Analysis
  max time kernel: 145s
  max time network: 145s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 07/05/2024, 04:41
Static task: static1
Behavioral task: behavioral1
  Sample: 692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe
  Resource: win10v2004-20240419-en
General
  Target: 692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe
  Size: 72KB
  MD5: 692ce1f8cb6f66d46bf5196bada8e8f0
  SHA1: c9458b3ed8876e209d882bb66e1f58db7ebfef38
  SHA256: b5ac65f16b86188e50a14c0853c2d395052d78ec2e6d3be4b13bddcc7d3fac24
  SHA512: e73c501c7bed11eb6da91bf7c59cd7ae412983401241e84fc9779e381da8ce7cd91f1febe25f25c511feb0a1bc8ea2238094deb710a59c15be2a6fdb566e158e
  SSDEEP: 768:qGHV45EDE477AZbUJx0rZGE3jCELoiMMj6hZ3nE+EXVmkDbjRL8Khc15Z6J1Su:qG14P477AxUYrZGoC09k0SkTRHhWqP
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  5     2632  rundll32.exe
  6     2632  rundll32.exe
  10    2632  rundll32.exe
  12    2632  rundll32.exe

Deletes itself (1 IoCs)
  pid   Process
  1648  qckno.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  1648  qckno.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  2632  rundll32.exe
  2632  rundll32.exe
  2632  rundll32.exe
  2632  rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                      Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\zodzf\\hrpjlyy.dll\",init"  rundll32.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description             ioc     Process
  File opened (read-only) \??\g:  rundll32.exe
  File opened (read-only) \??\k:  rundll32.exe
  File opened (read-only) \??\l:  rundll32.exe
  File opened (read-only) \??\o:  rundll32.exe
  File opened (read-only) \??\s:  rundll32.exe
  File opened (read-only) \??\a:  rundll32.exe
  File opened (read-only) \??\h:  rundll32.exe
  File opened (read-only) \??\i:  rundll32.exe
  File opened (read-only) \??\j:  rundll32.exe
  File opened (read-only) \??\m:  rundll32.exe
  File opened (read-only) \??\n:  rundll32.exe
  File opened (read-only) \??\q:  rundll32.exe
  File opened (read-only) \??\t:  rundll32.exe
  File opened (read-only) \??\v:  rundll32.exe
  File opened (read-only) \??\x:  rundll32.exe
  File opened (read-only) \??\r:  rundll32.exe
  File opened (read-only) \??\u:  rundll32.exe
  File opened (read-only) \??\y:  rundll32.exe
  File opened (read-only) \??\b:  rundll32.exe
  File opened (read-only) \??\e:  rundll32.exe
  File opened (read-only) \??\p:  rundll32.exe
  File opened (read-only) \??\w:  rundll32.exe
  File opened (read-only) \??\z:  rundll32.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                  Process
  File opened for modification  \??\PHYSICALDRIVE0   rundll32.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                               Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe
Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  1768  PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2632  rundll32.exe
  2632  rundll32.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2632  rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  756   692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe
  1648  qckno.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                       pid   Process                                     procid_target
  PID 756 wrote to memory of 2356   756   692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe  28
  PID 756 wrote to memory of 2356   756   692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe  28
  PID 756 wrote to memory of 2356   756   692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe  28
  PID 756 wrote to memory of 2356   756   692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe  28
  PID 2356 wrote to memory of 1768  2356  cmd.exe                                     30
  PID 2356 wrote to memory of 1768  2356  cmd.exe                                     30
  PID 2356 wrote to memory of 1768  2356  cmd.exe                                     30
  PID 2356 wrote to memory of 1768  2356  cmd.exe                                     30
  PID 2356 wrote to memory of 1648  2356  cmd.exe                                     31
  PID 2356 wrote to memory of 1648  2356  cmd.exe                                     31
  PID 2356 wrote to memory of 1648  2356  cmd.exe                                     31
  PID 2356 wrote to memory of 1648  2356  cmd.exe                                     31
  PID 1648 wrote to memory of 2632  1648  qckno.exe                                   32
  PID 1648 wrote to memory of 2632  1648  qckno.exe                                   32
  PID 1648 wrote to memory of 2632  1648  qckno.exe                                   32
  PID 1648 wrote to memory of 2632  1648  qckno.exe                                   32
  PID 1648 wrote to memory of 2632  1648  qckno.exe                                   32
  PID 1648 wrote to memory of 2632  1648  qckno.exe                                   32
  PID 1648 wrote to memory of 2632  1648  qckno.exe                                   32
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"
      PID: 756
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c ping 127.0.0.1 -n 2&c:\qckno.exe "C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"
        PID: 2356
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1 -n 2
          PID: 1768
          - Runs ping.exe

      [3] \??\c:\qckno.exe
          Command line: c:\qckno.exe "C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"
          PID: 1648
          - Deletes itself
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [4] \??\c:\windows\SysWOW64\rundll32.exe
            Command line: c:\windows\system32\rundll32.exe "c:\zodzf\hrpjlyy.dll",init c:\qckno.exe
            PID: 2632
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Adds Run key to start application
            - Enumerates connected drives
            - Writes to the Master Boot Record (MBR)
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Pre-OS Boot (1)
      Bootkit (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
Downloads
  Filesize: 72KB
  MD5: f1d8a4bb28c5a9bd2d35fc52cc18f05c
  SHA1: a9036a53fe85f67853bea72d00fefa22227b52e4
  SHA256: cf266154c4c13d36666249231b4035235c344e7b08ecd128f97f06d8e8c372d6
  SHA512: f68d7f5312769f3b20696895025eac8a056e80d661cbd215e8a9cde529a37d99f66891e3e0336ea8369b384ea92f24655a7d04552982b6ed816d96cec276c49e

  Filesize: 42KB
  MD5: 36e3fb5964d663272cf1169e1e1ca478
  SHA1: 58115e08b49505bcbbb5c88a28a86222ba18d5d4
  SHA256: c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
  SHA512: daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442