Malware Analysis Report

2025-08-10 18:07

Sample ID: 240507-m34qtafg37
Target: 4e1f0e6735cbd11f94acfcb339e2cc50_NEAS
SHA256: 3edb990fd9a987c3bff8e805972c36dffd1bfd37c7f9ea7fdb581a63929e86ec
Tags: bootkit persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 3edb990fd9a987c3bff8e805972c36dffd1bfd37c7f9ea7fdb581a63929e86ec

Threat Level: Shows suspicious behavior

The file 4e1f0e6735cbd11f94acfcb339e2cc50_NEAS was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Drops startup file

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-07 11:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-07 11:00
Reported: 2024-05-07 11:02
Platform: win10v2004-20240419-en
Max time kernel: 130s
Max time network: 99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BFA1C7.lnk | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\EBFA1C | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\70B97F\com.run | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\70B97F\spec_a.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\497A92\d170.inf | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\70B97F | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\70B97F\shell.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\EBFA1C\A1C7046D.TXT | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\EBFA1C\A1C7046D.TXT | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\497A92\7fe4.inf | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\70B97F\eAPI.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\70B97F\dp1.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\497A92\7fe4.EDT | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A
File created | C:\Windows\SysWOW64\70B97F\cnvpe.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\70B97F\shell.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\70B97F\internet.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\70B97F\dp1.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\70B97F\spec.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\A92EFF | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\497A92\d170.inf | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\497A92\7fe4.inf | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\497A92\7fe4.edt | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\70B97F\cnvpe.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\70B97F\spec.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\70B97F\krnln.fnr | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\70B97F\RegEx.fnr | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\70B97F\com.run | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\70B97F\RegEx.fnr | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\70B97F\krnln.fnr | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\70B97F\internet.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\497A92 | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A
File created | C:\Windows\SysWOW64\497A92\7fe4.EDT | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A
File created | C:\Windows\SysWOW64\70B97F\eAPI.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs | C:\Windows\SysWOW64\70B97F\BFA1C7.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\explorer.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe"

Image: C:\Windows\SysWOW64\explorer.exe
Command line: explorer C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS

Image: C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

Image: C:\Windows\SysWOW64\70B97F\BFA1C7.EXE
Command line: C:\Windows\system32\70B97F\BFA1C7.EXE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.129:443 | www.bing.com | tcp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/3728-5-0x0000000000400000-0x0000000000473000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

MD5 af80aac4f7df4defa356331a25e02abb
SHA1 548bfffffc6a65068da3594ddcd60c194a842958
SHA256 40c2afb52bee38b2142edad50b7e86f4f703d15ef2c0a9e47331d2aaa72a7ec5
SHA512 993a7367084d53303cc44d9cc634e862d8b208f8c975866672dd6151969cb6790eeda7e2b7655ce36578158977b7c6716d0e0bbb0eb5a4dd1c2156c9ebd7cc3b

memory/3728-8-0x0000000010000000-0x000000001011D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

MD5 619c0838afba3c541ef4c5d5a961e2ed
SHA1 e31360f61b2325caf353ccb98d72551a4fb292d7
SHA256 b711bc978fc4dcab8b036b3a55cd78430f9aa97410d3b1931876cb5ffbe338b9
SHA512 0585713921ecabb5f0fcdc9ae783cecedaff1f21dd25b2bbe2800cc03e4393866b7b1ad61608a75ee4c42f9011441c09e97a290bced916413d66094fbdee4087

C:\Windows\SysWOW64\70B97F\eAPI.fne

MD5 ff2640377b1bc22a77948242fa5c9758
SHA1 9bb7638ef6fff6e151535b9d0233a0bfae9161e6
SHA256 d8010265927d6642075a744d1158cb6bc7f45fb33b2574678ce19a25869a7085
SHA512 ed677887163eb05a4430a6b28690e7ca750d41d0718c36f58c038b413288a3930833bc94b6798f5ff4e1e2c2575b73305ee25ff8c07625be4c56ae66484f0eb3

memory/3728-42-0x0000000002410000-0x000000000242E000-memory.dmp

memory/3728-41-0x00000000023F0000-0x0000000002401000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

