Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 17-11-2023 16:39
Behavioral task: behavioral1
- Sample: NEAS.stub.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.stub.exe
- Resource: win10v2004-20231025-en
General
- Target: NEAS.stub.exe
- Size: 1.6MB
- MD5: a1ac9ba1ddc6808d7d9a301c9e546b65
- SHA1: 928bfdea4586169b27c5c1ad23db19d9aede5e30
- SHA256: 0fe68b8689e8d8439ae48b39dc96d6ab178e2a68c83a5cdfe577eb9d3b9537d2
- SHA512: c1082a59cba1736639ebd0ffea1e59fc8f2b98fc4ef3f60efdb77b9da2efb5af2f7e1bda0b28ca73eb2b61d671d0b3679603f7a4e21cffacba84683305a337c2
- SSDEEP: 24576:Oi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLM:ZTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Signatures
- Stealerium
  An open source info stealer written in C#, first seen in May 2022.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 1664, process timeout.exe
- Kills process with taskkill (1 IoC)
  Processes:
    pid 2456, process taskkill.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 1968, process NEAS.stub.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 1968, process NEAS.stub.exe
    Token: SeDebugPrivilege, pid 2456, process taskkill.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source pid / process -> target pid / process, each recorded 4 times):
    PID 1968 NEAS.stub.exe wrote to memory of PID 1688 cmd.exe (4 events)
    PID 1688 cmd.exe wrote to memory of PID 3040 chcp.com (4 events)
    PID 1688 cmd.exe wrote to memory of PID 2456 taskkill.exe (4 events)
    PID 1688 cmd.exe wrote to memory of PID 1664 timeout.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe"
  PID: 1968
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp83B9.tmp.bat
    PID: 1688
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      PID: 3040
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: TaskKill /F /IM 1968
      PID: 2456
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\timeout.exe
      Command line: Timeout /T 2 /Nobreak
      PID: 1664
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
- Filesize: 163KB
  MD5: 9441737383d21192400eca82fda910ec
  SHA1: 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
  SHA256: bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
  SHA512: 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
- Filesize: 57B
  MD5: 2c433d9737acd355653bb4abd50850f1
  SHA1: ffc55753ee0aa87b3420e53c40646449a83eeef6
  SHA256: fa159f4c4fd61df942f4b566613ea9d3b1389ff7aca86865d172e9929a5fff7a
  SHA512: 15ecffc96bdb39ef3b57006555b2f8cf1e32e5cd250cf385f4f30bd5cbe74a91469cd79e5a9483a8926b6e02a5ea24f2a2b169012ab48893cda439f32553d9c3