3edb990fd9a987c3bff8e805972c36dffd1bfd37c7f9ea7fdb581a63929e86ec

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
Size

1.3MB
MD5

4e1f0e6735cbd11f94acfcb339e2cc50
SHA1

17eebf81ac9db26ecd383d7d94264d6036f06b6c
SHA256

3edb990fd9a987c3bff8e805972c36dffd1bfd37c7f9ea7fdb581a63929e86ec
SHA512

d422d7af95195282f39941a585f2a24fa4ec3e1c010e29db5b8ebb5ad0672c0e9c427d29561e09c16e87500e7c1d998573276ba42aa93f64fc1efe48d1c44b22
SSDEEP

24576:EU5HaYmzj2oo7xsAW7+gZEcRVTmUnhI0kZzpU/:Et1XUlstCsEcrmUnmrfA

Score

7^/10

bootkit persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9DB5FA.lnk	9DB5FA.EXE

Executes dropped EXE 1 IoCs

pid	Process
2624	9DB5FA.EXE

Loads dropped DLL 12 IoCs

pid	Process
1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
2624	9DB5FA.EXE
2624	9DB5FA.EXE
2624	9DB5FA.EXE
2624	9DB5FA.EXE
2624	9DB5FA.EXE
2624	9DB5FA.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	\??\PhysicalDrive0	9DB5FA.EXE

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\5CB269	9DB5FA.EXE
File created	C:\Windows\SysWOW64\2CB5CB\d632.EDT	9DB5FA.EXE
File opened for modification	C:\Windows\SysWOW64\2CB5CB\d632.EDT	9DB5FA.EXE
File created	C:\Windows\SysWOW64\B9DB5F\B5FA1562.TXT	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\C8F5D6\RegEx.fnr	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\C8F5D6\spec.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\C8F5D6\RegEx.fnr	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\2CB5CB\2ec8.inf	9DB5FA.EXE
File opened for modification	C:\Windows\SysWOW64\B9DB5F	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\C8F5D6\cnvpe.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\2CB5CB\d632.edt	9DB5FA.EXE
File created	C:\Windows\SysWOW64\2CB5CB\d632.inf	9DB5FA.EXE
File opened for modification	C:\Windows\SysWOW64\C8F5D6\eAPI.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\C8F5D6\com.run	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\C8F5D6\spec.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\2CB5CB	9DB5FA.EXE
File opened for modification	C:\Windows\SysWOW64\2CB5CB\d632.inf	9DB5FA.EXE
File created	C:\Windows\SysWOW64\C8F5D6\dp1.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\C8F5D6\dp1.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\C8F5D6\krnln.fnr	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\C8F5D6\com.run	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\C8F5D6\internet.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\C8F5D6\spec_a.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\C8F5D6	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\C8F5D6\shell.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\2CB5CB\2ec8.inf	9DB5FA.EXE
File opened for modification	C:\Windows\SysWOW64\C8F5D6\krnln.fnr	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\B9DB5F\B5FA1562.TXT	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\C8F5D6\cnvpe.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\C8F5D6\eAPI.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\C8F5D6\shell.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\C8F5D6\internet.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TypedURLs	9DB5FA.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	9DB5FA.EXE

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
2624	9DB5FA.EXE
2624	9DB5FA.EXE
2624	9DB5FA.EXE
2624	9DB5FA.EXE
2624	9DB5FA.EXE
2624	9DB5FA.EXE
2768	explorer.exe
2768	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2888	1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	28
PID 1744 wrote to memory of 2888	1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	28
PID 1744 wrote to memory of 2888	1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	28
PID 1744 wrote to memory of 2888	1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	28
PID 1744 wrote to memory of 2624	1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	30
PID 1744 wrote to memory of 2624	1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	30
PID 1744 wrote to memory of 2624	1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	30
PID 1744 wrote to memory of 2624	1744	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	30

C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS
  2⤵
  PID:2888
- C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE
  C:\Windows\system32\C8F5D6\9DB5FA.EXE
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\C8F5D6\cnvpe.fne

Filesize
60KB

MD5
4000b07d11aeff1c80de5be87658acb5

SHA1
d9ed7959112d0e2a7a5a6c0389c09c579325e6a7

SHA256
b8a4247f57edb9c2dc3ba019b76d4714ea774ad7702d4dc285df79eec519a42a

SHA512
0cc5d8cc1c92c51201e7c5bac94a8480e2e39ccc7e9d220f18a17902461f4a7fe3778fdd7ec02cbdc781573d3cf037ff2e525c098df937f3d3fc68eb5aa67578

