Analysis
-
max time kernel
138s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system -
submitted
17-11-2023 16:39
Behavioral task
behavioral1
Sample
NEAS.stub.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.stub.exe
Resource
win10v2004-20231025-en
General
-
Target
NEAS.stub.exe
-
Size
1.6MB
-
MD5
a1ac9ba1ddc6808d7d9a301c9e546b65
-
SHA1
928bfdea4586169b27c5c1ad23db19d9aede5e30
-
SHA256
0fe68b8689e8d8439ae48b39dc96d6ab178e2a68c83a5cdfe577eb9d3b9537d2
-
SHA512
c1082a59cba1736639ebd0ffea1e59fc8f2b98fc4ef3f60efdb77b9da2efb5af2f7e1bda0b28ca73eb2b61d671d0b3679603f7a4e21cffacba84683305a337c2
-
SSDEEP
24576:Oi2Q9NXw2/wPOjdGxY2rqkqjVnlqud+/2P+A+ZecdyFoBkkAnexMrdgLM:ZTq24GjdGSiqkqXfd+/9AqYanieKd
Malware Config
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
NEAS.stub.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation NEAS.stub.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3496 timeout.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2984 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
NEAS.stub.exepid process 1192 NEAS.stub.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
NEAS.stub.exetaskkill.exedescription pid process Token: SeDebugPrivilege 1192 NEAS.stub.exe Token: SeDebugPrivilege 2984 taskkill.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
NEAS.stub.execmd.exedescription pid process target process PID 1192 wrote to memory of 4120 1192 NEAS.stub.exe cmd.exe PID 1192 wrote to memory of 4120 1192 NEAS.stub.exe cmd.exe PID 1192 wrote to memory of 4120 1192 NEAS.stub.exe cmd.exe PID 4120 wrote to memory of 5036 4120 cmd.exe chcp.com PID 4120 wrote to memory of 5036 4120 cmd.exe chcp.com PID 4120 wrote to memory of 5036 4120 cmd.exe chcp.com PID 4120 wrote to memory of 2984 4120 cmd.exe taskkill.exe PID 4120 wrote to memory of 2984 4120 cmd.exe taskkill.exe PID 4120 wrote to memory of 2984 4120 cmd.exe taskkill.exe PID 4120 wrote to memory of 3496 4120 cmd.exe timeout.exe PID 4120 wrote to memory of 3496 4120 cmd.exe timeout.exe PID 4120 wrote to memory of 3496 4120 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.stub.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp93FE.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:5036
-
C:\Windows\SysWOW64\taskkill.exeTaskKill /F /IM 11923⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2984 -
C:\Windows\SysWOW64\timeout.exeTimeout /T 2 /Nobreak3⤵
- Delays execution with timeout.exe
PID:3496
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
57B
MD538e5bb452f6602ce759e729585a72431
SHA188c484eee41f1f60e8b61b2bc6f30181e927fa29
SHA25655cebc312686d4eacf57ab82c4fba19a7e6a54039a066786bf60d165d848b617
SHA512fe97c8f94d8d440743bdef4a75e14a75a75c794a3e9d87693ccc821fa26c8c195d00bb9b2aebdfbbf63fb7a10bd7145a40a75a234fe382fef2358f62a58a4edb