Analysis
-
max time kernel
9s -
max time network
15s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2023 14:16
Behavioral task
behavioral1
Sample
NEAS.6859b388a9d83d02a57f5081a74acad0.exe
Resource
win7-20231020-en
General
-
Target
NEAS.6859b388a9d83d02a57f5081a74acad0.exe
-
Size
111KB
-
MD5
6859b388a9d83d02a57f5081a74acad0
-
SHA1
c48b9ace80cd328210f7d630eb3655339977eb1e
-
SHA256
36ea141e35ff3647e1d25f3f7aaa52dafb9bfb387ddb702fa85d5dc7d8312193
-
SHA512
45a20fee79100ef0e22d69bf99ab6df46e8c054dde80855743b2d43dbcf5266ff26a1246de03061cbcaf0504e11f079f585267439400250bcf2d7e6c3ef1f1dd
-
SSDEEP
1536:B+bAQRcW6FSM91qQIwiOFJlRxMD029+DVe+bhDqI64QWezCrAZujV6D1:UbTcWWSJOzlPOqbxqH4QWezCrAZujA1
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation NEAS.6859b388a9d83d02a57f5081a74acad0.exe Key value queried \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation rat.exe -
Executes dropped EXE 1 IoCs
pid Process 4200 rat.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4396 schtasks.exe 4132 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2060 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 4648 tasklist.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4200 rat.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4200 rat.exe 4200 rat.exe 4200 rat.exe 4200 rat.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4404 NEAS.6859b388a9d83d02a57f5081a74acad0.exe Token: SeDebugPrivilege 4648 tasklist.exe Token: SeDebugPrivilege 4200 rat.exe Token: SeDebugPrivilege 4200 rat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4200 rat.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4404 wrote to memory of 4396 4404 NEAS.6859b388a9d83d02a57f5081a74acad0.exe 90 PID 4404 wrote to memory of 4396 4404 NEAS.6859b388a9d83d02a57f5081a74acad0.exe 90 PID 4404 wrote to memory of 4400 4404 NEAS.6859b388a9d83d02a57f5081a74acad0.exe 93 PID 4404 wrote to memory of 4400 4404 NEAS.6859b388a9d83d02a57f5081a74acad0.exe 93 PID 4400 wrote to memory of 4648 4400 cmd.exe 95 PID 4400 wrote to memory of 4648 4400 cmd.exe 95 PID 4400 wrote to memory of 2328 4400 cmd.exe 96 PID 4400 wrote to memory of 2328 4400 cmd.exe 96 PID 4400 wrote to memory of 2060 4400 cmd.exe 97 PID 4400 wrote to memory of 2060 4400 cmd.exe 97 PID 4400 wrote to memory of 4200 4400 cmd.exe 99 PID 4400 wrote to memory of 4200 4400 cmd.exe 99 PID 4200 wrote to memory of 4132 4200 rat.exe 101 PID 4200 wrote to memory of 4132 4200 rat.exe 101 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"2⤵
- Creates scheduled task(s)
PID:4396
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpFCCF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpFCCF.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 4404"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4648
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:2328
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:2060
-
-
C:\Users\ToxicEye\rat.exe"rat.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"4⤵
- Creates scheduled task(s)
PID:4132
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
214B
MD5631ac90ed63e0c3f8cfdee78cfd66106
SHA175ef408fa599ad5de8b83085c542a798a1c21705
SHA256a20cc728fc223ac597ee079d39d9248274e91e28a0401df928907e4342e670c6
SHA51208faf8e86cac70fbd6b1ea775d336462493a7e33aae339fd9c98155ffd8e51b18b5c4f54c5de9c7236703dcad1a6dffe8bec93f1ad118d02df010044a07c2bc8
-
Filesize
111KB
MD56859b388a9d83d02a57f5081a74acad0
SHA1c48b9ace80cd328210f7d630eb3655339977eb1e
SHA25636ea141e35ff3647e1d25f3f7aaa52dafb9bfb387ddb702fa85d5dc7d8312193
SHA51245a20fee79100ef0e22d69bf99ab6df46e8c054dde80855743b2d43dbcf5266ff26a1246de03061cbcaf0504e11f079f585267439400250bcf2d7e6c3ef1f1dd
-
Filesize
111KB
MD56859b388a9d83d02a57f5081a74acad0
SHA1c48b9ace80cd328210f7d630eb3655339977eb1e
SHA25636ea141e35ff3647e1d25f3f7aaa52dafb9bfb387ddb702fa85d5dc7d8312193
SHA51245a20fee79100ef0e22d69bf99ab6df46e8c054dde80855743b2d43dbcf5266ff26a1246de03061cbcaf0504e11f079f585267439400250bcf2d7e6c3ef1f1dd