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
e491914a6a29b084d612ab5d6da39769

SHA1
72698a97d2b48a900867250d70f9162b1335e202

SHA256
8e55908d8e25f01c00fbadc3a6daf55456a54be08b788ecb935ef343674ee5c7

SHA512
2ef0de254d3120e55f034943beb112c8bf7152b687706c5d1f05825f12a6db4db58504def98d1a87fb52ec6f596252d3e54726c3bfa1f746a04a56587a056b18

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
af80aac4f7df4defa356331a25e02abb

SHA1
548bfffffc6a65068da3594ddcd60c194a842958

SHA256
40c2afb52bee38b2142edad50b7e86f4f703d15ef2c0a9e47331d2aaa72a7ec5

SHA512
993a7367084d53303cc44d9cc634e862d8b208f8c975866672dd6151969cb6790eeda7e2b7655ce36578158977b7c6716d0e0bbb0eb5a4dd1c2156c9ebd7cc3b

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
619c0838afba3c541ef4c5d5a961e2ed

SHA1
e31360f61b2325caf353ccb98d72551a4fb292d7

SHA256
b711bc978fc4dcab8b036b3a55cd78430f9aa97410d3b1931876cb5ffbe338b9

SHA512
0585713921ecabb5f0fcdc9ae783cecedaff1f21dd25b2bbe2800cc03e4393866b7b1ad61608a75ee4c42f9011441c09e97a290bced916413d66094fbdee4087

Download Submit
\Windows\SysWOW64\C8F5D6\9DB5FA.EXE

Filesize
111KB

MD5
de23634ed0fec5944ad8269933cc0c9e

SHA1
154aea94c25b074b4a0c5f513533b5e4b8dfd7e5

SHA256
6f8170ecf7c5a29754dc408168c02bac51bc360705785e90e6ae15369fee7427

SHA512
70132afe87d543015083ddf3f9933b4bf2d5af7aa9f587551c66deda6824e7a59c87c649ee4afe56b3bee2f3096e92b35e6ff2470ffa1cdf52498766ded29fb4

Download Submit
\Windows\SysWOW64\C8F5D6\com.run

Filesize
260KB

MD5
ce2f773275d3fe8b78f4cf067d5e6a0f

SHA1
b7135e34d46eb4303147492d5cee5e1ef7b392ab

SHA256
eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d

SHA512
d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

Download Submit
\Windows\SysWOW64\C8F5D6\eAPI.fne

Filesize
316KB

MD5
ff2640377b1bc22a77948242fa5c9758

SHA1
9bb7638ef6fff6e151535b9d0233a0bfae9161e6

SHA256
d8010265927d6642075a744d1158cb6bc7f45fb33b2574678ce19a25869a7085

SHA512
ed677887163eb05a4430a6b28690e7ca750d41d0718c36f58c038b413288a3930833bc94b6798f5ff4e1e2c2575b73305ee25ff8c07625be4c56ae66484f0eb3

Download Submit
memory/1744-8-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1744-5-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1744-47-0x0000000000500000-0x0000000000515000-memory.dmp

Filesize
84KB

Download
memory/1744-11-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/1744-50-0x0000000000520000-0x000000000053F000-memory.dmp

Filesize
124KB

Download
memory/1744-82-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1744-83-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1744-30-0x0000000000250000-0x000000000026E000-memory.dmp

Filesize
120KB

Download
memory/2624-72-0x0000000000530000-0x000000000054E000-memory.dmp

Filesize
120KB

Download
memory/2624-62-0x00000000001C0000-0x000000000020A000-memory.dmp

Filesize
296KB

Download
memory/2624-81-0x0000000001CB0000-0x0000000001D0E000-memory.dmp

Filesize
376KB

Download
memory/2624-59-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2624-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-68-0x0000000000510000-0x0000000000521000-memory.dmp

Filesize
68KB

Download
memory/2624-86-0x0000000001EE0000-0x0000000001EF0000-memory.dmp

Filesize
64KB

Download
memory/2768-46-0x0000000003D10000-0x0000000003D20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads