Analysis
- max time kernel: 130s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/05/2024, 02:59
Static task: static1

Behavioral task: behavioral1
- Sample: 55df5179a90de41691dd26553b8264c0_NEAS.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 55df5179a90de41691dd26553b8264c0_NEAS.exe
- Resource: win10v2004-20240419-en
General
- Target: 55df5179a90de41691dd26553b8264c0_NEAS.exe
- Size: 287KB
- MD5: 55df5179a90de41691dd26553b8264c0
- SHA1: 86093a79408544dedfcb510eca0ec6fd27ff9aaf
- SHA256: 406443462ef7c000ded1f4d0286e69be56cf48988f1d7f614b456f9037182612
- SHA512: 4ec163485adc8bdb9416cffa91b3bd3ff3450f0b3835eefeec2585681c4a286a5581ecbf14b4711b2c0517c00726a688c58235ef9d0324e05205f9ae17c299e3
- SSDEEP: 6144:p2wA/HQR9mgC74LtlgTvoRRcWd6V2NeTKDEeW3JHMRzfSAv:nA/QR9mb4Lt7cWd6VgeTKDEp3JifSo
Malware Config
Signatures

Deletes itself (1 IoC)
- pid 1612, process uqezluo.exe

Executes dropped EXE (2 IoCs)
- pid 1612, process uqezluo.exe
- pid 3916, process jbnuj.exe

Loads dropped DLL (1 IoC)
- pid 3916, process jbnuj.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COAPI = "c:\\Program Files\\cftsxig\\jbnuj.exe \"c:\\Program Files\\cftsxig\\jbnuj.dll\",ClassObject" (process jbnuj.exe)

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by jbnuj.exe, in the order recorded: \??\b:, \??\g:, \??\k:, \??\l:, \??\o:, \??\s:, \??\j:, \??\m:, \??\z:, \??\a:, \??\e:, \??\r:, \??\t:, \??\u:, \??\w:, \??\x:, \??\h:, \??\i:, \??\n:, \??\p:, \??\q:, \??\v:, \??\y:

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PHYSICALDRIVE0 (process jbnuj.exe)

Drops file in Program Files directory (4 IoCs)
- File created: \??\c:\Program Files\cftsxig\jbnuj.dll (process uqezluo.exe)
- File created: \??\c:\Program Files\cftsxig\jbnuj.exe (process uqezluo.exe)
- File opened for modification: \??\c:\Program Files\cftsxig\jbnuj.exe (process uqezluo.exe)
- File opened for modification: \??\c:\Program Files\cftsxig (process uqezluo.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process jbnuj.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process jbnuj.exe)

Runs ping.exe (1 TTP, 1 IoC)
- pid 1040, process PING.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- pid 3916, process jbnuj.exe (4 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, pid 3916, process jbnuj.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 3664, process 55df5179a90de41691dd26553b8264c0_NEAS.exe
- pid 1612, process uqezluo.exe

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 3664 wrote to memory of 3700: pid 3664, process 55df5179a90de41691dd26553b8264c0_NEAS.exe, procid_target 85 (3 occurrences)
- PID 3700 wrote to memory of 1040: pid 3700, process cmd.exe, procid_target 87 (3 occurrences)
- PID 3700 wrote to memory of 1612: pid 3700, process cmd.exe, procid_target 91 (3 occurrences)
- PID 1612 wrote to memory of 3916: pid 1612, process uqezluo.exe, procid_target 93 (3 occurrences)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\55df5179a90de41691dd26553b8264c0_NEAS.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\55df5179a90de41691dd26553b8264c0_NEAS.exe"
PID: 3664
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\uqezluo.exe "C:\Users\Admin\AppData\Local\Temp\55df5179a90de41691dd26553b8264c0_NEAS.exe"
  PID: 3700
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1 -n 2
    PID: 1040
    - Runs ping.exe

    Level 3: C:\Users\Admin\AppData\Local\Temp\uqezluo.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\uqezluo.exe "C:\Users\Admin\AppData\Local\Temp\55df5179a90de41691dd26553b8264c0_NEAS.exe"
    PID: 1612
    - Deletes itself
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      Level 4: \??\c:\Program Files\cftsxig\jbnuj.exe
      Command line: "c:\Program Files\cftsxig\jbnuj.exe" "c:\Program Files\cftsxig\jbnuj.dll",ClassObject C:\Users\Admin\AppData\Local\Temp\uqezluo.exe
      PID: 3916
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

File 1
- Filesize: 60KB
- MD5: 889b99c52a60dd49227c5e485a016679
- SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
- SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
- SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

File 2
- Filesize: 287KB
- MD5: f59cffd900e19158ce2bc2bcbd227179
- SHA1: ef4c0feace972f70bb95cdf76df551e18e170a2b
- SHA256: a27463c953b577360e8ffee0271f27b9579d2f8a91dd2673e3fb21e3a2001ede
- SHA512: ba9696cf058bc49308b66d1064db618d1e3cdf0f1b92d8d9608b882b3201e920d068e9820a73d0c17320f8e92f69af14cd386c167c2e404e4145e43701aa13d0

File 3
- Filesize: 200KB
- MD5: 8c444e8a00905affa39434ccc858c4da
- SHA1: 1a822ce25df124ebaec8c2b5472ce6d9effaddbe
- SHA256: 9d3a85922b60d20db6e700730482ed2bc528c7ff8793437e0f8d01280c350e0d
- SHA512: 505a5f8194c1a73d277a24559f5260164dbe1f94d05ba66033e23b51f75f93d2188726e2b7373a4bf909553dae31cdff06a5290955c871de913ce7d2b161f0c4