Analysis

max time kernel: 135s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-11-2023 16:14

Static task: static1
Behavioral task: behavioral1
Sample: NEAS.fb8fc294dfeda915ae10f066eb3b85abdf47ca7f91cd94c60429b43177887cbd.url
Resource: win7-20231020-en
General

Target: NEAS.fb8fc294dfeda915ae10f066eb3b85abdf47ca7f91cd94c60429b43177887cbd.url
Size: 204B
MD5: e718f6d076309ffcbfa8515db1df0b6f
SHA1: 98c15c2ed94cdab0915f56daa334f35b6aeb5a45
SHA256: fb8fc294dfeda915ae10f066eb3b85abdf47ca7f91cd94c60429b43177887cbd
SHA512: 83f3fdb15331273c0e50847ace2d1f3828a8923492f874a1b9337d8525dfc44f44b980bb0527858cc06febd7f3859ed7f3571f9c3259b577770203080066e2f5
Malware Config
Extracted
systembc
62.173.140.37:4001
Signatures

Blocklisted process makes network request (1 IoCs)
Processes:
flow | pid  | process
75   | 2120 | rundll32.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description       | ioc                                                                                                | process
Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | rundll32.exe

Loads dropped DLL (1 IoCs)
Processes:
pid  | process
2120 | rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoCs)
Processes:
description | ioc                                                                                | process
Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings | rundll32.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
pid  | process
3024 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                      | pid  | process      | target process
PID 3024 wrote to memory of 3032 | 3024 | rundll32.exe | control.exe
PID 3024 wrote to memory of 3032 | 3024 | rundll32.exe | control.exe
PID 3032 wrote to memory of 324  | 3032 | control.exe  | rundll32.exe
PID 3032 wrote to memory of 324  | 3032 | control.exe  | rundll32.exe
PID 324 wrote to memory of 2120  | 324  | rundll32.exe | rundll32.exe
PID 324 wrote to memory of 2120  | 324  | rundll32.exe | rundll32.exe
PID 324 wrote to memory of 2120  | 324  | rundll32.exe | rundll32.exe
Processes

C:\Windows\System32\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\NEAS.fb8fc294dfeda915ae10f066eb3b85abdf47ca7f91cd94c60429b43177887cbd.url
  PID: 3024
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\control.exe
    Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E51EX1F6\wizard[1].cpl",
    PID: 3032
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E51EX1F6\wizard[1].cpl",
      PID: 324
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E51EX1F6\wizard[1].cpl",
        PID: 2120
        - Blocklisted process makes network request
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 16KB
MD5: cac81707eba1be452f548e410275a0ac
SHA1: dd4b3bbd8bf357bbdeeb593e94ff0bf9b5ae19f2
SHA256: 2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84
SHA512: 01b6b45ec3c5ef4a0162164dfd69c15b08ed37082778ef97d0f1486bc82b4b1659a90705a4d9be42b9d25c8776e20011845a9f5e4498400b11cf14a3310df8d7