHA512

            289d5dcc6c353637092611d10175e1cc1c12ac7e7d6552c6982771ccb0b807be1d6c81c3a084ace5acfa4e6c6176bf6bd48c9a9919e82d1843217c8ac7b335c6

            Download Submit

          • memory/1968-31-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1968-35-0x0000000010000000-0x000000001000D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/1968-37-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1968-38-0x0000000010000000-0x000000001000D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/3520-24-0x0000000010000000-0x000000001000D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/3520-21-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3520-0-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3520-13-0x0000000010000000-0x000000001000D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/4280-26-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/4280-22-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download