Analysis
max time kernel: 135s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-11-2023 16:36
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.640ef9afce45a61a02970462b829bf37a845948c17d72577dc70c1c21aa55b23.url
Resource: win7-20231025-en
General
Target: NEAS.640ef9afce45a61a02970462b829bf37a845948c17d72577dc70c1c21aa55b23.url
Size: 204B
MD5: 9125bafd876eda003abefbcfd3280900
SHA1: 5d045bdedaae6242de78f8a89fceca748f279a0d
SHA256: 640ef9afce45a61a02970462b829bf37a845948c17d72577dc70c1c21aa55b23
SHA512: 69df286a83a636dbdaf9a2b0e4b30ff8b716245244f475ee945f498aadd37d5cab9edef3e1a73710d46eb4b36e99daa39bb4201b26ae149eff63896aead13111
Malware Config
Extracted family: systembc
C2: 62.173.140.37:4001
Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   process
  75    2036  rundll32.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation (rundll32.exe)

Loads dropped DLL (1 IoC)
  pid   process
  2036  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings (rundll32.exe)

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  4320  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  source pid  source process  target pid  target process
  4320        rundll32.exe    4164        control.exe
  4320        rundll32.exe    4164        control.exe
  4164        control.exe     448         rundll32.exe
  4164        control.exe     448         rundll32.exe
  448         rundll32.exe    2036        rundll32.exe
  448         rundll32.exe    2036        rundll32.exe
  448         rundll32.exe    2036        rundll32.exe
Processes

1. C:\Windows\System32\rundll32.exe (PID 4320)
   Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\NEAS.640ef9afce45a61a02970462b829bf37a845948c17d72577dc70c1c21aa55b23.url
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\control.exe (PID 4164, child of 4320)
      Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E51EX1F6\wizard[1].cpl",
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\rundll32.exe (PID 448, child of 4164)
         Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E51EX1F6\wizard[1].cpl",
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\rundll32.exe (PID 2036, child of 448)
            Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E51EX1F6\wizard[1].cpl",
            - Blocklisted process makes network request
            - Loads dropped DLL
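The four-hop tree above is the whole infection path: rundll32.exe opens the .url through ieframe.dll's OpenURL export, the wizard[1].cpl that ends up in the IE cache (INetCache) is handed to control.exe, control.exe passes it to rundll32.exe Shell32.dll,Control_RunDLL, and the final 32-bit rundll32.exe (the "#44" form) loads the dropped DLL and makes the blocklisted network request to the SystemBC C2. The Python below is an added example, not part of the Triage report and not Triage's own detection logic: it reconstructs that lineage from process-creation events. The events are constructed to mirror the tree (PIDs, images and command lines are copied from the report); the ProcEvent field names, the "cache or Temp" location rule, and the parent PID 1000 given to the root (the report does not show the root's parent) are assumptions.

```python
"""Hunt for the .url -> cached .cpl -> Control_RunDLL chain shown in the process tree.

Added example, not part of the Triage report. Event schema and the suspicious
.cpl locations are assumptions; PIDs and command lines mirror the report.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / EDR style; assumed schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# rundll32.exe handing a .url file to ieframe.dll's OpenURL export
URL_OPENER = re.compile(r'ieframe\.dll"?\s*,\s*OpenURL\b.*\.url\b', re.IGNORECASE)
# a .cpl applet living under INetCache or Temp instead of System32 (assumed suspicious locations)
CACHED_CPL = re.compile(r'\\(?:INetCache|Temp)\\[^"]*\.cpl\b', re.IGNORECASE)
# shell32's Control_RunDLL by name, or the "#44" ordinal form seen in the report's last hop
CPL_LOADER = re.compile(r'Control_RunDLL\b|shell32\.dll"?\s*,\s*#44\b', re.IGNORECASE)


def _basename(image: str) -> str:
    # ntpath handles backslash paths even when this runs on a non-Windows analysis box
    return ntpath.basename(image).lower()


def is_url_opener(e: ProcEvent) -> bool:
    return _basename(e.image) == "rundll32.exe" and URL_OPENER.search(e.cmdline) is not None


def is_suspicious_cpl_launch(e: ProcEvent) -> bool:
    """control.exe, or rundll32.exe via Control_RunDLL/#44, loading a .cpl from a cache/temp path."""
    if CACHED_CPL.search(e.cmdline) is None:
        return False
    name = _basename(e.image)
    if name == "control.exe":
        return True
    return name == "rundll32.exe" and CPL_LOADER.search(e.cmdline) is not None


def find_cpl_chains(events, max_depth: int = 5):
    """Return a (root_pid, ..., leaf_pid) tuple for every suspicious .cpl launch whose
    ancestry reaches a rundll32.exe OpenURL root within max_depth parent hops."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        if not is_suspicious_cpl_launch(e):
            continue
        lineage = [e.pid]
        cur = e
        for _ in range(max_depth):
            parent = by_pid.get(cur.ppid)
            if parent is None:  # parent outside the log window: stop walking this leaf
                break
            lineage.append(parent.pid)
            if is_url_opener(parent):
                chains.append(tuple(reversed(lineage)))
                break
            cur = parent
    return chains


# Constructed events modelled on the report's process tree; PPID 1000 for the root is assumed.
CPL = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E51EX1F6\wizard[1].cpl"
EVENTS = [
    ProcEvent(4320, 1000, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL '
              r"C:\Users\Admin\AppData\Local\Temp\NEAS.640ef9afce45a61a02970462b829bf37a845948c17d72577dc70c1c21aa55b23.url"),
    ProcEvent(4164, 4320, r"C:\Windows\System32\control.exe",
              rf'"C:\Windows\System32\control.exe" "{CPL}",'),
    ProcEvent(448, 4164, r"C:\Windows\system32\rundll32.exe",
              rf'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "{CPL}",'),
    ProcEvent(2036, 448, r"C:\Windows\SysWOW64\rundll32.exe",
              rf'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "{CPL}",'),
    # benign control: a user opening a built-in applet (constructed, must not match)
    ProcEvent(5000, 1000, r"C:\Windows\System32\control.exe",
              r'"C:\Windows\System32\control.exe" /name Microsoft.Display'),
]

if __name__ == "__main__":
    by_pid = {e.pid: e for e in EVENTS}
    for chain in find_cpl_chains(EVENTS):
        print(" -> ".join(f"{pid} {_basename(by_pid[pid].image)}" for pid in chain))
```

Each matching process is reported with its own lineage, so the 4164, 448 and 2036 hops each produce a chain back to PID 4320; a SIEM consumer would normally keep only the longest one. The cache-path .cpl alone is already a strong signal since legitimate applets load from System32, and the OpenURL parent narrows it to the .url delivery seen here; the flow to 62.173.140.37:4001 from PID 2036 is the network pivot that confirms the SystemBC config.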
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16KB
MD5: cac81707eba1be452f548e410275a0ac
SHA1: dd4b3bbd8bf357bbdeeb593e94ff0bf9b5ae19f2
SHA256: 2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84
SHA512: 01b6b45ec3c5ef4a0162164dfd69c15b08ed37082778ef97d0f1486bc82b4b1659a90705a4d9be42b9d25c8776e20011845a9f5e4498400b11cf14a3310df8d7