Malware Analysis Report

2025-08-10 18:07

Sample ID 240507-l5bx5seb77
Target 36b05b5575e0b5cf3ad1e5fc378175f0_NEAS
SHA256 7e6a71d4114f88e1d601f7218de07176c2d79c6aef24996d0d9b24f012e39e43
Tags: bootkit, discovery, persistence
Score: 6/10


Analysis Overview

Score: 6/10
SHA256: 7e6a71d4114f88e1d601f7218de07176c2d79c6aef24996d0d9b24f012e39e43

Threat Level: Shows suspicious behavior

The file 36b05b5575e0b5cf3ad1e5fc378175f0_NEAS was found to show suspicious behavior.

Malicious Activity Summary

Tags: bootkit, discovery, persistence

Checks installed software on the system

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-07 10:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-07 10:06
Reported: 2024-05-07 10:09
Platform: win7-20240220-en
Max time kernel: 121s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe"

Signatures

Checks installed software on the system

Tags: discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe"

Network

N/A

Files

memory/2360-0-0x0000000000400000-0x0000000000FBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\User Data\Setting.set

MD5 795c0ee5e9bdb35d6844f7898aaf75d2
SHA1 5609d819c7755020f10bd896590e16118ce92b02
SHA256 f9c70ebbc12852743b08d71afde13c5bc1fa18469212b184468345645880dc73
SHA512 ced8ba28a76fc904918965c0fa85ef9c05fa4958624418a7292f5baba7e6f24d891937f7e9b2d990d61172f40a4eae0149fe08bf2281ae453fe0f53ac213d899

C:\Users\Admin\AppData\Local\Temp\User Data\Setting.set

MD5 ca1fb4add2d3d0ff77cc28b4ff2fe8a6
SHA1 9f7643fcb09a3b3e9ae4b6765f1e6d17cd6b3c3b
SHA256 2fd0513a15986296cc9e60d963e613050eecf7ddb6e3751c44beb20b793ff0e9
SHA512 87679923e00ec41bf132718f9f32cd7e2103374bb2711468765ffeedcbadbfecf61021d1657578998fa010bee6be4f7579bfa36fda7aae3824ea8cabc621c549

C:\Users\Admin\AppData\Local\Temp\User Data\Setting.set

MD5 c4daf67eabec4e1d9dbebb9588f06344
SHA1 48dee881f6504dac4ad6cc59c00f8c788b30e9f7
SHA256 60b229bca26f8bf70d1347e0e9a450e0a991dcc9051cb8496dfde682c20d23a5
SHA512 dc28eafd2ca9bb6d817d992df80d6ed74fb31567f361c4323d1d39dfcd864d7155397238a357c79372d64df175113cca0f6597f5492fc7b5b0cba04ffb7734f4

C:\Users\Admin\AppData\Local\Temp\User Data\Setting.set

MD5 558a629bad5b8c71d8bd79fade034794
SHA1 ad6153864f775b04cea448e657bcae1331249b44
SHA256 fb14e7665c13ecf1de00cf2b5464d3aa005fecca9d382ffb11f975ebb27faa70
SHA512 ffbf0bdf792c7dfca67ebe3422d3d386db72e8de25502d56080c7e072b520df0adddc826a0fcd83496a0316a55a1dac814a582917b888168ddbf88e862318963

memory/2360-75-0x00000000057D0000-0x00000000057D1000-memory.dmp

memory/2360-74-0x00000000057C0000-0x00000000057C1000-memory.dmp

memory/2360-73-0x00000000057B0000-0x00000000057B1000-memory.dmp

memory/2360-72-0x00000000057A0000-0x00000000057A1000-memory.dmp

memory/2360-71-0x0000000005780000-0x0000000005781000-memory.dmp

memory/2360-70-0x0000000005770000-0x0000000005771000-memory.dmp

memory/2360-80-0x00000000057F0000-0x00000000057F1000-memory.dmp

memory/2360-79-0x00000000057E0000-0x00000000057E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-07 10:06
Reported: 2024-05-07 10:09
Platform: win10v2004-20240419-en
Max time kernel: 138s
Max time network: 107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe"

Signatures

Checks installed software on the system

Tags: discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\36b05b5575e0b5cf3ad1e5fc378175f0_NEAS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
GB | 23.73.138.8:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 8.138.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/780-0-0x0000000000400000-0x0000000000FBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\User Data\Setting.set

MD5 795c0ee5e9bdb35d6844f7898aaf75d2
SHA1 5609d819c7755020f10bd896590e16118ce92b02
SHA256 f9c70ebbc12852743b08d71afde13c5bc1fa18469212b184468345645880dc73
SHA512 ced8ba28a76fc904918965c0fa85ef9c05fa4958624418a7292f5baba7e6f24d891937f7e9b2d990d61172f40a4eae0149fe08bf2281ae453fe0f53ac213d899

C:\Users\Admin\AppData\Local\Temp\User Data\Setting.set

MD5 ca1fb4add2d3d0ff77cc28b4ff2fe8a6
SHA1 9f7643fcb09a3b3e9ae4b6765f1e6d17cd6b3c3b
SHA256 2fd0513a15986296cc9e60d963e613050eecf7ddb6e3751c44beb20b793ff0e9
SHA512 87679923e00ec41bf132718f9f32cd7e2103374bb2711468765ffeedcbadbfecf61021d1657578998fa010bee6be4f7579bfa36fda7aae3824ea8cabc621c549

C:\Users\Admin\AppData\Local\Temp\User Data\Setting.set

MD5 c4daf67eabec4e1d9dbebb9588f06344
SHA1 48dee881f6504dac4ad6cc59c00f8c788b30e9f7
SHA256 60b229bca26f8bf70d1347e0e9a450e0a991dcc9051cb8496dfde682c20d23a5
SHA512 dc28eafd2ca9bb6d817d992df80d6ed74fb31567f361c4323d1d39dfcd864d7155397238a357c79372d64df175113cca0f6597f5492fc7b5b0cba04ffb7734f4

C:\Users\Admin\AppData\Local\Temp\User Data\Setting.set

MD5 e61130e6ba12983fa6165e6f2d462587
SHA1 7eedb63e800c0404e2b3a10bbda67b0db8f79484
SHA256 32b8f12bf5872d1abf76635f4a24ad57615b589b31d3cd360070402116b218d4
SHA512 e6f7f8889ddba658a6c3c657eb4f6b04a68a817ab078d71ee912ac87c2c84403c03040b7233b8d8a32bad2fbc0504a2a126ce94f636ced6f459285202b9fb276

memory/780-71-0x0000000005C50000-0x0000000005C51000-memory.dmp

memory/780-70-0x0000000005C30000-0x0000000005C31000-memory.dmp

memory/780-75-0x0000000005C90000-0x0000000005C91000-memory.dmp

memory/780-77-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

memory/780-76-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

memory/780-74-0x0000000005C80000-0x0000000005C81000-memory.dmp

memory/780-73-0x0000000005C70000-0x0000000005C71000-memory.dmp

memory/780-72-0x0000000005C60000-0x0000000005C61000-memory.dmp