3edb990fd9a987c3bff8e805972c36dffd1bfd37c7f9ea7fdb581a63929e86ec

Analysis

max time kernel
130s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
Size

1.3MB
MD5

4e1f0e6735cbd11f94acfcb339e2cc50
SHA1

17eebf81ac9db26ecd383d7d94264d6036f06b6c
SHA256

3edb990fd9a987c3bff8e805972c36dffd1bfd37c7f9ea7fdb581a63929e86ec
SHA512

d422d7af95195282f39941a585f2a24fa4ec3e1c010e29db5b8ebb5ad0672c0e9c427d29561e09c16e87500e7c1d998573276ba42aa93f64fc1efe48d1c44b22
SSDEEP

24576:EU5HaYmzj2oo7xsAW7+gZEcRVTmUnhI0kZzpU/:Et1XUlstCsEcrmUnmrfA

Score

7^/10

bootkit persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BFA1C7.lnk	BFA1C7.EXE

Executes dropped EXE 1 IoCs

pid	Process
5084	BFA1C7.EXE

Loads dropped DLL 16 IoCs

pid	Process
3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
5084	BFA1C7.EXE
5084	BFA1C7.EXE
5084	BFA1C7.EXE
5084	BFA1C7.EXE
5084	BFA1C7.EXE
5084	BFA1C7.EXE
5084	BFA1C7.EXE
5084	BFA1C7.EXE
5084	BFA1C7.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EBFA1C	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\70B97F\com.run	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\70B97F\spec_a.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\497A92\d170.inf	BFA1C7.EXE
File opened for modification	C:\Windows\SysWOW64\70B97F	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\70B97F\shell.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\EBFA1C\A1C7046D.TXT	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\EBFA1C\A1C7046D.TXT	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\497A92\7fe4.inf	BFA1C7.EXE
File opened for modification	C:\Windows\SysWOW64\70B97F\eAPI.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\70B97F\dp1.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\70B97F\BFA1C7.EXE	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\497A92\7fe4.EDT	BFA1C7.EXE
File created	C:\Windows\SysWOW64\70B97F\cnvpe.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\70B97F\shell.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\70B97F\internet.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\70B97F\dp1.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\70B97F\spec.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\A92EFF	BFA1C7.EXE
File opened for modification	C:\Windows\SysWOW64\497A92\d170.inf	BFA1C7.EXE
File opened for modification	C:\Windows\SysWOW64\497A92\7fe4.inf	BFA1C7.EXE
File opened for modification	C:\Windows\SysWOW64\497A92\7fe4.edt	BFA1C7.EXE
File opened for modification	C:\Windows\SysWOW64\70B97F\cnvpe.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\70B97F\BFA1C7.EXE	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\70B97F\spec.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\70B97F\krnln.fnr	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\70B97F\RegEx.fnr	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\70B97F\com.run	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\70B97F\RegEx.fnr	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\70B97F\krnln.fnr	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File created	C:\Windows\SysWOW64\70B97F\internet.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\497A92	BFA1C7.EXE
File created	C:\Windows\SysWOW64\497A92\7fe4.EDT	BFA1C7.EXE
File created	C:\Windows\SysWOW64\70B97F\eAPI.fne	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	BFA1C7.EXE

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
804	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
5084	BFA1C7.EXE
5084	BFA1C7.EXE
804	explorer.exe
804	explorer.exe
5084	BFA1C7.EXE
5084	BFA1C7.EXE
5084	BFA1C7.EXE
5084	BFA1C7.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 1736	3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	84
PID 3728 wrote to memory of 1736	3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	84
PID 3728 wrote to memory of 1736	3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	84
PID 3728 wrote to memory of 5084	3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	86
PID 3728 wrote to memory of 5084	3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	86
PID 3728 wrote to memory of 5084	3728	4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe	86

C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS
  2⤵
  PID:1736
- C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
  C:\Windows\system32\70B97F\BFA1C7.EXE
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
60KB

