Analysis
-
max time kernel
144s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06/05/2024, 23:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
Resource
win7-20240221-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe
-
Size
224KB
-
MD5
2ebf753c0a60d8bc21de31b1a6ea0c10
-
SHA1
5baadb15c4a31d714df6e1c4fae9cbaa44f87ce2
-
SHA256
51b446d748bcfc639b05dd75789880bb28eda7c8be4f5b40bb3138e118d2988e
-
SHA512
04f4d211db451fa910af964eae463073ef36f90147d9657d8c506604b9b806a1ab959d8f52ab824e1ba52303045bdd609d03776814dbf43152ec3eda10d1d94a
-
SSDEEP
6144:wIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPFsEPAsKCtZy:pKofHfHTXQLzgvnzHPowYbvrjD/L7QPo
Score
7/10
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0036000000015d06-10.dat acprotect -
Executes dropped EXE 2 IoCs
pid Process 2592 ctfmen.exe 2656 smnss.exe -
Loads dropped DLL 9 IoCs
pid Process 2080 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe 2080 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe 2080 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe 2592 ctfmen.exe 2592 ctfmen.exe 2656 smnss.exe 2920 WerFault.exe 2920 WerFault.exe 2920 WerFault.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe" smnss.exe -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 smnss.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1 smnss.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ctfmen.exe 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe File opened for modification C:\Windows\SysWOW64\shervans.dll 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe File created C:\Windows\SysWOW64\satornas.dll 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe File opened for modification C:\Windows\SysWOW64\satornas.dll 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe File created C:\Windows\SysWOW64\zipfiaq.dll smnss.exe File created C:\Windows\SysWOW64\smnss.exe smnss.exe File created C:\Windows\SysWOW64\ctfmen.exe 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe File created C:\Windows\SysWOW64\shervans.dll 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe File created C:\Windows\SysWOW64\grcopy.dll 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe File opened for modification C:\Windows\SysWOW64\grcopy.dll 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe File created C:\Windows\SysWOW64\smnss.exe 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe File created C:\Windows\SysWOW64\zipfi.dll smnss.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\fi.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ga.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\lv.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\pt.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ja.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\mn.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml smnss.exe File opened for modification C:\Program Files\DVD Maker\Shared\Filters.xml smnss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\be.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\cy.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\es.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\gu.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\lij.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\vi.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\gl.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sl.txt smnss.exe File opened for modification C:\Program Files\7-Zip\License.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sw.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\uk.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ext.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\hi.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ko.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\mr.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\sv.txt smnss.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\eo.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\hr.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml smnss.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml smnss.exe File opened for modification C:\Program Files\7-Zip\Lang\ast.txt smnss.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2920 2656 WerFault.exe 29 -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll" smnss.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2656 smnss.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2080 wrote to memory of 2592 2080 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe 28 PID 2080 wrote to memory of 2592 2080 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe 28 PID 2080 wrote to memory of 2592 2080 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe 28 PID 2080 wrote to memory of 2592 2080 2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe 28 PID 2592 wrote to memory of 2656 2592 ctfmen.exe 29 PID 2592 wrote to memory of 2656 2592 ctfmen.exe 29 PID 2592 wrote to memory of 2656 2592 ctfmen.exe 29 PID 2592 wrote to memory of 2656 2592 ctfmen.exe 29 PID 2656 wrote to memory of 2920 2656 smnss.exe 30 PID 2656 wrote to memory of 2920 2656 smnss.exe 30 PID 2656 wrote to memory of 2920 2656 smnss.exe 30 PID 2656 wrote to memory of 2920 2656 smnss.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\2ebf753c0a60d8bc21de31b1a6ea0c10_NEAS.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\ctfmen.exectfmen.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\smnss.exeC:\Windows\system32\smnss.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 8324⤵
- Loads dropped DLL
- Program crash
PID:2920
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
183B
MD5658bb639aeefc79c30b6ad9f2f6334ee
SHA1bbc4bbb53468474eac3144984ae54cfa57ff398a
SHA2569657e4c0be7f38eb5f3135b8296f233f429b5ec1f0f3eed903e86843c0b0ab8b
SHA512c5387efd5a1d30b1812aef53e020cc6b8bc2a4c220b24330d4aa217d9bad57b13f79910845e6d4445180a82cc97bc7e4789f03faef84e330077802b3651dacf5
-
Filesize
4KB
MD5536c3a172d95848ab1f8e4dd533ca2ad
SHA1b637ebcf898de02afb097c51e7d4749ddd9181d0
SHA256a5ccfdf382ddae4ea4164f367c1826f84d553f58cf3e9dc0b9961f5d8a1ede7f
SHA5126d24491bb34d31d88674976915df556ad190261e28aeeb2ec60016fe331ed92baabe8c6405fde1dee4742ea9f779a32d01dbe7f4ce35c96ab5216cd320734b93
-
Filesize
8KB
MD57380f2e43b19418e919f9bd6a5aba421
SHA148dbfc68af2c90e6ef8085020a60d7f4c3516ef2
SHA256e322a199332550b5c673620fe6595d218e1735ad29627bd1f2e8d208379bce6f
SHA5127e4521bb9259d9f1986e5c8bce7cd57a12a379485539497ca1bceb3d5510d4a03afb7cd8f24bd19dd23c4e73371ff8d0838d5e0e6e2a2484fe241cc776305eb4
-
Filesize
224KB
MD56eebb8e6256f039f902d7c0bf2508cab
SHA1add54e2fa365158514714e9933c33f812ba340f7
SHA25611fd9e175928f43484fc68753a382b96f8cacf1b8bc94aeb84f14bee7d052917
SHA5126dd5a207dd9b9e411896e0e3f157c07cb292c7174d54da5a9d8968d684298a267ddabef5122fe2f77665a92467e43c3b6967c265b1b6d51191a19f165485cee3