Analysis
max time kernel: 144s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2024 01:01
Static task: static1
Behavioral task: behavioral1 (Sample: 41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe; Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: 41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe; Resource: win10v2004-20240419-en)
General
Target: 41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
Size: 119KB
MD5: 41c7c8c0a7bc7ba36889fa9de1bf5ad0
SHA1: bbc6c2f54372ddd9bac246d1935fb941a8b94a0e
SHA256: 7c1e17247e562a4e5e20db66031de2b23ba11f8044fe35dc064f4b51987d3c78
SHA512: 934fdd95763356f13d90fddc5f1f17ff1263cd8137eef2ead4e51c83c9f874833529bbd4684eb53e42eb143f5c2d2f5234e08bf3489cba5ba87763d918f8163c
SSDEEP: 3072:6OjWuyt0ZsqsXOKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7zjPPh:6Is9OKofHfHTXQLzgvnzHPowYbvrjD/E
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource: behavioral1/files/0x0035000000014701-10.dat; yara_rule: acprotect
Executes dropped EXE (2 IoCs)
PID   Process
2648  ctfmen.exe
2828  smnss.exe
Loads dropped DLL (9 IoCs; one row per load event, collapsed by process)
PID   Process                                     loads
2964  41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe  3
2648  ctfmen.exe                                  2
2828  smnss.exe                                   1
2432  WerFault.exe                                3
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                    data                                Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen   "C:\\Windows\\system32\\ctfmen.exe"  41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen   "C:\\Windows\\system32\\ctfmen.exe"  smnss.exe
Note the path mismatch with "Drops file in System32 directory" below: the value data names C:\Windows\system32\ctfmen.exe, but the file was created in C:\Windows\SysWOW64. The sample is a 32-bit process (its registry writes land under Wow6432Node), so WOW64 file-system redirection turns its writes to system32 into writes to SysWOW64; both spellings refer to the same dropped binary. When hunting for the persistence entry, check both directories and match the value name "ctfmen" rather than the literal path.
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments. Disk\Enum\0 and \1 hold the device instance paths of the attached disks, which on a virtual machine typically embed the hypervisor vendor's string, so this read is a cheap VM check even though it looks like benign drive enumeration.
description        ioc                                                          Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1  41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    smnss.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  smnss.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1  smnss.exe
Drops file in System32 directory (12 IoCs)
description                   ioc                                Process
File created                  C:\Windows\SysWOW64\smnss.exe      41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
File created                  C:\Windows\SysWOW64\satornas.dll   41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
File created                  C:\Windows\SysWOW64\zipfi.dll      smnss.exe
File created                  C:\Windows\SysWOW64\ctfmen.exe     41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
File created                  C:\Windows\SysWOW64\shervans.dll   41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
File created                  C:\Windows\SysWOW64\grcopy.dll     41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
File opened for modification  C:\Windows\SysWOW64\grcopy.dll     41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
File opened for modification  C:\Windows\SysWOW64\shervans.dll   41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
File created                  C:\Windows\SysWOW64\smnss.exe      smnss.exe
File opened for modification  C:\Windows\SysWOW64\ctfmen.exe     41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
File opened for modification  C:\Windows\SysWOW64\satornas.dll   41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
File created                  C:\Windows\SysWOW64\zipfiaq.dll    smnss.exe
Drops file in Program Files directory (64 IoCs)
All 64 rows are "File opened for modification" by smnss.exe:
C:\Program Files\7-Zip\Lang\ko.txt
C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml
C:\Program Files\DVD Maker\Shared\Filters.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml
C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
C:\Program Files\Internet Explorer\Timeline.cpu.xml
C:\Program Files\7-Zip\Lang\uk.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml
C:\Program Files\7-Zip\Lang\nb.txt
C:\Program Files\7-Zip\Lang\ug.txt
C:\Program Files\7-Zip\Lang\uz-cyrl.txt
C:\Program Files\7-Zip\Lang\lv.txt
C:\Program Files\7-Zip\Lang\pt-br.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml
C:\Program Files\7-Zip\Lang\br.txt
C:\Program Files\7-Zip\Lang\lij.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml
C:\Program Files\7-Zip\Lang\sl.txt
C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml
C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm
C:\Program Files\7-Zip\Lang\ba.txt
C:\Program Files\7-Zip\Lang\ro.txt
C:\Program Files\7-Zip\Lang\sa.txt
C:\Program Files\7-Zip\Lang\ne.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml
C:\Program Files\7-Zip\Lang\ca.txt
C:\Program Files\7-Zip\Lang\co.txt
C:\Program Files\7-Zip\Lang\de.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml
C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt
C:\Program Files\Java\jdk1.7.0_80\jre\README.txt
C:\Program Files\7-Zip\Lang\ar.txt
C:\Program Files\7-Zip\Lang\eu.txt
C:\Program Files\7-Zip\Lang\sr-spl.txt
C:\Program Files\7-Zip\Lang\ta.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml
C:\Program Files\7-Zip\Lang\gl.txt
C:\Program Files\7-Zip\Lang\gu.txt
C:\Program Files\7-Zip\Lang\pt.txt
C:\Program Files\7-Zip\Lang\bg.txt
C:\Program Files\7-Zip\Lang\fa.txt
C:\Program Files\7-Zip\Lang\sr-spc.txt
C:\Program Files\7-Zip\History.txt
C:\Program Files\7-Zip\Lang\is.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html
C:\Program Files\7-Zip\Lang\da.txt
C:\Program Files\7-Zip\Lang\tr.txt
C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm
C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml
C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml
C:\Program Files\7-Zip\Lang\hu.txt
C:\Program Files\7-Zip\Lang\ja.txt
C:\Program Files\7-Zip\Lang\zh-cn.txt
C:\Program Files\7-Zip\Lang\nn.txt
C:\Program Files\7-Zip\Lang\si.txt
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml
Program crash (1 IoC)
PID   pid_target  Process       procid_target
2432  2828        WerFault.exe  29
smnss.exe (PID 2828) faulted and Windows Error Reporting launched WerFault.exe for it; the "-p 2828" in the WerFault command line in the process tree below is the same target PID.
Modifies registry class (6 IoCs)
description      ioc                                                                                                                   data                                 Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32                                                    41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node                                                                                                               41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID                                                                                                         41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}                                                                  41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\   "C:\\Windows\\SysWow64\\shervans.dll"   41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\   "C:\\Windows\\SysWow64\\shervans.dll"   smnss.exe
InprocServer32 is the DLL that COM loads into the client's own process when the CLSID is instantiated, and shervans.dll is a file this sample dropped (see "Drops file in System32 directory"). Any 32-bit client that creates an object of this CLSID therefore loads the dropped DLL in-process. "Key created" rows are logged for RegCreateKey calls regardless of whether the key already existed, so they do not by themselves show whether the CLSID was new or pre-existing on the host.
Suspicious use of AdjustPrivilegeToken (1 IoC)
description              PID   Process
Token: SeDebugPrivilege  2828  smnss.exe
Suspicious use of WriteProcessMemory (12 IoCs; 4 identical events per pair)
PID   wrote to memory of  Process                                     procid_target
2964  2648                41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe  28
2648  2828                ctfmen.exe                                  29
2828  2432                smnss.exe                                   30
The three pairs are exactly the parent/child links of the process tree (2964 > 2648 > 2828 > 2432). A parent writing into a child it has just created is also what ordinary process creation looks like to the sandbox, so this row corroborates the launch chain rather than proving code injection on its own.
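The signature rows above are the raw material for a hunt: the dropped files, the Run value that points at one of them, and the InprocServer32 value that points at another. The script below is an added example for this page (not tooling from the sandbox that produced the report); it transcribes those rows into events, folds the system32/SysWOW64 spelling difference caused by WOW64 file-system redirection, and links each registry value to the file the chain itself dropped. The (kind, process, ioc, data) event shape and the function names are assumptions made for this example.

```python
"""Correlate this report's behavioural rows into hunt-ready host IoCs.

Added example for this page; not tooling from the sandbox that produced
the report. EVENTS is constructed from the report's own signature rows,
and the (kind, process, ioc, data) event shape is an assumption.
"""
import re

SAMPLE = "41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe"
SYS32 = "c:\\windows\\system32\\"
WOW64 = "c:\\windows\\syswow64\\"

# Transcribed from "Drops file in System32 directory", "Adds Run key to
# start application" and "Modifies registry class" (constructed input).
EVENTS = [
    ("file_create", SAMPLE, "C:\\Windows\\SysWOW64\\smnss.exe", None),
    ("file_create", SAMPLE, "C:\\Windows\\SysWOW64\\satornas.dll", None),
    ("file_create", SAMPLE, "C:\\Windows\\SysWOW64\\ctfmen.exe", None),
    ("file_create", SAMPLE, "C:\\Windows\\SysWOW64\\shervans.dll", None),
    ("file_create", SAMPLE, "C:\\Windows\\SysWOW64\\grcopy.dll", None),
    ("file_create", "smnss.exe", "C:\\Windows\\SysWOW64\\zipfi.dll", None),
    ("file_create", "smnss.exe", "C:\\Windows\\SysWOW64\\zipfiaq.dll", None),
    ("reg_set", SAMPLE,
     "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmen",
     "C:\\Windows\\system32\\ctfmen.exe"),
    ("reg_set", "smnss.exe",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\"
     "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\\InprocServer32\\",
     "C:\\Windows\\SysWow64\\shervans.dll"),
]


def canonical(path: str) -> str:
    """Fold WOW64 file-system redirection into one spelling.

    The sample is 32-bit (its registry writes land under Wow6432Node), so a
    write to C:\\Windows\\system32 is redirected to C:\\Windows\\SysWOW64. The
    Run value names system32\\ctfmen.exe while the file was created under
    SysWOW64; both refer to the same file. NTFS is case-insensitive, hence
    lower(). Surrounding quotes from registry string data are stripped.
    """
    p = path.strip('"').lower()
    return WOW64 + p[len(SYS32):] if p.startswith(SYS32) else p


def correlate(events):
    """Link registry values to files the chain itself dropped.

    Returns tuples (finding, writer_process, value_or_clsid, dropped_path,
    dropper_process). A value pointing at a file nobody in the chain dropped
    is ignored: it may be a pre-existing binary rather than this payload.
    """
    dropped = {canonical(ioc): proc
               for kind, proc, ioc, _ in events if kind == "file_create"}
    findings = []
    for kind, proc, ioc, data in events:
        if kind != "reg_set" or data is None:
            continue
        key, target = ioc.lower(), canonical(data)
        if target not in dropped:
            continue
        if "\\currentversion\\run\\" in key:
            # Autostart value whose data is a binary this chain wrote.
            findings.append(("run_key_to_dropped_exe", proc,
                             ioc.rsplit("\\", 1)[1], target, dropped[target]))
        elif key.rstrip("\\").endswith("\\inprocserver32"):
            # In-process COM server: every client that instantiates this
            # CLSID loads the dropped DLL into its own address space.
            m = re.search(r"\{[0-9a-f-]{36}\}", key)
            findings.append(("inprocserver32_to_dropped_dll", proc,
                             m.group(0) if m else "?", target, dropped[target]))
    return findings


def hunt_paths(events):
    """Filesystem paths to check on a live host.

    Both directories are listed for each dropped name because where the
    redirected write really lands depends on the host: SysWOW64 on x64,
    System32 on a 32-bit Windows where no redirection happens.
    """
    out = set()
    for kind, _, ioc, _ in events:
        if kind == "file_create" and canonical(ioc).startswith(WOW64):
            name = canonical(ioc)[len(WOW64):]
            out.add("C:\\Windows\\SysWOW64\\" + name)
            out.add("C:\\Windows\\System32\\" + name)
    return sorted(out)


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
    print(*hunt_paths(EVENTS), sep="\n")
```

Run as-is it reports the Run value "ctfmen" resolving to the dropped ctfmen.exe and the InprocServer32 of {E6FB5E20-...} resolving to the dropped shervans.dll, plus fourteen paths (seven names in two directories) to sweep on suspect hosts. The canonical() step is the part worth keeping: without it a literal match on the Run value data would miss the file, because the registry says system32 and the disk says SysWOW64.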
Processes
1. C:\Users\Admin\AppData\Local\Temp\41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\41c7c8c0a7bc7ba36889fa9de1bf5ad0_NEAS.exe"
   PID: 2964
   - Loads dropped DLL
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\ctfmen.exe
      Command line: ctfmen.exe
      PID: 2648
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\smnss.exe
         Command line: C:\Windows\system32\smnss.exe
         PID: 2828
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Maps connected drives based on registry
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 744
            PID: 2432
            - Loads dropped DLL
            - Program crash
The launch chain is sample > ctfmen.exe > smnss.exe, with WerFault.exe started for smnss.exe when it crashed. At step 3 the command line says C:\Windows\system32\smnss.exe while the image that actually ran is C:\Windows\SysWOW64\smnss.exe: this is WOW64 file-system redirection applied to a 32-bit caller, the same effect seen in the Run key value above.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 183B
MD5: a446ee7e3616d13a81ee5dac403a1b2e
SHA1: 550d172bdce138da5d0e6b64e57cef8a755936a0
SHA256: 64873d99da94bd5da97d20c2c1ce04ae3aee88803633d03b0249a2d54d1413e2
SHA512: daf5152635a45d25afab03adc515c310adbecc0cefdc71b72f5733bf5c504f3a40b777b43afb9da2b0997501106261b5c3c6a87bb695273407cc2efc8055d82f

Filesize: 4KB
MD5: aa08109e8351783ade7b5591e2b795a6
SHA1: e7e0da24719280deb3de2fd7082025b80e88ed04
SHA256: d9d3ebd32c9d67a0b2616b309c74614ab9671c6b6886dbb63476aadd81bd925f
SHA512: 76674a778a7ed3980f44f5fea3e992cd4b50a1b3da00e0bb16b8d4cf037a89e35032eda5590b118ba66ccbba4f6582479cbb9f30cdbeeea28281723165bce7b7

Filesize: 8KB
MD5: 12215d60a8266b46cec97b19a61ff7a4
SHA1: d79e6723990cc077414cf3c1d5b1763a02f1af41
SHA256: 43634d22c05c6980fa033a865db71bb3d9fba241fc98eeb25b14951d3b153175
SHA512: ec1fab217a286610b97997dd2f4bbeef0fcd7ae36b48e71648c2563bce52d3295610079e386cdaa8f09e0f17bad324acd8c878e0bdbe7edf36151b23e8a31c67

Filesize: 119KB
MD5: bb61dd6f39b0f9914581cf2c97fd71a5
SHA1: b6555a1af6a841293f120be178194c5848cbfeba
SHA256: d31f51d0eba3f3fa88ef5f9dd1b99c230c7c88923cff7d46700ca12eacf6769a
SHA512: d3f62256830211cf609a2ba11e6d320651f8d6f03bbac9c35122eca3689cde26147eb8de59127efacfc3289111cb67020cdd50fa49ebb1b802f5d25e6629a6a5