Analysis
- max time kernel: 149s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 04:25
Behavioral task behavioral1
- Sample: 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe
- Resource: win7-20240419-en
Behavioral task behavioral2
- Sample: 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe
- Resource: win10v2004-20240419-en
General
- Target: 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe
- Size: 592KB
- MD5: 65db97bc471b2c790aaabb6f4501d8b0
- SHA1: 91ec31524c2de7edd03e924bac0271fedeef384a
- SHA256: 2ab0496f028ab7d556cf1bedb6d9c1f576652e6db08f1bf466f1a67483934851
- SHA512: 7fa17eda802868a631ecaa89941673d6d9c2db472c3622b99d119c894bafa13bdb16cc31aeecffc15c7e3641eabfdda7cea1c85ed37046defeda916fa421620b
- SSDEEP: 12288:wcWRJxhIUKofd9S88itJsL6s8GwUF81yn0FI/6IC0XoSY:TW/xhIUKofSytJsL6HUP0OHC9
Malware Config

Signatures
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
- Soundcrd.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
Executes dropped EXE (3 IoCs)
- PID 2856 Soundcrd.exe
- PID 2544 Soundcrd.exe
- PID 2972 Soundcrd.exe
Loads dropped DLL (5 IoCs)
- PID 2844 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe (5 identical entries)
Processes (yara_rule upx matches):
- behavioral1/memory/2844-0-0x0000000000400000-0x00000000007EB000-memory.dmp (upx)
- behavioral1/files/0x0035000000016126-27.dat (upx)
- behavioral1/memory/2856-46-0x0000000000400000-0x00000000007EB000-memory.dmp (upx)
- behavioral1/memory/2844-48-0x0000000000400000-0x00000000007EB000-memory.dmp (upx)
- behavioral1/memory/2544-54-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2544-52-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2544-55-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2544-56-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2544-57-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2972-59-0x0000000000400000-0x0000000000409000-memory.dmp (upx)
- behavioral1/memory/2544-58-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2856-60-0x0000000000400000-0x00000000007EB000-memory.dmp (upx)
- behavioral1/memory/2972-64-0x0000000000400000-0x0000000000409000-memory.dmp (upx)
- behavioral1/memory/2972-63-0x0000000000400000-0x0000000000409000-memory.dmp (upx)
- behavioral1/memory/2544-62-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2544-67-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2544-66-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2544-69-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2972-70-0x0000000000400000-0x0000000000409000-memory.dmp (upx)
- behavioral1/memory/2544-73-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2544-77-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2544-81-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2544-85-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2544-89-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
- behavioral1/memory/2544-93-0x0000000000400000-0x00000000004B5000-memory.dmp (upx)
Adds Run key to start application (2 TTPs, 1 IoC)
- reg.exe: set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe"
Suspicious use of SetThreadContext (2 IoCs)
- PID 2856 Soundcrd.exe set thread context of PID 2544 (procid_target 32)
- PID 2856 Soundcrd.exe set thread context of PID 2972 (procid_target 33)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Soundcrd.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Soundcrd.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Soundcrd.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Soundcrd.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
Enumerates system info in registry (2 TTPs, 1 IoC)
- Soundcrd.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Suspicious use of AdjustPrivilegeToken (24 IoCs)
- PID 2544 Soundcrd.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 2972 Soundcrd.exe, tokens: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 2844 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe
- PID 2856 Soundcrd.exe
- PID 2972 Soundcrd.exe
Suspicious use of WriteProcessMemory (30 IoCs)
- PID 2844 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe wrote to memory of PID 2688 (procid_target 28): 4 entries
- PID 2688 cmd.exe wrote to memory of PID 2708 (procid_target 30): 4 entries
- PID 2844 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe wrote to memory of PID 2856 (procid_target 31): 4 entries
- PID 2856 Soundcrd.exe wrote to memory of PID 2544 (procid_target 32): 9 entries
- PID 2856 Soundcrd.exe wrote to memory of PID 2972 (procid_target 33): 9 entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe (PID 2844)
  Command line: "C:\Users\Admin\AppData\Local\Temp\65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2688)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RMkLj.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe (PID 2708)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
      Signatures: Adds Run key to start application
  - [2] C:\Users\Admin\AppData\Roaming\Soundcrd.exe (PID 2856)
    Command line: "C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Soundcrd.exe (PID 2544)
      Command line: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      Signatures: Checks BIOS information in registry; Executes dropped EXE; Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Roaming\Soundcrd.exe (PID 2972)
      Command line: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 139B
  MD5: 173bcce4810d4901872d0ef4f0bfea4e
  SHA1: 561b03fdfe68b6419fddf57f32e1aab9a6126a2f
  SHA256: 10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d
  SHA512: 2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e
- Filesize: 592KB
  MD5: 8f4e6fcf3cfaa72a6a80173de24ff4fa
  SHA1: 6a8c2bb40191e0c8b49bdf8a790313c6d9c25601
  SHA256: df5fc237e1c2b089270adc6ccdaf18f70c2f88e0ec07441595b727261d345b0f
  SHA512: 4847d6bd739159fea166c8346fd88bfd923676aca4ee979d35a34c5dcd71c07f7291409c826b1ab43913de39a25d74c7d6d2e2091ea283c7053d241e02e91cab