Analysis

  • max time kernel
    138s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-11-2023 16:39

General

  • Target

    NEAS.stub.exe

  • Size

    1.6MB

  • MD5

    a1ac9ba1ddc6808d7d9a301c9e546b65

  • SHA1

    928bfdea4586169b27c5c1ad23db19d9aede5e30

  • SHA256

    0fe68b8689e8d8439ae48b39dc96d6ab178e2a68c83a5cdfe577eb9d3b9537d2

  • SHA512

    c1082a59cba1736639ebd0ffea1e59fc8f2b98fc4ef3f60efdb77b9da2efb5af2f7e1bda0b28ca73eb2b61d671d0b3679603f7a4e21cffacba84683305a337c2

  • SSDEEP

    24576:Oi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLM:ZTq24GjdGSiqkqXfd+/9AqYanieKd

Score
10/10

Malware Config

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp93FE.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        PID:5036
        • C:\Windows\SysWOW64\taskkill.exe
          TaskKill /F /IM 1192
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2984
        • C:\Windows\SysWOW64\timeout.exe
          Timeout /T 2 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:3496

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp93FE.tmp.bat

      Filesize

      57B

      MD5

      38e5bb452f6602ce759e729585a72431

      SHA1

      88c484eee41f1f60e8b61b2bc6f30181e927fa29

      SHA256

      55cebc312686d4eacf57ab82c4fba19a7e6a54039a066786bf60d165d848b617

      SHA512

      fe97c8f94d8d440743bdef4a75e14a75a75c794a3e9d87693ccc821fa26c8c195d00bb9b2aebdfbbf63fb7a10bd7145a40a75a234fe382fef2358f62a58a4edb

    • memory/1192-1-0x00000000749A0000-0x0000000075150000-memory.dmp

      Filesize

      7.7MB

    • memory/1192-0-0x00000000002F0000-0x0000000000486000-memory.dmp

      Filesize

      1.6MB

    • memory/1192-2-0x0000000004E60000-0x0000000004EC6000-memory.dmp

      Filesize

      408KB

    • memory/1192-3-0x0000000004E50000-0x0000000004E60000-memory.dmp

      Filesize

      64KB

    • memory/1192-6-0x00000000749A0000-0x0000000075150000-memory.dmp

      Filesize

      7.7MB

    • memory/1192-10-0x0000000004E50000-0x0000000004E60000-memory.dmp

      Filesize

      64KB

    • memory/1192-12-0x00000000749A0000-0x0000000075150000-memory.dmp

      Filesize

      7.7MB