Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    17-11-2023 16:39

General

  • Target

    NEAS.stub.exe

  • Size

    1.6MB

  • MD5

    a1ac9ba1ddc6808d7d9a301c9e546b65

  • SHA1

    928bfdea4586169b27c5c1ad23db19d9aede5e30

  • SHA256

    0fe68b8689e8d8439ae48b39dc96d6ab178e2a68c83a5cdfe577eb9d3b9537d2

  • SHA512

    c1082a59cba1736639ebd0ffea1e59fc8f2b98fc4ef3f60efdb77b9da2efb5af2f7e1bda0b28ca73eb2b61d671d0b3679603f7a4e21cffacba84683305a337c2

  • SSDEEP

    24576:Oi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLM:ZTq24GjdGSiqkqXfd+/9AqYanieKd

Score
10/10

Malware Config

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp83B9.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:3040
        • C:\Windows\SysWOW64\taskkill.exe
          TaskKill /F /IM 1968
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2456
        • C:\Windows\SysWOW64\timeout.exe
          Timeout /T 2 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:1664

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab8039.tmp

      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    • C:\Users\Admin\AppData\Local\Temp\Tar807B.tmp

      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

    • C:\Users\Admin\AppData\Local\Temp\tmp83B9.tmp.bat

      Filesize

      57B

      MD5

      2c433d9737acd355653bb4abd50850f1

      SHA1

      ffc55753ee0aa87b3420e53c40646449a83eeef6

      SHA256

      fa159f4c4fd61df942f4b566613ea9d3b1389ff7aca86865d172e9929a5fff7a

      SHA512

      15ecffc96bdb39ef3b57006555b2f8cf1e32e5cd250cf385f4f30bd5cbe74a91469cd79e5a9483a8926b6e02a5ea24f2a2b169012ab48893cda439f32553d9c3

    • memory/1968-0-0x00000000001D0000-0x0000000000366000-memory.dmp

      Filesize

      1.6MB

    • memory/1968-1-0x0000000074C40000-0x000000007532E000-memory.dmp

      Filesize

      6.9MB

    • memory/1968-2-0x0000000004450000-0x0000000004490000-memory.dmp

      Filesize

      256KB

    • memory/1968-43-0x0000000074C40000-0x000000007532E000-memory.dmp

      Filesize

      6.9MB