Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/05/2024, 04:41
Static task: static1
Behavioral task: behavioral1
- Sample: 692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe
- Resource: win10v2004-20240419-en
General
- Target: 692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe
- Size: 72KB
- MD5: 692ce1f8cb6f66d46bf5196bada8e8f0
- SHA1: c9458b3ed8876e209d882bb66e1f58db7ebfef38
- SHA256: b5ac65f16b86188e50a14c0853c2d395052d78ec2e6d3be4b13bddcc7d3fac24
- SHA512: e73c501c7bed11eb6da91bf7c59cd7ae412983401241e84fc9779e381da8ce7cd91f1febe25f25c511feb0a1bc8ea2238094deb710a59c15be2a6fdb566e158e
- SSDEEP: 768:qGHV45EDE477AZbUJx0rZGE3jCELoiMMj6hZ3nE+EXVmkDbjRL8Khc15Z6J1Su:qG14P477AxUYrZGoC09k0SkTRHhWqP
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
- flow 21, PID 2848, rundll32.exe
- flow 22, PID 2848, rundll32.exe
- flow 31, PID 2848, rundll32.exe

Deletes itself (1 IoC)
- PID 4384, cntfown.exe

Executes dropped EXE (1 IoC)
- PID 4384, cntfown.exe

Loads dropped DLL (1 IoC)
- PID 2848, rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\pykvujh\\yvfoca.dll\",init" by rundll32.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by rundll32.exe: \??\b:, \??\i:, \??\j:, \??\s:, \??\w:, \??\z:, \??\k:, \??\l:, \??\m:, \??\n:, \??\r:, \??\u:, \??\a:, \??\e:, \??\g:, \??\o:, \??\t:, \??\v:, \??\y:, \??\h:, \??\p:, \??\q:, \??\x:

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification \??\PHYSICALDRIVE0 by rundll32.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by rundll32.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by rundll32.exe

Runs ping.exe (1 TTP, 1 IoC)
- PID 1532, PING.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2848, rundll32.exe (reported 4 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 2848, rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 3116, 692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe
- PID 4384, cntfown.exe

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 3116 wrote to memory of 1144; process 692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe; procid_target 85 (3 events)
- PID 1144 wrote to memory of 1532; process cmd.exe; procid_target 87 (3 events)
- PID 1144 wrote to memory of 4384; process cmd.exe; procid_target 91 (3 events)
- PID 4384 wrote to memory of 2848; process cntfown.exe; procid_target 92 (3 events)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"
  PID: 3116
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&c:\cntfown.exe "C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"
    PID: 1144
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2
      PID: 1532
      - Runs ping.exe

    Depth 3: \??\c:\cntfown.exe
      Command line: c:\cntfown.exe "C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"
      PID: 4384
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Depth 4: \??\c:\windows\SysWOW64\rundll32.exe
        Command line: c:\windows\system32\rundll32.exe "c:\pykvujh\yvfoca.dll",init c:\cntfown.exe
        PID: 2848
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

Download 1
- Filesize: 72KB
- MD5: 338db61147fb5eb25b1bff03dda3f919
- SHA1: a275b42c2f1923c0388df4e4b06efa134beab299
- SHA256: a026d87923f616312faf43728146907f1cab658dc1f9ac9b417b6dd59fd163c2
- SHA512: 624de74e23d4ef0fd67453ffd15470081d4e6b7a37638ee91f7092ea5171305fe2acc30c1849d4da129d280648a60f7be017faa3f5658e8d6dd324fc5aebf8a9

Download 2
- Filesize: 42KB
- MD5: 36e3fb5964d663272cf1169e1e1ca478
- SHA1: 58115e08b49505bcbbb5c88a28a86222ba18d5d4
- SHA256: c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
- SHA512: daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442