Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
07-05-2024 03:21
Static task
static1
Behavioral task
behavioral1
Sample
59fdbe976e9178c52e3a198033e704c0_NEAS.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
59fdbe976e9178c52e3a198033e704c0_NEAS.exe
Resource
win10v2004-20240419-en
General
-
Target
59fdbe976e9178c52e3a198033e704c0_NEAS.exe
-
Size
520KB
-
MD5
59fdbe976e9178c52e3a198033e704c0
-
SHA1
26c1e75c0379f371b606e4e925d0a427f6f220dc
-
SHA256
9a8e189802856de4155551c6f660428a41fae421188376102cc8795de6615409
-
SHA512
ef9a59734961e683c5d55945dccdd917c25d42e9208f7e70ec2bb09efb6ab8a720efb2fc783cf1fa4cdab138e9ba77fd2b178dc2f9b6934cd5c1c2feadbd67b8
-
SSDEEP
6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMbI:f9fC3hh29Ya77A90aFtDfT5IMbI
Malware Config
Extracted
darkcomet
PrivateEye
ratblackshades.no-ip.biz:1604
DC_MUTEX-ACC1R98
-
gencode
8GG5LVVGljSF
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
winupd.exewinupd.exewinupd.exepid Process 2736 winupd.exe 2560 winupd.exe 2580 winupd.exe -
Loads dropped DLL 4 IoCs
Processes:
59fdbe976e9178c52e3a198033e704c0_NEAS.exewinupd.exepid Process 2308 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 2308 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 2736 winupd.exe 2736 winupd.exe -
Processes:
resource yara_rule behavioral1/memory/2580-60-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-59-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-57-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-54-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-52-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-73-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-72-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-71-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-70-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-75-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-74-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-80-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-81-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-82-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-83-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-84-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-85-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-86-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-87-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-88-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-89-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-90-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-91-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-92-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-93-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2580-94-0x0000000000400000-0x00000000004B7000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray" reg.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
59fdbe976e9178c52e3a198033e704c0_NEAS.exewinupd.exedescription pid Process procid_target PID 824 set thread context of 2308 824 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 28 PID 2736 set thread context of 2560 2736 winupd.exe 30 PID 2736 set thread context of 2580 2736 winupd.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid Process 2480 ipconfig.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
winupd.exedescription pid Process Token: SeIncreaseQuotaPrivilege 2580 winupd.exe Token: SeSecurityPrivilege 2580 winupd.exe Token: SeTakeOwnershipPrivilege 2580 winupd.exe Token: SeLoadDriverPrivilege 2580 winupd.exe Token: SeSystemProfilePrivilege 2580 winupd.exe Token: SeSystemtimePrivilege 2580 winupd.exe Token: SeProfSingleProcessPrivilege 2580 winupd.exe Token: SeIncBasePriorityPrivilege 2580 winupd.exe Token: SeCreatePagefilePrivilege 2580 winupd.exe Token: SeBackupPrivilege 2580 winupd.exe Token: SeRestorePrivilege 2580 winupd.exe Token: SeShutdownPrivilege 2580 winupd.exe Token: SeDebugPrivilege 2580 winupd.exe Token: SeSystemEnvironmentPrivilege 2580 winupd.exe Token: SeChangeNotifyPrivilege 2580 winupd.exe Token: SeRemoteShutdownPrivilege 2580 winupd.exe Token: SeUndockPrivilege 2580 winupd.exe Token: SeManageVolumePrivilege 2580 winupd.exe Token: SeImpersonatePrivilege 2580 winupd.exe Token: SeCreateGlobalPrivilege 2580 winupd.exe Token: 33 2580 winupd.exe Token: 34 2580 winupd.exe Token: 35 2580 winupd.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
