Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 04:25
Behavioral task behavioral1: sample 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe, resource win7-20240419-en
Behavioral task behavioral2: sample 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe, resource win10v2004-20240419-en
General
Target: 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe
Size: 592KB
MD5: 65db97bc471b2c790aaabb6f4501d8b0
SHA1: 91ec31524c2de7edd03e924bac0271fedeef384a
SHA256: 2ab0496f028ab7d556cf1bedb6d9c1f576652e6db08f1bf466f1a67483934851
SHA512: 7fa17eda802868a631ecaa89941673d6d9c2db472c3622b99d119c894bafa13bdb16cc31aeecffc15c7e3641eabfdda7cea1c85ed37046defeda916fa421620b
SSDEEP: 12288:wcWRJxhIUKofd9S88itJsL6s8GwUF81yn0FI/6IC0XoSY:TW/xhIUKofSytJsL6HUP0OHC9
Malware Config
Signatures
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: Soundcrd.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (Soundcrd.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation (65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe)
Executes dropped EXE (3 IoCs)
Processes: Soundcrd.exe, Soundcrd.exe, Soundcrd.exe
  PID 2204: Soundcrd.exe
  PID 4896: Soundcrd.exe
  PID 2804: Soundcrd.exe
YARA rule match: upx (resource, yara_rule)
  behavioral2/memory/1968-0-0x0000000000400000-0x00000000007EB000-memory.dmp  upx
  behavioral2/files/0x000b000000023b95-16.dat  upx
  behavioral2/memory/1968-29-0x0000000000400000-0x00000000007EB000-memory.dmp  upx
  behavioral2/memory/4896-32-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/4896-35-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/2804-37-0x0000000000400000-0x0000000000409000-memory.dmp  upx
  behavioral2/memory/4896-36-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/2804-40-0x0000000000400000-0x0000000000409000-memory.dmp  upx
  behavioral2/memory/2804-42-0x0000000000400000-0x0000000000409000-memory.dmp  upx
  behavioral2/memory/4896-48-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/4896-47-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/4896-51-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/4896-50-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/4896-49-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/2204-46-0x0000000000400000-0x00000000007EB000-memory.dmp  upx
  behavioral2/memory/4896-52-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/2804-53-0x0000000000400000-0x0000000000409000-memory.dmp  upx
  behavioral2/memory/4896-56-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/4896-60-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/4896-64-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/4896-68-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/4896-72-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
  behavioral2/memory/4896-76-0x0000000000400000-0x00000000004B5000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: reg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe" (reg.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes: Soundcrd.exe
  PID 2204 (Soundcrd.exe) set thread context of PID 4896, procid_target 89
  PID 2204 (Soundcrd.exe) set thread context of PID 2804, procid_target 90
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Soundcrd.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Soundcrd.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (Soundcrd.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Soundcrd.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Soundcrd.exe)
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes: Soundcrd.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (Soundcrd.exe)
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes: Soundcrd.exe, Soundcrd.exe
  PID 2804 (Soundcrd.exe): SeDebugPrivilege
  PID 4896 (Soundcrd.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe, Soundcrd.exe, Soundcrd.exe
  PID 1968: 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe
  PID 2204: Soundcrd.exe
  PID 2804: Soundcrd.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: 65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe, cmd.exe, Soundcrd.exe
  PID 1968 (65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe) wrote to memory of PID 3140, procid_target 83 (3 events)
  PID 3140 (cmd.exe) wrote to memory of PID 4268, procid_target 86 (3 events)
  PID 1968 (65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe) wrote to memory of PID 2204, procid_target 87 (3 events)
  PID 2204 (Soundcrd.exe) wrote to memory of PID 4896, procid_target 89 (8 events)
  PID 2204 (Soundcrd.exe) wrote to memory of PID 2804, procid_target 90 (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe (PID 1968)
  command line: "C:\Users\Admin\AppData\Local\Temp\65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe"
  signatures: Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3140)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKJED.bat" "
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 4268)
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
      signatures: Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\Soundcrd.exe (PID 2204)
    command line: "C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Soundcrd.exe (PID 4896)
      command line: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      signatures: Checks BIOS information in registry; Executes dropped EXE; Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\Soundcrd.exe (PID 2804)
      command line: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
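The chain above (reg.exe writing a misspelled "Mcrosoftt" Run value that points into AppData\Roaming, the parent Soundcrd.exe calling SetThreadContext and WriteProcessMemory on two children started from its own image, and the child reading SystemBiosDate, CentralProcessor\0 and System\Identifier) maps directly onto three detections. The Python below is an added example written for this page; it is not part of the sandbox report and not code from the sample. The events it runs over are constructed to mirror the report's PIDs and IoCs, and the event names and field layout (ProcessCreate, RegistryValueSet, RegistryQuery, WriteProcessMemory with pid/ppid/image/target/details) are an assumed generic schema, not any specific product's.

```python
"""Detection logic for the behaviours in this report: Run-key persistence
into a user-writable path, self-injection (a process writing into a child
started from its own image), and sandbox-fingerprint registry reads.
Events below are constructed from the report's IoCs, not real telemetry."""
import re

# Registry locations the sample read; all are common VM/sandbox fingerprints.
FINGERPRINT_KEYS = (
    r"\HARDWARE\DESCRIPTION\System\SystemBiosDate",
    r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
    r"\HARDWARE\DESCRIPTION\System\Identifier",
)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted value names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def detect_run_key_persistence(events):
    """Run values whose data lives under AppData; note Microsoft lookalikes."""
    hits = []
    for e in events:
        if e["event"] != "RegistryValueSet":
            continue
        m = RUN_VALUE.search(e["target"])
        if not m or not USER_WRITABLE.search(e["details"]):
            continue
        name = m.group(1)
        lookalike = name.lower() != "microsoft" and edit_distance(name.lower(), "microsoft") <= 2
        hits.append({"pid": e["pid"], "value": name, "path": e["details"], "lookalike": lookalike})
    return hits


def detect_self_injection(events):
    """(parent, child) pairs where a parent writes into a child it spawned
    from its own image: the SetThreadContext + WriteProcessMemory pattern."""
    creates = {e["pid"]: e for e in events if e["event"] == "ProcessCreate"}
    hits = set()
    for e in events:
        if e["event"] != "WriteProcessMemory":
            continue
        src, dst = creates.get(e["source_pid"]), creates.get(e["target_pid"])
        if src and dst and dst["ppid"] == src["pid"] and src["image"].lower() == dst["image"].lower():
            hits.add((src["pid"], dst["pid"]))
    return sorted(hits)


def detect_fingerprinting(events, min_keys=2):
    """Processes under AppData that read at least min_keys fingerprint keys."""
    seen = {}
    for e in events:
        if e["event"] != "RegistryQuery":
            continue
        for key in FINGERPRINT_KEYS:
            if key.lower() in e["target"].lower():
                seen.setdefault((e["pid"], e["image"]), set()).add(key)
    return sorted(
        ({"pid": pid, "image": img, "keys": sorted(keys)}
         for (pid, img), keys in seen.items()
         if len(keys) >= min_keys and USER_WRITABLE.search(img)),
        key=lambda h: h["pid"],
    )


SOUNDCRD = r"C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
SAMPLE_EVENTS = [  # constructed, shaped after the report; PIDs are the report's
    {"event": "ProcessCreate", "pid": 1968, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\65db97bc471b2c790aaabb6f4501d8b0_NEAS.exe"},
    {"event": "ProcessCreate", "pid": 3140, "ppid": 1968, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"event": "ProcessCreate", "pid": 4268, "ppid": 3140, "image": r"C:\Windows\SysWOW64\reg.exe"},
    {"event": "RegistryValueSet", "pid": 4268, "details": SOUNDCRD,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt"},
    {"event": "ProcessCreate", "pid": 2204, "ppid": 1968, "image": SOUNDCRD},
    {"event": "ProcessCreate", "pid": 4896, "ppid": 2204, "image": SOUNDCRD},
    {"event": "ProcessCreate", "pid": 2804, "ppid": 2204, "image": SOUNDCRD},
    {"event": "WriteProcessMemory", "source_pid": 1968, "target_pid": 3140},  # different image: no alert
    {"event": "WriteProcessMemory", "source_pid": 2204, "target_pid": 4896},
    {"event": "WriteProcessMemory", "source_pid": 2204, "target_pid": 2804},
    {"event": "RegistryQuery", "pid": 4896, "image": SOUNDCRD,
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate"},
    {"event": "RegistryQuery", "pid": 4896, "image": SOUNDCRD,
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier"},
    {"event": "RegistryQuery", "pid": 4896, "image": SOUNDCRD,
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier"},
    {"event": "RegistryQuery", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",  # benign
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
]

if __name__ == "__main__":
    print("persistence:", detect_run_key_persistence(SAMPLE_EVENTS))
    print("self-injection:", detect_self_injection(SAMPLE_EVENTS))
    print("fingerprinting:", detect_fingerprinting(SAMPLE_EVENTS))
```

The self-injection rule deliberately requires the same image on both sides: the parent also writes into cmd.exe (PID 3140), which is ordinary child setup and must not fire. The report's memory map supports the injection reading: the parent's image spans 0x400000-0x7EB000 while the children map 0x400000-0x4B5000 and 0x400000-0x409000, consistent with a different payload having been placed in each child before its thread context was reset.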
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 139B
  MD5: 173bcce4810d4901872d0ef4f0bfea4e
  SHA1: 561b03fdfe68b6419fddf57f32e1aab9a6126a2f
  SHA256: 10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d
  SHA512: 2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e
- Filesize: 592KB
  MD5: 7527ea14729fdde1e242dc992e7aab1c
  SHA1: 9bb64899b7b54a576ea12b109777bb40e5e7963f
  SHA256: f5bb009d7421565e18efda15a17485436f18caff30fc3108bcf1d8fa9e24ed0e
  SHA512: 9a22f7a721cac8c0b213aca7dba3f1c0e5382961a6b98227a835b61b8fa652388e097b92a5e128b543320f44308de89f329bfc69075e2e3964ec80fa47f5734b