MD5 e491914a6a29b084d612ab5d6da39769
SHA1 72698a97d2b48a900867250d70f9162b1335e202
SHA256 8e55908d8e25f01c00fbadc3a6daf55456a54be08b788ecb935ef343674ee5c7
SHA512 2ef0de254d3120e55f034943beb112c8bf7152b687706c5d1f05825f12a6db4db58504def98d1a87fb52ec6f596252d3e54726c3bfa1f746a04a56587a056b18

C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

MD5 4000b07d11aeff1c80de5be87658acb5
SHA1 d9ed7959112d0e2a7a5a6c0389c09c579325e6a7
SHA256 b8a4247f57edb9c2dc3ba019b76d4714ea774ad7702d4dc285df79eec519a42a
SHA512 0cc5d8cc1c92c51201e7c5bac94a8480e2e39ccc7e9d220f18a17902461f4a7fe3778fdd7ec02cbdc781573d3cf037ff2e525c098df937f3d3fc68eb5aa67578

memory/3728-62-0x0000000002430000-0x0000000002445000-memory.dmp

C:\Windows\SysWOW64\70B97F\BFA1C7.EXE

MD5 de23634ed0fec5944ad8269933cc0c9e
SHA1 154aea94c25b074b4a0c5f513533b5e4b8dfd7e5
SHA256 6f8170ecf7c5a29754dc408168c02bac51bc360705785e90e6ae15369fee7427
SHA512 70132afe87d543015083ddf3f9933b4bf2d5af7aa9f587551c66deda6824e7a59c87c649ee4afe56b3bee2f3096e92b35e6ff2470ffa1cdf52498766ded29fb4

memory/5084-68-0x0000000010000000-0x000000001011D000-memory.dmp

memory/5084-67-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\SysWOW64\70B97F\com.run

MD5 ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1 b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256 eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512 d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

memory/5084-72-0x00000000023B0000-0x00000000023FA000-memory.dmp

memory/5084-94-0x0000000002EF0000-0x0000000002F4E000-memory.dmp

memory/5084-93-0x0000000002DA0000-0x0000000002DBE000-memory.dmp

memory/5084-92-0x0000000002D80000-0x0000000002D91000-memory.dmp

memory/3728-98-0x0000000010000000-0x000000001011D000-memory.dmp

memory/3728-97-0x0000000000400000-0x0000000000473000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-07 11:00
Reported: 2024-05-07 11:02
Platform: win7-20240220-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9DB5FA.lnk | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\5CB269 | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A
File created | C:\Windows\SysWOW64\2CB5CB\d632.EDT | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\2CB5CB\d632.EDT | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A
File created | C:\Windows\SysWOW64\B9DB5F\B5FA1562.TXT | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\C8F5D6\RegEx.fnr | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\C8F5D6\spec.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C8F5D6\RegEx.fnr | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\2CB5CB\2ec8.inf | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\B9DB5F | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C8F5D6\cnvpe.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\2CB5CB\d632.edt | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A
File created | C:\Windows\SysWOW64\2CB5CB\d632.inf | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\C8F5D6\eAPI.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C8F5D6\com.run | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C8F5D6\spec.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\2CB5CB | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\2CB5CB\d632.inf | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A
File created | C:\Windows\SysWOW64\C8F5D6\dp1.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C8F5D6\dp1.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\C8F5D6\krnln.fnr | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\C8F5D6\com.run | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\C8F5D6\internet.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\C8F5D6\spec_a.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C8F5D6 | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\C8F5D6\shell.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\2CB5CB\2ec8.inf | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\C8F5D6\krnln.fnr | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\B9DB5F\B5FA1562.TXT | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\C8F5D6\cnvpe.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File created | C:\Windows\SysWOW64\C8F5D6\eAPI.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C8F5D6\shell.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A
File opened for modification | C:\Windows\SysWOW64\C8F5D6\internet.fne | C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Windows\explorer.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000 | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS.exe"

Image: C:\Windows\SysWOW64\explorer.exe
Command line: explorer C:\Users\Admin\AppData\Local\Temp\4e1f0e6735cbd11f94acfcb339e2cc50_NEAS

Image: C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

Image: C:\Windows\SysWOW64\C8F5D6\9DB5FA.EXE
Command line: C:\Windows\system32\C8F5D6\9DB5FA.EXE

Network

N/A

Files

memory/1744-5-0x0000000000400000-0x0000000000473000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

