Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 23:37

Static task: static1
Behavioral task: behavioral1
Sample: 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe
Resource: win7-20240215-en
General
Target: 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe
Size: 847KB
MD5: 32714e6ba316bf34e90dbf6d5e81f260
SHA1: 34ae7f07b4d179323854f9b3d624d03e35889da9
SHA256: 2b6a3303f789dcb6019801babcbde32bac1a1154391f61f8127e3b9f03d6e8de
SHA512: 46302f16a2b491808b579b4596e52bc8ff6fe972f4054483cc622357bb727394e7ab65191091eeef97fedcbcd39f388511c5757399d8674221c3ba6ab6958d5a
SSDEEP: 24576:SV9RUqJJeOY9J3/Ekbl4055FWim0HvYq/5lrzG:eUqJsOWJ3/EIlhtzYqxZzG
Malware Config
Extracted
Family: darkcomet
Botnet: FUD
C2:
- ainab-inc.no-ip.biz:1604
- ainab-inc.no-ip.biz:1605
- ainab.no-ip.info:1605
- ainab.no-ip.info:1604
Mutex: DC_MUTEX-8PSGHJX
Attributes:
- InstallPath: C:\Program Files\CCleaner\CCleaner-resident.exe
- gencode: xhpExvTjwd0Y
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: explore
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- vbc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\C:\\Program Files\\CCleaner\\xhpExvTjwd0Y\\CCleaner-resident.exe"
Executes dropped EXE (2 IoCs)
Processes:
- SKYPE_CHECKER.EXE, PID 1420
- SKYPE_CHECKER.EXE, PID 2100
YARA rule matches (rule: upx, 25 memory dumps of PID 4388)
Processes (resource / yara_rule):
- behavioral2/memory/4388-7-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-10-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-9-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-12-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-13-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-26-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-30-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-29-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-31-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-34-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-35-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-36-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-39-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-40-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-43-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-46-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-49-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-52-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-55-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-58-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-61-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-64-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-67-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-70-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
- behavioral2/memory/4388-73-0x0000000000400000-0x000000000053B000-memory.dmp (upx)
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype-Checker = "C:\\Users\\Admin\\AppData\\Roaming\\Skype Checker.exe"
- vbc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explore = "C:\\Users\\Admin\\AppData\\Local\\Temp\\C:\\Program Files\\CCleaner\\xhpExvTjwd0Y\\CCleaner-resident.exe"
Drops desktop.ini file(s) (2 IoCs)
Processes:
- 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe: File opened for modification C:\Windows\assembly\Desktop.ini
- 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe: File created C:\Windows\assembly\Desktop.ini
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 216 (32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe) set thread context of PID 4388 (procid_target 84)
Drops file in Windows directory (3 IoCs)
Processes:
- 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe: File opened for modification C:\Windows\assembly
- 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe: File created C:\Windows\assembly\Desktop.ini
- 32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe: File opened for modification C:\Windows\assembly\Desktop.ini
NTFS ADS (4 IoCs)
Processes:
- vbc.exe: File created C:\Users\Admin\AppData\Local\Temp\C:\Program Files\CCleaner\CCleaner-resident.exe
- vbc.exe: File created C:\Users\Admin\AppData\Local\Temp\C:\Program Files\CCleaner\xhpExvTjwd0Y\CCleaner-resident.exe
- vbc.exe: File opened for modification C:\Users\Admin\AppData\Local\Temp\C:\Program Files\CCleaner\xhpExvTjwd0Y\CCleaner-resident.exe
- vbc.exe: File opened for modification C:\Users\Admin\AppData\Local\Temp\C:\Program Files\CCleaner\xhpExvTjwd0Y\
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
- vbc.exe (PID 4388) adjusted the following tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- vbc.exe, PID 4388
Suspicious use of WriteProcessMemory (36 IoCs)
Processes:
- PID 216 (32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe) wrote to memory of PID 4388 (procid_target 84): 8 entries
- PID 4388 (vbc.exe) wrote to memory of PID 1420 (procid_target 86): 3 entries
- PID 4388 (vbc.exe) wrote to memory of PID 2100 (procid_target 89): 3 entries
- PID 4388 (vbc.exe) wrote to memory of PID 3916 (procid_target 90): 22 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe"
   PID: 216
   - Adds Run key to start application
   - Drops desktop.ini file(s)
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 4388
      - Modifies WinLogon for persistence
      - Adds Run key to start application
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\SKYPE_CHECKER.EXE
         Command line: "C:\Users\Admin\AppData\Local\Temp\SKYPE_CHECKER.EXE"
         PID: 1420
         - Executes dropped EXE
      3. C:\Users\Admin\AppData\Local\Temp\SKYPE_CHECKER.EXE
         Command line: "C:\Users\Admin\AppData\Local\Temp\SKYPE_CHECKER.EXE"
         PID: 2100
         - Executes dropped EXE
      3. C:\Windows\SysWOW64\notepad.exe
         Command line: notepad
         PID: 3916
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 521KB
  MD5: c30a1984c00d53d6f58ceacffc7f609f
  SHA1: e38910a83a7bbefebc7f87d6f1d8e8bfe2c77308
  SHA256: df15bb116b47979eeafa960df367f7de3dfba79d3d60704703bfbd9c2c52d2ab
  SHA512: d0ed5698fc627ef2481bb7c8efa0a72e22627184466d7ff4ed3d22119c0c8d92ac2d8aa8ffe4f29f0259aa658373e1d643f9a1e26969e8f3fb668c15d47bca0d