Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/05/2024, 03:30

General

  • Target

    5be9acaebf27218731ef9bfca990b9f0_NEAS.exe

  • Size

    3.6MB

  • MD5

    5be9acaebf27218731ef9bfca990b9f0

  • SHA1

    903185395cf0bb739612903a048788538517c65a

  • SHA256

    fda373f32ac00a6d88ffb7ccfac41df243b8b6e42234d22b90b97cf385d70010

  • SHA512

    a0b2d8b1a1d07dcdc1c012f1abd416597d4ff7d275ad9604b8a025a8ad4f53744cfcc63621a9b56ddf05779f930807fdcc34258b0aa2ceae7337ff9ba700028c

  • SSDEEP

    49152:ksgY1bXNn4iM1mo7JFAU9YfLxd4cY1DJmXTHX1bLu1LriJzf64iVDJEY:5gwrNn4Yo7Lefb4cY1DY5bL4Lrc7NaJ3

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\5be9acaebf27218731ef9bfca990b9f0_NEAS.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2192
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1972
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2240
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Writes to the Master Boot Record (MBR)
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2756
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2660
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:32 /f
            5⤵
            • Creates scheduled task(s)
            PID:2560
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:33 /f
            5⤵
            • Creates scheduled task(s)
            PID:2040
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:34 /f
            5⤵
            • Creates scheduled task(s)
            PID:1144
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
        PID:2932

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\ProgramData\mntemp

            Filesize

            16B

            MD5

            0f02c2e0896d526c1474a6f940945377

            SHA1

            ba2b111ec4bec3dc4841e48c25131c620986756f

            SHA256

            be4e28813d7bd4309c47abeb388ce18260d5328f950b4f32be20d4d71cde3e61

            SHA512

            708cb7c3cb20c82264e492b1354df96993053bcd54b2620bd4d60bf922b36d61b4548fddec3e52cf78b6fcabdfe37aabde87c58d900a7733c95e8ad3fe5fdf78

          • \Windows\Resources\Themes\explorer.exe

            Filesize

            3.6MB

            MD5

            d265bece931d77b73b997e8f1ac5c4b9

            SHA1

            a20e5611e518a8356760ad9a3215ac86a817243d

            SHA256

            44b949869ea9596c846df4cb5993d5610affb6f04753e382bcba0dc501c291d3

            SHA512

            f46c15d828c2edaa527986d39d808eae509b2974b0ec1ce498d6f7251239f5fb0f3c697a279da5e005305a284923e6cfa0e7c5ce3b90c24eebd27ad5d2025137

          • \Windows\Resources\spoolsv.exe

            Filesize

            3.6MB

            MD5

            b6268b246a2858bbe3409449c4f0c302

            SHA1

            b50fcad53e4d32e8eda408945487957a5ee9b48a

            SHA256

            87cedfe2e0d65b631792720c416358ce0462435f0208c31f9380b6a8c0d1fc0f

            SHA512

            42f93ae4639ed56719c4eb5843b317213d35097750dbbde6295b651f12ce55f86674327e9a4b3656c08144ea8c43a210be95736be0df2078f82c9662d45f29c7

          • \Windows\Resources\svchost.exe

            Filesize

            3.6MB

            MD5

            dcf48dc95dd6131ce82cb4a45af34229

            SHA1

            0ccd81945476c018e6781f61df5bd73a389115d0

            SHA256

            4287805ebdf1e27a6957ceef8ced455af194e9445d5cfeee1ff3b785202a347c

            SHA512

            b587afa5ac3005d0d0d1791d95899c268753316b5267fb3060f0f8c663055d532d611f53c06455b78e4dbfb038f7918543b88c786db19a567d40b63433eec37d

          • memory/1972-55-0x0000000000400000-0x0000000000C23000-memory.dmp

            Filesize

            8.1MB

          • memory/1972-67-0x0000000000400000-0x0000000000C23000-memory.dmp

            Filesize

            8.1MB

          • memory/1972-12-0x0000000000400000-0x0000000000C23000-memory.dmp

            Filesize

            8.1MB

          • memory/1972-24-0x00000000039A0000-0x00000000041C3000-memory.dmp

            Filesize

            8.1MB

          • memory/1972-58-0x00000000039A0000-0x00000000041C3000-memory.dmp

            Filesize

            8.1MB

          • memory/2192-54-0x0000000000400000-0x0000000000C23000-memory.dmp

            Filesize

            8.1MB

          • memory/2192-44-0x0000000000400000-0x0000000000C23000-memory.dmp

            Filesize

            8.1MB

          • memory/2192-0-0x0000000000400000-0x0000000000C23000-memory.dmp

            Filesize

            8.1MB

          • memory/2192-1-0x00000000774F0000-0x00000000774F2000-memory.dmp

            Filesize

            8KB

          • memory/2240-51-0x0000000000400000-0x0000000000C23000-memory.dmp

            Filesize

            8.1MB

          • memory/2240-36-0x0000000003A60000-0x0000000004283000-memory.dmp

            Filesize

            8.1MB

          • memory/2240-25-0x0000000000400000-0x0000000000C23000-memory.dmp

            Filesize

            8.1MB

          • memory/2660-45-0x0000000000400000-0x0000000000C23000-memory.dmp

            Filesize

            8.1MB

          • memory/2660-52-0x0000000000400000-0x0000000000C23000-memory.dmp

            Filesize

            8.1MB

          • memory/2756-37-0x0000000000400000-0x0000000000C23000-memory.dmp

            Filesize

            8.1MB

          • memory/2756-57-0x0000000000400000-0x0000000000C23000-memory.dmp

            Filesize

            8.1MB