MD5
4000b07d11aeff1c80de5be87658acb5

SHA1
d9ed7959112d0e2a7a5a6c0389c09c579325e6a7

SHA256
b8a4247f57edb9c2dc3ba019b76d4714ea774ad7702d4dc285df79eec519a42a

SHA512
0cc5d8cc1c92c51201e7c5bac94a8480e2e39ccc7e9d220f18a17902461f4a7fe3778fdd7ec02cbdc781573d3cf037ff2e525c098df937f3d3fc68eb5aa67578

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
e491914a6a29b084d612ab5d6da39769

SHA1
72698a97d2b48a900867250d70f9162b1335e202

SHA256
8e55908d8e25f01c00fbadc3a6daf55456a54be08b788ecb935ef343674ee5c7

SHA512
2ef0de254d3120e55f034943beb112c8bf7152b687706c5d1f05825f12a6db4db58504def98d1a87fb52ec6f596252d3e54726c3bfa1f746a04a56587a056b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
af80aac4f7df4defa356331a25e02abb

SHA1
548bfffffc6a65068da3594ddcd60c194a842958

SHA256
40c2afb52bee38b2142edad50b7e86f4f703d15ef2c0a9e47331d2aaa72a7ec5

SHA512
993a7367084d53303cc44d9cc634e862d8b208f8c975866672dd6151969cb6790eeda7e2b7655ce36578158977b7c6716d0e0bbb0eb5a4dd1c2156c9ebd7cc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
619c0838afba3c541ef4c5d5a961e2ed

SHA1
e31360f61b2325caf353ccb98d72551a4fb292d7

SHA256
b711bc978fc4dcab8b036b3a55cd78430f9aa97410d3b1931876cb5ffbe338b9

SHA512
0585713921ecabb5f0fcdc9ae783cecedaff1f21dd25b2bbe2800cc03e4393866b7b1ad61608a75ee4c42f9011441c09e97a290bced916413d66094fbdee4087

Download Submit
C:\Windows\SysWOW64\70B97F\BFA1C7.EXE

Filesize
111KB

MD5
de23634ed0fec5944ad8269933cc0c9e

SHA1
154aea94c25b074b4a0c5f513533b5e4b8dfd7e5

SHA256
6f8170ecf7c5a29754dc408168c02bac51bc360705785e90e6ae15369fee7427

SHA512
70132afe87d543015083ddf3f9933b4bf2d5af7aa9f587551c66deda6824e7a59c87c649ee4afe56b3bee2f3096e92b35e6ff2470ffa1cdf52498766ded29fb4

Download Submit
C:\Windows\SysWOW64\70B97F\com.run

Filesize
260KB

MD5
ce2f773275d3fe8b78f4cf067d5e6a0f

SHA1
b7135e34d46eb4303147492d5cee5e1ef7b392ab

SHA256
eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d

SHA512
d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

Download Submit
C:\Windows\SysWOW64\70B97F\eAPI.fne

Filesize
316KB

MD5
ff2640377b1bc22a77948242fa5c9758

SHA1
9bb7638ef6fff6e151535b9d0233a0bfae9161e6

SHA256
d8010265927d6642075a744d1158cb6bc7f45fb33b2574678ce19a25869a7085

SHA512
ed677887163eb05a4430a6b28690e7ca750d41d0718c36f58c038b413288a3930833bc94b6798f5ff4e1e2c2575b73305ee25ff8c07625be4c56ae66484f0eb3

Download Submit
memory/3728-42-0x0000000002410000-0x000000000242E000-memory.dmp

Filesize
120KB

Download
memory/3728-41-0x00000000023F0000-0x0000000002401000-memory.dmp

Filesize
68KB

Download
memory/3728-62-0x0000000002430000-0x0000000002445000-memory.dmp

Filesize
84KB

Download
memory/3728-5-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3728-8-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3728-98-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3728-97-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5084-68-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/5084-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5084-72-0x00000000023B0000-0x00000000023FA000-memory.dmp

Filesize
296KB

Download
memory/5084-94-0x0000000002EF0000-0x0000000002F4E000-memory.dmp

Filesize
376KB

Download
memory/5084-93-0x0000000002DA0000-0x0000000002DBE000-memory.dmp

Filesize
120KB

Download
memory/5084-92-0x0000000002D80000-0x0000000002D91000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads