Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 03:53
Behavioral task
behavioral1
Sample
6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe
Resource
win10v2004-20240419-en
General
-
Target
6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe
-
Size
248KB
-
MD5
6034c4f4fd7240dc2f0331a916a43c00
-
SHA1
bf49b157864df4e65150b9093bf6d957cf864641
-
SHA256
d701cb5b78ad384ed221a35e2c03313fa8803ce051104a997786b87ff4c32ea2
-
SHA512
65f85460c629ee29c8252a3cb641023e319450032942c034852189cb5480034585ce0981a5cf95491069df4c8cac00df96184ac40e3c1db47dc02ae1ff69d04f
-
SSDEEP
6144:6lez2ssftlVN+zBfGrSWm+omDAgQsSygGG2SzA9T2:H6silNoGSJ+omDAdsWGLS8k
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 4636 moqygyyci.exe -
Executes dropped EXE 2 IoCs
pid Process 4636 moqygyyci.exe 3504 pto.exe -
Loads dropped DLL 1 IoCs
pid Process 3504 pto.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/2436-1-0x0000000000400000-0x000000000047301D-memory.dmp upx behavioral2/files/0x000c000000023b54-3.dat upx behavioral2/memory/4636-9-0x0000000000400000-0x000000000047301D-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfl = "c:\\Program Files\\fudki\\pto.exe \"c:\\Program Files\\fudki\\ptoeb.dll\",WriteErrorLog" pto.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\v: pto.exe File opened (read-only) \??\y: pto.exe File opened (read-only) \??\i: pto.exe File opened (read-only) \??\n: pto.exe File opened (read-only) \??\q: pto.exe File opened (read-only) \??\u: pto.exe File opened (read-only) \??\w: pto.exe File opened (read-only) \??\x: pto.exe File opened (read-only) \??\z: pto.exe File opened (read-only) \??\e: pto.exe File opened (read-only) \??\l: pto.exe File opened (read-only) \??\m: pto.exe File opened (read-only) \??\s: pto.exe File opened (read-only) \??\t: pto.exe File opened (read-only) \??\g: pto.exe File opened (read-only) \??\o: pto.exe File opened (read-only) \??\p: pto.exe File opened (read-only) \??\j: pto.exe File opened (read-only) \??\k: pto.exe File opened (read-only) \??\r: pto.exe File opened (read-only) \??\a: pto.exe File opened (read-only) \??\b: pto.exe File opened (read-only) \??\h: pto.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 pto.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification \??\c:\Program Files\fudki moqygyyci.exe File created \??\c:\Program Files\fudki\ptoeb.dll moqygyyci.exe File created \??\c:\Program Files\fudki\pto.exe moqygyyci.exe File opened for modification \??\c:\Program Files\fudki\pto.exe moqygyyci.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 pto.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString pto.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4932 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3504 pto.exe 3504 pto.exe 3504 pto.exe 3504 pto.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3504 pto.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2436 6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe 4636 moqygyyci.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2436 wrote to memory of 3320 2436 6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe 84 PID 2436 wrote to memory of 3320 2436 6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe 84 PID 2436 wrote to memory of 3320 2436 6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe 84 PID 3320 wrote to memory of 4932 3320 cmd.exe 87 PID 3320 wrote to memory of 4932 3320 cmd.exe 87 PID 3320 wrote to memory of 4932 3320 cmd.exe 87 PID 3320 wrote to memory of 4636 3320 cmd.exe 90 PID 3320 wrote to memory of 4636 3320 cmd.exe 90 PID 3320 wrote to memory of 4636 3320 cmd.exe 90 PID 4636 wrote to memory of 3504 4636 moqygyyci.exe 91 PID 4636 wrote to memory of 3504 4636 moqygyyci.exe 91 PID 4636 wrote to memory of 3504 4636 moqygyyci.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\moqygyyci.exe "C:\Users\Admin\AppData\Local\Temp\6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:4932
-
-
C:\Users\Admin\AppData\Local\Temp\moqygyyci.exeC:\Users\Admin\AppData\Local\Temp\\moqygyyci.exe "C:\Users\Admin\AppData\Local\Temp\6034c4f4fd7240dc2f0331a916a43c00_NEAS.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\Program Files\fudki\pto.exe"c:\Program Files\fudki\pto.exe" "c:\Program Files\fudki\ptoeb.dll",WriteErrorLog C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
248KB
MD5f7174f19958831c392810746534be5e3
SHA1dbfa6d2153ef7034d58e75b41c06a33bc2282b56
SHA25681f487c89ff4d938f22b53a503788e2a6e8ee66cd3bb8ca92b86f2b9b0029700
SHA5121867fcd4865271a9a72f61c4f2086dee557b352f906beafc7bda560fd5d7be8eb2ba9b7bc64159d7bf7bc8cc395740acc2e243cb0112347ce9e908538aec8049
-
Filesize
181KB
MD599b5167c22f528c05eb2585b087feef9
SHA146bc6e0c6b67f10b48ceb052d2e4bf8de53af512
SHA256a6ae455f62bfaa8bbcc430846c676408c69733749df63088f3fa7be9e066dc8c
SHA512632fe07761752ba4d5cfe655fe280095203c2eaf816368099a9f663fb1ccc9424bbe60e8905376955cb6e80e9a0ece4ad4a85bef0a31ee7809d86e6490b421e4