Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 03:21

Static task: static1
Behavioral task: behavioral1
  Sample: 59fdbe976e9178c52e3a198033e704c0_NEAS.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 59fdbe976e9178c52e3a198033e704c0_NEAS.exe
  Resource: win10v2004-20240419-en
General
Target: 59fdbe976e9178c52e3a198033e704c0_NEAS.exe
Size: 520KB
MD5: 59fdbe976e9178c52e3a198033e704c0
SHA1: 26c1e75c0379f371b606e4e925d0a427f6f220dc
SHA256: 9a8e189802856de4155551c6f660428a41fae421188376102cc8795de6615409
SHA512: ef9a59734961e683c5d55945dccdd917c25d42e9208f7e70ec2bb09efb6ab8a720efb2fc783cf1fa4cdab138e9ba77fd2b178dc2f9b6934cd5c1c2feadbd67b8
SSDEEP: 6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMbI:f9fC3hh29Ya77A90aFtDfT5IMbI
Malware Config
Extracted
Family: darkcomet
Botnet: PrivateEye
C2: ratblackshades.no-ip.biz:1604
Mutex: DC_MUTEX-ACC1R98
Attributes:
  gencode: 8GG5LVVGljSF
  install: false
  offline_keylogger: true
  persistence: false

The C2 is a no-ip.biz dynamic DNS name on DarkComet's default port 1604. With install and persistence both false, no autostart or registry persistence signature appears in this run; the hunt artifacts that remain are the mutex name, the dropped winupd.exe under %APPDATA%\Microsoft and the C2 host/port.
Signatures

Executes dropped EXE  3 IoCs
Processes:
  PID 3328  winupd.exe
  PID 2056  winupd.exe
  PID 4940  winupd.exe

YARA rule upx matched in process memory  17 IoCs
Processes:
  resource: behavioral2/memory/4940-<n>-0x0000000000400000-0x00000000004B7000-memory.dmp  yara_rule: upx
  All 17 matches are dumps of PID 4940 over the same region 0x0000000000400000-0x00000000004B7000 (the image base of the hollowed winupd.exe child), dump indices 25, 28, 32, 34, 35, 36, 37, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49.
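Why a memory dump of the running child still matches a UPX rule: the section table of a UPX-packed image stays mapped at the image base, with UPX0 as a zero-raw-size unpack destination and the stub in UPX1. The following is an added example, not code from the sandbox or the report: a minimal PE section-table parser plus the structural check such a rule typically encodes. The two PE images are constructed header-only (assumed sufficient for the check; no section data) and are not the 59fdbe... sample or its dumps; the PACKED layout is only sized to match the report's 0x00400000-0x004B7000 span.

```python
"""UPX section-table heuristic over a constructed PE image (added example)."""
import struct

UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_sections(image: bytes):
    """Return [(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)]."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", image, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, vsize, vaddr, rsize, rptr))
    return sections


def mapped_size(image: bytes, page: int = 0x1000) -> int:
    """Page-rounded end of the last section: the span the loader maps.
    The report's dumps cover 0x004B7000 - 0x00400000 = 0xB7000 bytes."""
    end = max(vaddr + vsize for _, vsize, vaddr, _, _ in parse_sections(image))
    return -(-end // page) * page


def upx_indicators(image: bytes) -> dict:
    """Name check plus the classic layout: UPX0 has VirtualSize > 0 but
    SizeOfRawData == 0, because the stub in UPX1 decompresses into it at
    run time. Both traits survive in a dump of the running process."""
    secs = parse_sections(image)
    names = [s[0] for s in secs]
    named = bool(UPX_NAMES & set(names))
    zero_raw = [s[0] for s in secs if s[3] == 0 and s[1] > 0]
    return {
        "sections": [n.decode() for n in names],
        "upx_named": named,
        "zero_raw": [n.decode() for n in zero_raw],
        "verdict": named and b"UPX0" in zero_raw,
    }


def build_image(sections) -> bytes:
    """Construct a header-only PE32 image with the given section headers (demo only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    opt_size = 0xE0                                            # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rsize, rptr in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed layouts (assumptions). PACKED is sized to the report's 0xB7000 span.
PACKED = build_image([
    (b"UPX0", 0x8F000, 0x01000, 0x00000, 0x400),
    (b"UPX1", 0x26000, 0x90000, 0x25C00, 0x400),
    (b".rsrc", 0x01000, 0xB6000, 0x00A00, 0x26000),
])
CLEAN = build_image([
    (b".text", 0x40000, 0x01000, 0x40000, 0x400),
    (b".data", 0x08000, 0x41000, 0x02000, 0x40400),
    (b".rsrc", 0x01000, 0x49000, 0x00A00, 0x42400),
])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("clean", CLEAN)):
        print(label, hex(mapped_size(img)), upx_indicators(img))
```

Point the parser at a raw dump of the region (it starts with the MZ header) to get the same answer the YARA tag gives, plus the section names the rule does not print.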
Suspicious use of SetThreadContext  3 IoCs
Processes:
  PID 844 (59fdbe976e9178c52e3a198033e704c0_NEAS.exe) set thread context of PID 2064  procid_target 96
  PID 3328 (winupd.exe) set thread context of PID 2056  procid_target 100
  PID 3328 (winupd.exe) set thread context of PID 4940  procid_target 101
Each target is a fresh copy of the caller's own image (see the WriteProcessMemory entries below for the same pairs): the RunPE / process-hollowing pattern, applied twice, once by the dropper and once by the dropped winupd.exe.
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash  1 IoCs
Processes:
  PID 400  WerFault.exe  pid_target 224  procid_target 102
pid_target 224 is ipconfig.exe, so the crash is in the recon child, not in the RAT itself.
Gathers network information  2 TTPs  1 IoCs
Uses commandline utility to view network configuration.
Processes:
  PID 224  ipconfig.exe
Suspicious use of AdjustPrivilegeToken  24 IoCs
Processes:
  PID 4940  winupd.exe  enabled tokens:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (the last four are reported by LUID only)
Only the final, hollowed winupd.exe (PID 4940) adjusts its token, and it enables every privilege it holds rather than just SeDebugPrivilege.
Suspicious use of SetWindowsHookEx  5 IoCs
Processes:
  PID 844   59fdbe976e9178c52e3a198033e704c0_NEAS.exe
  PID 2064  59fdbe976e9178c52e3a198033e704c0_NEAS.exe
  PID 3328  winupd.exe
  PID 2056  winupd.exe
  PID 4940  winupd.exe
Suspicious use of WriteProcessMemory  32 IoCs
Processes (writer -> target, count, procid_target):
  PID 844 (59fdbe976e9178c52e3a198033e704c0_NEAS.exe) wrote to memory of PID 2064   x8  procid_target 96
  PID 2064 (59fdbe976e9178c52e3a198033e704c0_NEAS.exe) wrote to memory of PID 3328  x3  procid_target 97
  PID 3328 (winupd.exe) wrote to memory of PID 2056  x8  procid_target 100
  PID 3328 (winupd.exe) wrote to memory of PID 4940  x8  procid_target 101
  PID 2056 (winupd.exe) wrote to memory of PID 224   x5  procid_target 102
The three 8-write pairs are the same pairs that appear under SetThreadContext; the 3- and 5-write pairs (2064 -> 3328, 2056 -> 224) have no matching SetThreadContext and are ordinary child launches, where process creation itself writes the child's parameter block.
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\59fdbe976e9178c52e3a198033e704c0_NEAS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\59fdbe976e9178c52e3a198033e704c0_NEAS.exe"
    PID: 844
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\59fdbe976e9178c52e3a198033e704c0_NEAS.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\59fdbe976e9178c52e3a198033e704c0_NEAS.exe"
      PID: 2064
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
        PID: 3328
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      (depth 4) C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
          PID: 2056
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        (depth 5) C:\Windows\SysWOW64\ipconfig.exe
            Command line: "C:\Windows\system32\ipconfig.exe"
            PID: 224
            - Gathers network information
            (The image path is SysWOW64 although the command line names system32: the 32-bit winupd.exe is subject to WoW64 file system redirection, so the 32-bit ipconfig.exe ran.)
          (depth 6) C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 272
              PID: 400
              - Program crash
      (depth 4) C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
          PID: 4940
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

(depth 1) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 224 -ip 224
    PID: 640
    (Second WerFault instance for the same crashed process, PID 224.)
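The chain above is what a detection should key on rather than the file hash: a binary that re-launches its own image and rewrites it (WriteProcessMemory plus SetThreadContext on the same parent/child pair), a dropped executable under the roaming profile, a built-in recon tool spawned from that user-writable path, and SeDebugPrivilege enabled by the same process. The following is an added example, not code from the sandbox, the report or any vendor product: the four checks run over an event list constructed from the report's Signatures and Processes sections. Field names are invented for the example and map onto Sysmon event IDs 1, 8 and 10 or equivalent EDR telemetry; the RECON_TOOLS set and the user-writable-path heuristic go beyond what the report shows and are assumptions.

```python
"""Process-chain detection over events constructed from the report (added example)."""
from collections import defaultdict

NEAS = r"C:\Users\Admin\AppData\Local\Temp\59fdbe976e9178c52e3a198033e704c0_NEAS.exe"
WINUPD = r"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
IPCONFIG = r"C:\Windows\SysWOW64\ipconfig.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the report. ppid None = root of the sandbox tree (parent not shown).
EVENTS = [
    {"ev": "proc", "pid": 844, "ppid": None, "image": NEAS},
    {"ev": "proc", "pid": 2064, "ppid": 844, "image": NEAS},
    {"ev": "proc", "pid": 3328, "ppid": 2064, "image": WINUPD, "cmd": WINUPD + " -notray"},
    {"ev": "proc", "pid": 2056, "ppid": 3328, "image": WINUPD},
    {"ev": "proc", "pid": 4940, "ppid": 3328, "image": WINUPD},
    {"ev": "proc", "pid": 224, "ppid": 2056, "image": IPCONFIG},
    {"ev": "proc", "pid": 400, "ppid": 224, "image": WERFAULT},
    # WriteProcessMemory pairs (wpm) and SetThreadContext pairs (stc) from the Signatures section
    *({"ev": "wpm", "src": s, "dst": d} for s, d in
      [(844, 2064), (2064, 3328), (3328, 2056), (3328, 4940), (2056, 224)]),
    *({"ev": "stc", "src": s, "dst": d} for s, d in [(844, 2064), (3328, 2056), (3328, 4940)]),
    # Subset of the 24 tokens the report lists for PID 4940
    {"ev": "priv", "pid": 4940, "enabled": ["SeDebugPrivilege", "SeLoadDriverPrivilege", "SeImpersonatePrivilege"]},
]

RECON_TOOLS = {"ipconfig.exe", "whoami.exe", "systeminfo.exe", "netstat.exe"}  # assumption: wider than the report


def _index(events):
    procs = {e["pid"]: e for e in events if e["ev"] == "proc"}
    pairs = defaultdict(set)
    for e in events:
        if e["ev"] in ("wpm", "stc"):
            pairs[(e["src"], e["dst"])].add(e["ev"])
    return procs, pairs


def user_writable(image: str) -> bool:
    """Crude path heuristic (assumption): anything under a user profile."""
    p = image.lower()
    return "\\appdata\\" in p or "\\users\\" in p


def hollowing_pairs(events):
    """Parent both wrote into a child and replaced its thread context: the RunPE /
    process-hollowing shape. A write alone is not enough, because process creation
    writes the child's parameter block too (2064 -> 3328 and 2056 -> 224 stay quiet)."""
    procs, pairs = _index(events)
    hits = []
    for (src, dst), kinds in sorted(pairs.items()):
        if {"wpm", "stc"} <= kinds:
            same_image = procs[src]["image"] == procs[dst]["image"]
            hits.append((src, dst, same_image))
    return hits


def dropped_exe_runs(events, root="\\appdata\\roaming\\"):
    """Executables started from the roaming profile (the report's winupd.exe)."""
    return sorted(e["pid"] for e in events if e["ev"] == "proc" and root in e["image"].lower())


def recon_from_untrusted_parent(events):
    """Built-in recon utility whose parent runs from a user-writable path."""
    procs, _ = _index(events)
    hits = []
    for e in procs.values():
        name = e["image"].rsplit("\\", 1)[-1].lower()
        parent = procs.get(e["ppid"])
        if name in RECON_TOOLS and parent and user_writable(parent["image"]):
            hits.append((e["ppid"], e["pid"], name))
    return sorted(hits)


def debug_priv_from_untrusted(events):
    """SeDebugPrivilege enabled by a process that lives under a user profile."""
    procs, _ = _index(events)
    return sorted(e["pid"] for e in events if e["ev"] == "priv"
                  and "SeDebugPrivilege" in e["enabled"]
                  and user_writable(procs[e["pid"]]["image"]))


def chain(events, pid):
    """Ancestry of pid, root first, as image basenames."""
    procs, _ = _index(events)
    out = []
    while pid in procs:
        out.append(procs[pid]["image"].rsplit("\\", 1)[-1])
        pid = procs[pid]["ppid"]
    return out[::-1]


def summarize(events):
    return {
        "hollowing": hollowing_pairs(events),
        "dropped_exe": dropped_exe_runs(events),
        "recon": recon_from_untrusted_parent(events),
        "sedebug": debug_priv_from_untrusted(events),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key:12} {value}")
    print("chain to ipconfig:", " -> ".join(chain(EVENTS, 224)))
```

The hollowing check is the one worth tuning on real telemetry: require both the write and the context change on the same (parent, child) pair, and treat same_image True as the stronger signal, since a benign parent rarely re-launches and rewrites a copy of itself.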
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 520KB
MD5: 4b1c9e4480c2b4dd002071b8a8756253
SHA1: a839b57c19f2dba5c22a5bdbf888121dbed1e425
SHA256: ebd3861fc873d434dabed3099dcbd50e7091f1f90297c5453a76d0ab748f5a8b
SHA512: 6f754b0f912cd913fdd5554c73ff1f91c1b8f2d5ef5cd56e95104dc23ee46e9d3986e65174d8a4a4890e620246c8c0ecf815ea0cb0cef1773391d8723f8d7ed2