Malware Analysis Report

2025-08-10 18:07

Sample ID 240507-fbgcwaaa7z
Target 692ce1f8cb6f66d46bf5196bada8e8f0_NEAS
SHA256 b5ac65f16b86188e50a14c0853c2d395052d78ec2e6d3be4b13bddcc7d3fac24
Tags: bootkit persistence spyware stealer
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: b5ac65f16b86188e50a14c0853c2d395052d78ec2e6d3be4b13bddcc7d3fac24

Threat Level: Likely malicious

The file 692ce1f8cb6f66d46bf5196bada8e8f0_NEAS was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer

Blocklisted process makes network request

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Runs ping.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-07 04:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-07 04:41
Reported: 2024-05-07 04:44
Platform: win7-20240221-en
Max time kernel: 145s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\qckno.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\qckno.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\zodzf\\hrpjlyy.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe N/A
N/A N/A \??\c:\qckno.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 756 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2356 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2356 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2356 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2356 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\qckno.exe
PID 2356 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\qckno.exe
PID 2356 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\qckno.exe
PID 2356 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\qckno.exe
PID 1648 wrote to memory of 2632 N/A \??\c:\qckno.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1648 wrote to memory of 2632 N/A \??\c:\qckno.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1648 wrote to memory of 2632 N/A \??\c:\qckno.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1648 wrote to memory of 2632 N/A \??\c:\qckno.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1648 wrote to memory of 2632 N/A \??\c:\qckno.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1648 wrote to memory of 2632 N/A \??\c:\qckno.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1648 wrote to memory of 2632 N/A \??\c:\qckno.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\qckno.exe "C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\qckno.exe

c:\qckno.exe "C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\zodzf\hrpjlyy.dll",init c:\qckno.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp

Files

memory/756-0-0x0000000000400000-0x0000000000425000-memory.dmp

memory/756-1-0x0000000000320000-0x0000000000321000-memory.dmp

memory/756-3-0x0000000000400000-0x0000000000425000-memory.dmp

\??\c:\qckno.exe

MD5 f1d8a4bb28c5a9bd2d35fc52cc18f05c
SHA1 a9036a53fe85f67853bea72d00fefa22227b52e4
SHA256 cf266154c4c13d36666249231b4035235c344e7b08ecd128f97f06d8e8c372d6
SHA512 f68d7f5312769f3b20696895025eac8a056e80d661cbd215e8a9cde529a37d99f66891e3e0336ea8369b384ea92f24655a7d04552982b6ed816d96cec276c49e

memory/1648-8-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2356-7-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2356-6-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1648-9-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1648-11-0x0000000000400000-0x0000000000425000-memory.dmp

\??\c:\zodzf\hrpjlyy.dll

MD5 36e3fb5964d663272cf1169e1e1ca478
SHA1 58115e08b49505bcbbb5c88a28a86222ba18d5d4
SHA256 c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
SHA512 daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442

memory/2632-17-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2632-18-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2632-19-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2632-20-0x0000000010021000-0x0000000010022000-memory.dmp

memory/2632-21-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2632-22-0x0000000010000000-0x000000001002E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-07 04:41
Reported: 2024-05-07 04:44
Platform: win10v2004-20240419-en
Max time kernel: 147s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\cntfown.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\cntfown.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\pykvujh\\yvfoca.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe N/A
N/A N/A \??\c:\cntfown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\cntfown.exe "C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\cntfown.exe

c:\cntfown.exe "C:\Users\Admin\AppData\Local\Temp\692ce1f8cb6f66d46bf5196bada8e8f0_NEAS.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\pykvujh\yvfoca.dll",init c:\cntfown.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp

Files

memory/3116-0-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3116-1-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/3116-3-0x0000000000400000-0x0000000000425000-memory.dmp

C:\cntfown.exe

MD5 338db61147fb5eb25b1bff03dda3f919
SHA1 a275b42c2f1923c0388df4e4b06efa134beab299
SHA256 a026d87923f616312faf43728146907f1cab658dc1f9ac9b417b6dd59fd163c2
SHA512 624de74e23d4ef0fd67453ffd15470081d4e6b7a37638ee91f7092ea5171305fe2acc30c1849d4da129d280648a60f7be017faa3f5658e8d6dd324fc5aebf8a9

memory/4384-8-0x0000000000A40000-0x0000000000A41000-memory.dmp

memory/4384-7-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4384-10-0x0000000000400000-0x0000000000425000-memory.dmp

\??\c:\pykvujh\yvfoca.dll

MD5 36e3fb5964d663272cf1169e1e1ca478
SHA1 58115e08b49505bcbbb5c88a28a86222ba18d5d4
SHA256 c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
SHA512 daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442

memory/2848-13-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2848-14-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2848-15-0x0000000002880000-0x0000000002980000-memory.dmp

memory/2848-16-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2848-17-0x0000000002880000-0x0000000002980000-memory.dmp