MD5 af80aac4f7df4defa356331a25e02abb
SHA1 548bfffffc6a65068da3594ddcd60c194a842958
SHA256 40c2afb52bee38b2142edad50b7e86f4f703d15ef2c0a9e47331d2aaa72a7ec5
SHA512 993a7367084d53303cc44d9cc634e862d8b208f8c975866672dd6151969cb6790eeda7e2b7655ce36578158977b7c6716d0e0bbb0eb5a4dd1c2156c9ebd7cc3b

memory/1744-8-0x0000000010000000-0x000000001011D000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

MD5 619c0838afba3c541ef4c5d5a961e2ed
SHA1 e31360f61b2325caf353ccb98d72551a4fb292d7
SHA256 b711bc978fc4dcab8b036b3a55cd78430f9aa97410d3b1931876cb5ffbe338b9
SHA512 0585713921ecabb5f0fcdc9ae783cecedaff1f21dd25b2bbe2800cc03e4393866b7b1ad61608a75ee4c42f9011441c09e97a290bced916413d66094fbdee4087

\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

MD5 e491914a6a29b084d612ab5d6da39769
SHA1 72698a97d2b48a900867250d70f9162b1335e202
SHA256 8e55908d8e25f01c00fbadc3a6daf55456a54be08b788ecb935ef343674ee5c7
SHA512 2ef0de254d3120e55f034943beb112c8bf7152b687706c5d1f05825f12a6db4db58504def98d1a87fb52ec6f596252d3e54726c3bfa1f746a04a56587a056b18

memory/1744-11-0x0000000000220000-0x0000000000231000-memory.dmp

C:\Windows\SysWOW64\C8F5D6\cnvpe.fne

MD5 4000b07d11aeff1c80de5be87658acb5
SHA1 d9ed7959112d0e2a7a5a6c0389c09c579325e6a7
SHA256 b8a4247f57edb9c2dc3ba019b76d4714ea774ad7702d4dc285df79eec519a42a
SHA512 0cc5d8cc1c92c51201e7c5bac94a8480e2e39ccc7e9d220f18a17902461f4a7fe3778fdd7ec02cbdc781573d3cf037ff2e525c098df937f3d3fc68eb5aa67578

memory/1744-30-0x0000000000250000-0x000000000026E000-memory.dmp

memory/2768-46-0x0000000003D10000-0x0000000003D20000-memory.dmp

memory/1744-47-0x0000000000500000-0x0000000000515000-memory.dmp

\Windows\SysWOW64\C8F5D6\9DB5FA.EXE

MD5 de23634ed0fec5944ad8269933cc0c9e
SHA1 154aea94c25b074b4a0c5f513533b5e4b8dfd7e5
SHA256 6f8170ecf7c5a29754dc408168c02bac51bc360705785e90e6ae15369fee7427
SHA512 70132afe87d543015083ddf3f9933b4bf2d5af7aa9f587551c66deda6824e7a59c87c649ee4afe56b3bee2f3096e92b35e6ff2470ffa1cdf52498766ded29fb4

memory/1744-50-0x0000000000520000-0x000000000053F000-memory.dmp

memory/2624-56-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2624-59-0x0000000010000000-0x000000001011D000-memory.dmp

memory/2624-62-0x00000000001C0000-0x000000000020A000-memory.dmp

\Windows\SysWOW64\C8F5D6\com.run

MD5 ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1 b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256 eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512 d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

memory/2624-72-0x0000000000530000-0x000000000054E000-memory.dmp

memory/2624-81-0x0000000001CB0000-0x0000000001D0E000-memory.dmp

\Windows\SysWOW64\C8F5D6\eAPI.fne

MD5 ff2640377b1bc22a77948242fa5c9758
SHA1 9bb7638ef6fff6e151535b9d0233a0bfae9161e6
SHA256 d8010265927d6642075a744d1158cb6bc7f45fb33b2574678ce19a25869a7085
SHA512 ed677887163eb05a4430a6b28690e7ca750d41d0718c36f58c038b413288a3930833bc94b6798f5ff4e1e2c2575b73305ee25ff8c07625be4c56ae66484f0eb3

memory/1744-83-0x0000000010000000-0x000000001011D000-memory.dmp

memory/1744-82-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2624-68-0x0000000000510000-0x0000000000521000-memory.dmp

memory/2624-86-0x0000000001EE0000-0x0000000001EF0000-memory.dmp