Analysis
-
max time kernel
144s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07/05/2024, 03:53
Behavioral task
behavioral1
Sample
6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe
Resource
win10v2004-20240419-en
General
-
Target
6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe
-
Size
248KB
-
MD5
6034c4f4fd7240dc2f0331a916a43c00
-
SHA1
bf49b157864df4e65150b9093bf6d957cf864641
-
SHA256
d701cb5b78ad384ed221a35e2c03313fa8803ce051104a997786b87ff4c32ea2
-
SHA512
65f85460c629ee29c8252a3cb641023e319450032942c034852189cb5480034585ce0981a5cf95491069df4c8cac00df96184ac40e3c1db47dc02ae1ff69d04f
-
SSDEEP
6144:6lez2ssftlVN+zBfGrSWm+omDAgQsSygGG2SzA9T2:H6silNoGSJ+omDAdsWGLS8k
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2980 pjamq.exe -
Executes dropped EXE 2 IoCs
pid Process 2980 pjamq.exe 2884 frnz.exe -
Loads dropped DLL 7 IoCs
pid Process 2184 cmd.exe 2184 cmd.exe 2980 pjamq.exe 2884 frnz.exe 2884 frnz.exe 2884 frnz.exe 2884 frnz.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/1152-1-0x0000000000400000-0x000000000047301D-memory.dmp upx behavioral1/files/0x000c00000001441e-2.dat upx behavioral1/memory/2980-11-0x0000000000400000-0x000000000047301D-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfl = "c:\\Program Files\\kyazhh\\frnz.exe \"c:\\Program Files\\kyazhh\\frnzk.dll\",WriteErrorLog" frnz.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\l: frnz.exe File opened (read-only) \??\r: frnz.exe File opened (read-only) \??\y: frnz.exe File opened (read-only) \??\a: frnz.exe File opened (read-only) \??\b: frnz.exe File opened (read-only) \??\j: frnz.exe File opened (read-only) \??\k: frnz.exe File opened (read-only) \??\v: frnz.exe File opened (read-only) \??\x: frnz.exe File opened (read-only) \??\e: frnz.exe File opened (read-only) \??\i: frnz.exe File opened (read-only) \??\m: frnz.exe File opened (read-only) \??\q: frnz.exe File opened (read-only) \??\g: frnz.exe File opened (read-only) \??\h: frnz.exe File opened (read-only) \??\n: frnz.exe File opened (read-only) \??\u: frnz.exe File opened (read-only) \??\w: frnz.exe File opened (read-only) \??\z: frnz.exe File opened (read-only) \??\o: frnz.exe File opened (read-only) \??\p: frnz.exe File opened (read-only) \??\s: frnz.exe File opened (read-only) \??\t: frnz.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 frnz.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification \??\c:\Program Files\kyazhh pjamq.exe File created \??\c:\Program Files\kyazhh\frnzk.dll pjamq.exe File created \??\c:\Program Files\kyazhh\frnz.exe pjamq.exe File opened for modification \??\c:\Program Files\kyazhh\frnz.exe pjamq.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString frnz.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 frnz.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1912 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2884 frnz.exe 2884 frnz.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2884 frnz.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1152 6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe 2980 pjamq.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1152 wrote to memory of 2184 1152 6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe 28 PID 1152 wrote to memory of 2184 1152 6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe 28 PID 1152 wrote to memory of 2184 1152 6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe 28 PID 1152 wrote to memory of 2184 1152 6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe 28 PID 2184 wrote to memory of 1912 2184 cmd.exe 30 PID 2184 wrote to memory of 1912 2184 cmd.exe 30 PID 2184 wrote to memory of 1912 2184 cmd.exe 30 PID 2184 wrote to memory of 1912 2184 cmd.exe 30 PID 2184 wrote to memory of 2980 2184 cmd.exe 31 PID 2184 wrote to memory of 2980 2184 cmd.exe 31 PID 2184 wrote to memory of 2980 2184 cmd.exe 31 PID 2184 wrote to memory of 2980 2184 cmd.exe 31 PID 2980 wrote to memory of 2884 2980 pjamq.exe 32 PID 2980 wrote to memory of 2884 2980 pjamq.exe 32 PID 2980 wrote to memory of 2884 2980 pjamq.exe 32 PID 2980 wrote to memory of 2884 2980 pjamq.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\pjamq.exe "C:\Users\Admin\AppData\Local\Temp\6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:1912
-
-
C:\Users\Admin\AppData\Local\Temp\pjamq.exeC:\Users\Admin\AppData\Local\Temp\\pjamq.exe "C:\Users\Admin\AppData\Local\Temp\6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\Program Files\kyazhh\frnz.exe"c:\Program Files\kyazhh\frnz.exe" "c:\Program Files\kyazhh\frnzk.dll",WriteErrorLog C:\Users\Admin\AppData\Local\Temp\pjamq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
181KB
MD5e4151202a2a65d0d54e26b865c9a944f
SHA1cf2a08013c3daf99745898a7ff8022ed282fce34
SHA2567f24733875cc46a27fc695370b068e3fe0502e47e3f30128ee9cbb023f74c2fd
SHA5125bf41f31b2e44b1f5dbd7d2a78bf56d018e1c3e5a0d633d584f1b6700a96d18fe92343a03acc78c974164a50afaad38268ddd3f0641c930faf78f15342b5dae5
-
Filesize
248KB
MD5e9e7d97d53cb3a179131b5f66ccde20c
SHA1563330ea45a691cda3cb51881302ddaac75a65ad
SHA2561d5876ec77d1c7c0312cdfb906ee09f3487f084dbcb5d58d72335da169a57d2b
SHA512c5728ec35f11d842a13238986a074ba75f6b01d39f38887b57ba427417f0e44a3799d3fd6a224a57f8d2ca8a860635ad3dbc41be6a575f931bd81e56dfde9ae3