Analysis

  max time kernel:   138s
  max time network:  149s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231023-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         17-11-2023 17:20

Tasks

  Static task:       static1
  Behavioral task:   behavioral1
    Sample:          NEAS.e388ae91a8cdc3ae144f1b861aa4dd3168a4a091e74871874221fa69424f10e9.url
    Resource:        win7-20231023-en
General

  Target:   NEAS.e388ae91a8cdc3ae144f1b861aa4dd3168a4a091e74871874221fa69424f10e9.url
  Size:     204B
  MD5:      357d521672b45d44bcc584f2fe4f0592
  SHA1:     c8d47e89f1317615b6135d5ce2cb2e784528d437
  SHA256:   e388ae91a8cdc3ae144f1b861aa4dd3168a4a091e74871874221fa69424f10e9
  SHA512:   b3eb93c20080c2f8d431aaa11dbe93570b34c84a57eeabfe71a0101c674695b352b741e0e5dd1e2f08d14673804cc28254ebfebc8e25390c2b616e57ac9a244a
Malware Config

  Extracted family:  systembc
  Extracted C2:      62.173.140.37:4001
Signatures

- Blocklisted process makes network request (1 IoC)
  Process: rundll32.exe (PID 760), network flow 54

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: rundll32.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation

- Loads dropped DLL (1 IoC)
  Process: rundll32.exe (PID 760)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (1 IoC)
  Process: rundll32.exe
  Key created: \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings

- Suspicious use of FindShellTrayWindow (1 IoC)
  Process: rundll32.exe (PID 412)

- Suspicious use of WriteProcessMemory (7 IoCs)
  Source PID  Source process  Target PID  Target process  Count
  412         rundll32.exe    4752        control.exe     2
  4752        control.exe     4828        rundll32.exe    2
  4828        rundll32.exe    760         rundll32.exe    3
Processes

[1] PID 412   C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\NEAS.e388ae91a8cdc3ae144f1b861aa4dd3168a4a091e74871874221fa69424f10e9.url
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] PID 4752   C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T0U3BIO\wizard[1].cpl",
      - Suspicious use of WriteProcessMemory

    [3] PID 4828   C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T0U3BIO\wizard[1].cpl",
        - Suspicious use of WriteProcessMemory

      [4] PID 760   C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T0U3BIO\wizard[1].cpl",
          - Blocklisted process makes network request
          - Loads dropped DLL
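The chain above is what makes this sample worth a rule: the .url is handed to ieframe.dll's OpenURL export by the 64-bit rundll32 (PID 412), the target that comes back is a Control Panel item (.cpl) sitting in the IE cache, control.exe (PID 4752) passes it to rundll32 Shell32.dll,Control_RunDLL (PID 4828), and a 32-bit rundll32 (PID 760) loads the same .cpl via shell32.dll by ordinal (#44) before making the network request. The following is an added detection example, not part of the sandbox report or its tooling. It builds process events from the PIDs and command lines printed above (plus one constructed benign .url case that opens a browser) and flags any control.exe or rundll32 .cpl loader whose ancestry contains a rundll32 OpenURL call; the field names are my own, not a particular EDR's schema.

```python
"""Flag the .url -> control.exe -> rundll32 Control_RunDLL chain from the tree above.

Added detection example, not part of the sandbox report. Events are constructed
from the report's PIDs and command lines plus one benign case; field names are
my own rather than any EDR's schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    root_pid: int          # rundll32 that opened the Internet Shortcut
    pid: int               # process that was handed the .cpl
    url_file: Optional[str]
    cpl_path: str
    from_web_cache: bool   # .cpl sits under INetCache / Temporary Internet Files


# rundll32 invoked on ieframe.dll's OpenURL export, the handler behind .url files
OPENURL_RE = re.compile(r'ieframe\.dll"?\s*,\s*OpenURL\b', re.I)
URL_FILE_RE = re.compile(r'"?([A-Za-z]:\\[^"\s]*?\.url)\b', re.I)
# a Control Panel item passed as an argument
CPL_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.cpl)\b', re.I)
# shell32 .cpl loaders as seen in the tree: Control_RunDLL by name, #44 by ordinal
CPL_LOADER_RE = re.compile(r'Control_RunDLL\b|shell32\.dll"?\s*,\s*#44\b', re.I)
WEB_CACHE_RE = re.compile(r'\\(INetCache|Temporary Internet Files)\\', re.I)

# Constructed process-creation events modelled on the report's process tree.
EVENTS: List[Proc] = [
    Proc(412, 0, r"C:\Windows\System32\rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL '
         r'C:\Users\Admin\AppData\Local\Temp\NEAS.e388ae91a8cdc3ae144f1b861aa4dd3168a4a091e74871874221fa69424f10e9.url'),
    Proc(4752, 412, r"C:\Windows\System32\control.exe",
         r'"C:\Windows\System32\control.exe" '
         r'"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T0U3BIO\wizard[1].cpl",'),
    Proc(4828, 4752, r"C:\Windows\system32\rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL '
         r'"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T0U3BIO\wizard[1].cpl",'),
    Proc(760, 4828, r"C:\Windows\SysWOW64\rundll32.exe",
         r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 '
         r'"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T0U3BIO\wizard[1].cpl",'),
    # Benign (constructed): a .url that just opens a web page in the browser.
    Proc(900, 0, r"C:\Windows\System32\rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\Desktop\intranet.url'),
    Proc(901, 900, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://intranet.example/'),
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(p: Proc, by_pid: Dict[int, Proc]) -> Iterator[Proc]:
    """Walk parent links upward, stopping on a missing parent or a PID cycle."""
    seen = {p.pid}
    cur = by_pid.get(p.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def is_cpl_consumer(p: Proc) -> bool:
    """control.exe, or rundll32 calling one of shell32's .cpl entry points."""
    name = image_name(p.image)
    if name == "control.exe":
        return True
    return name == "rundll32.exe" and CPL_LOADER_RE.search(p.cmdline) is not None


def detect_url_to_cpl(events: List[Proc]) -> List[Finding]:
    """Return one Finding per .cpl consumer that descends from a rundll32 OpenURL call."""
    by_pid = {p.pid: p for p in events}
    findings: List[Finding] = []
    for p in events:
        m = CPL_RE.search(p.cmdline)
        if not m or not is_cpl_consumer(p):
            continue
        for anc in ancestors(p, by_pid):
            if image_name(anc.image) == "rundll32.exe" and OPENURL_RE.search(anc.cmdline):
                u = URL_FILE_RE.search(anc.cmdline)
                findings.append(Finding(
                    root_pid=anc.pid, pid=p.pid,
                    url_file=u.group(1) if u else None,
                    cpl_path=m.group(1),
                    from_web_cache=WEB_CACHE_RE.search(m.group(1)) is not None,
                ))
                break
    return findings


if __name__ == "__main__":
    for f in detect_url_to_cpl(EVENTS):
        print(f"root rundll32 PID {f.root_pid} -> PID {f.pid} loaded {f.cpl_path} "
              f"(web cache: {f.from_web_cache})")
```

Run against the constructed events, the rule fires three times (PIDs 4752, 4828 and 760, all rooted at 412, all with the .cpl under INetCache) and stays silent on the benign .url that merely launched a browser. Requiring the OpenURL ancestor rather than matching Control_RunDLL alone is what keeps ordinary Control Panel usage out of the alert queue; the from_web_cache flag is the field to escalate on, since a .cpl that has just arrived through the IE cache has no business being loaded at all.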
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize:  16KB
  MD5:       cac81707eba1be452f548e410275a0ac
  SHA1:      dd4b3bbd8bf357bbdeeb593e94ff0bf9b5ae19f2
  SHA256:    2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84
  SHA512:    01b6b45ec3c5ef4a0162164dfd69c15b08ed37082778ef97d0f1486bc82b4b1659a90705a4d9be42b9d25c8776e20011845a9f5e4498400b11cf14a3310df8d7