59fdbe976e9178c52e3a198033e704c0_NEAS.exe59fdbe976e9178c52e3a198033e704c0_NEAS.exewinupd.exewinupd.exewinupd.exepid Process 824 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 2308 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 2736 winupd.exe 2560 winupd.exe 2580 winupd.exe -
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
59fdbe976e9178c52e3a198033e704c0_NEAS.exe59fdbe976e9178c52e3a198033e704c0_NEAS.exewinupd.exewinupd.exeipconfig.execmd.exedescription pid Process procid_target PID 824 wrote to memory of 2308 824 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 28 PID 824 wrote to memory of 2308 824 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 28 PID 824 wrote to memory of 2308 824 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 28 PID 824 wrote to memory of 2308 824 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 28 PID 824 wrote to memory of 2308 824 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 28 PID 824 wrote to memory of 2308 824 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 28 PID 824 wrote to memory of 2308 824 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 28 PID 824 wrote to memory of 2308 824 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 28 PID 824 wrote to memory of 2308 824 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 28 PID 2308 wrote to memory of 2736 2308 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 29 PID 2308 wrote to memory of 2736 2308 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 29 PID 2308 wrote to memory of 2736 2308 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 29 PID 2308 wrote to memory of 2736 2308 59fdbe976e9178c52e3a198033e704c0_NEAS.exe 29 PID 2736 wrote to memory of 2560 2736 winupd.exe 30 PID 2736 wrote to memory of 2560 2736 winupd.exe 30 PID 2736 wrote to memory of 2560 2736 winupd.exe 30 PID 2736 wrote to memory of 2560 2736 winupd.exe 30 PID 2736 wrote to memory of 2560 2736 winupd.exe 30 PID 2736 wrote to memory of 2560 2736 winupd.exe 30 PID 2736 wrote to memory of 2560 2736 winupd.exe 30 PID 2736 wrote to memory of 2560 2736 winupd.exe 30 PID 2736 wrote to memory of 2560 2736 winupd.exe 30 PID 2736 wrote to memory of 2580 2736 winupd.exe 31 PID 2736 wrote to memory of 2580 2736 winupd.exe 31 PID 2736 wrote to memory of 2580 2736 winupd.exe 31 PID 2736 wrote to memory of 2580 2736 winupd.exe 31 PID 2736 wrote to memory of 2580 2736 winupd.exe 31 PID 2736 wrote to memory of 2580 2736 winupd.exe 31 PID 2736 wrote to memory of 2580 2736 winupd.exe 31 PID 2736 wrote to memory of 2580 2736 winupd.exe 31 PID 2560 wrote to memory of 2480 2560 winupd.exe 32 PID 2560 wrote to memory of 2480 2560 winupd.exe 32 PID 2560 wrote to memory of 2480 2560 winupd.exe 32 PID 2560 wrote to memory of 2480 2560 winupd.exe 32 PID 2560 wrote to memory of 2480 2560 winupd.exe 32 PID 2560 wrote to memory of 2480 2560 winupd.exe 32 PID 2480 wrote to memory of 2108 2480 ipconfig.exe 34 PID 2480 wrote to memory of 2108 2480 ipconfig.exe 34 PID 2480 wrote to memory of 2108 2480 ipconfig.exe 34 PID 2480 wrote to memory of 2108 2480 ipconfig.exe 34 PID 2108 wrote to memory of 3000 2108 cmd.exe 36 PID 2108 wrote to memory of 3000 2108 cmd.exe 36 PID 2108 wrote to memory of 3000 2108 cmd.exe 36 PID 2108 wrote to memory of 3000 2108 cmd.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\59fdbe976e9178c52e3a198033e704c0_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\59fdbe976e9178c52e3a198033e704c0_NEAS.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Users\Admin\AppData\Local\Temp\59fdbe976e9178c52e3a198033e704c0_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\59fdbe976e9178c52e3a198033e704c0_NEAS.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exeC:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\system32\ipconfig.exe"5⤵
- Gathers network information
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XEWHTSTP.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f7⤵
- Adds Run key to start application
- Modifies registry key
PID:3000
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2580
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151B
MD5cac890d00365d07b9ca89def17cc3a36
SHA16fa99679ede791c16b5d3e6d243a98e8bbdb7eab
SHA2564f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da
SHA512124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1
-
Filesize
520KB
MD5ebeaafb3b908b9d72a06fc16d43f0aef
SHA1659b0c2510b88e421a6ed75df0d306ea00c64a34
SHA2564e51438ceedffd524c03c61b2f1c4a981f079772952eefaf4ec175ab1d1469d9
SHA51201fb855f57db66861c3a68c80d0c876089151b969573396d89e131f075da22fb9ce53b7ae14b8e3bf9f7b3c987854faf2615f8272713d3429cf2f01443424045