Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 06-05-2024 23:37
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe
  - Resource: win7-20240215-en
General
- Target: 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe
- Size: 847KB
- MD5: 32714e6ba316bf34e90dbf6d5e81f260
- SHA1: 34ae7f07b4d179323854f9b3d624d03e35889da9
- SHA256: 2b6a3303f789dcb6019801babcbde32bac1a1154391f61f8127e3b9f03d6e8de
- SHA512: 46302f16a2b491808b579b4596e52bc8ff6fe972f4054483cc622357bb727394e7ab65191091eeef97fedcbcd39f388511c5757399d8674221c3ba6ab6958d5a
- SSDEEP: 24576:SV9RUqJJeOY9J3/Ekbl4055FWim0HvYq/5lrzG:eUqJsOWJ3/EIlhtzYqxZzG
Malware Config
Extracted
- Family: darkcomet
- Botnet: FUD
- C2:
  - ainab-inc.no-ip.biz:1604
  - ainab-inc.no-ip.biz:1605
  - ainab.no-ip.info:1605
  - ainab.no-ip.info:1604
- Mutex: DC_MUTEX-8PSGHJX
- InstallPath: C:\Program Files\CCleaner\CCleaner-resident.exe
- gencode: xhpExvTjwd0Y
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: explore
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: vbc.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\C:\\Program Files\\CCleaner\\xhpExvTjwd0Y\\CCleaner-resident.exe" (vbc.exe)
- Executes dropped EXE (2 IoCs)
  Processes: SKYPE_CHECKER.EXE
  - PID 2132 SKYPE_CHECKER.EXE
  - PID 2660 SKYPE_CHECKER.EXE
- Loads dropped DLL (4 IoCs)
  Processes: vbc.exe
  - PID 2064 vbc.exe (4 DLL loads)
- UPX yara rule matches (17 IoCs)
  Processes: vbc.exe
  - yara rule `upx` matched 17 memory dumps of PID 2064 (behavioral1/memory/2064-4 through 2064-89), all covering the region 0x0000000000400000-0x000000000053B000
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: vbc.exe, 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\explore = "C:\\Users\\Admin\\AppData\\Local\\Temp\\C:\\Program Files\\CCleaner\\xhpExvTjwd0Y\\CCleaner-resident.exe" (vbc.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype-Checker = "C:\\Users\\Admin\\AppData\\Roaming\\Skype Checker.exe" (32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe
  - PID 2932 (32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe) set thread context of PID 2064 (target procid 28)
- NTFS ADS (4 IoCs)
  Processes: vbc.exe
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\C:\Program Files\CCleaner\xhpExvTjwd0Y\ (vbc.exe)
  - File created: C:\Users\Admin\AppData\Local\Temp\C:\Program Files\CCleaner\CCleaner-resident.exe (vbc.exe)
  - File created: C:\Users\Admin\AppData\Local\Temp\C:\Program Files\CCleaner\xhpExvTjwd0Y\CCleaner-resident.exe (vbc.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\C:\Program Files\CCleaner\xhpExvTjwd0Y\CCleaner-resident.exe (vbc.exe)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: vbc.exe (PID 2064)
  - Tokens enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: vbc.exe
  - PID 2064 vbc.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  Processes: 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe, vbc.exe
  - PID 2932 (32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe) wrote to memory of PID 2064 (target procid 28): 9 events
  - PID 2064 (vbc.exe) wrote to memory of PID 2132 (target procid 29): 4 events
  - PID 2064 (vbc.exe) wrote to memory of PID 2660 (target procid 30): 4 events
  - PID 2064 (vbc.exe) wrote to memory of PID 2748 (target procid 31): 23 events
Processes
- C:\Users\Admin\AppData\Local\Temp\32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe (PID 2932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2064)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\SKYPE_CHECKER.EXE (PID 2132)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SKYPE_CHECKER.EXE"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\SKYPE_CHECKER.EXE (PID 2660)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SKYPE_CHECKER.EXE"
      - Executes dropped EXE
    - C:\Windows\SysWOW64\notepad.exe (PID 2748)
      Command line: notepad
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 521KB
- MD5: c30a1984c00d53d6f58ceacffc7f609f
- SHA1: e38910a83a7bbefebc7f87d6f1d8e8bfe2c77308
- SHA256: df15bb116b47979eeafa960df367f7de3dfba79d3d60704703bfbd9c2c52d2ab
- SHA512: d0ed5698fc627ef2481bb7c8efa0a72e22627184466d7ff4ed3d22119c0c8d92ac2d8aa8ffe4f29f0259aa658373e1d643f9a1e26969e8f3fb668c15d47bca0d