Analysis
- max time kernel: 1s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/08/2024, 16:02
Static task
- static1

Behavioral tasks
- behavioral1: NeonWare Free Spoofer/Apple.exe (resource: win7-20240705-en)
- behavioral2: NeonWare Free Spoofer/Apple.exe (resource: win10v2004-20240802-en)
- behavioral3: NeonWare Free Spoofer/Trace Cleaner.bat (resource: win7-20240705-en)
- behavioral4: NeonWare Free Spoofer/Trace Cleaner.bat (resource: win10v2004-20240802-en)
- behavioral5: NeonWare Free Spoofer/alternate mac spoof.bat (resource: win7-20240704-en)
- behavioral6: NeonWare Free Spoofer/alternate mac spoof.bat (resource: win10v2004-20240802-en)
- behavioral7: NeonWare Free Spoofer/deep traces.bat (resource: win7-20240705-en)
- behavioral8: NeonWare Free Spoofer/deep traces.bat (resource: win10v2004-20240802-en)
- behavioral9: NeonWare Free Spoofer/dr.sys (resource: win10v2004-20240802-en)
- behavioral10: NeonWare Free Spoofer/map (2).exe (resource: win7-20240704-en)
- behavioral11: NeonWare Free Spoofer/map (2).exe (resource: win10v2004-20240802-en)
General
- Target: NeonWare Free Spoofer/alternate mac spoof.bat
- Size: 2KB
- MD5: cdaa7941a4356bfe23adf6c65ed7b8b1
- SHA1: 0e47e8022e4cece737fea016f13e5ef4cbc9abfc
- SHA256: f1c330aa968765df064f743f8a2501c9a00ec262ee696d5a4d0cbd2e8035b1f2
- SHA512: f17a8bea6372c3dfbdf85846ab62f39881e0971ff4406e2fdf9d9450ff8421a327e337626b2b0a9096cb1156e426860de77f212798400878f3efe166adb27fea
Malware Config
Signatures
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Windows\system32\cmd.exe (PID 4584)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NeonWare Free Spoofer\alternate mac spoof.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1044)
    Command line: C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 4396)
      Command line: wmic nic where physicaladapter=true get deviceid
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\findstr.exe (PID 4848)
      Command line: findstr [0-9]
  - C:\Windows\system32\reg.exe (PID 732)
    Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  - C:\Windows\system32\reg.exe (PID 1132)
    Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  - C:\Windows\system32\reg.exe (PID 2668)
    Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  - C:\Windows\system32\reg.exe (PID 1336)
    Command line: REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 52754EC17593 /f
  - C:\Windows\system32\cmd.exe (PID 4628)
    Command line: C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2264)
      Command line: wmic nic where physicaladapter=true get deviceid
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\findstr.exe (PID 560)
      Command line: findstr [0-9]
  - C:\Windows\system32\reg.exe (PID 4572)
    Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  - C:\Windows\system32\reg.exe (PID 3028)
    Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  - C:\Windows\system32\reg.exe (PID 5116)
    Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  - C:\Windows\system32\reg.exe (PID 3540)
    Command line: REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
  - C:\Windows\system32\cmd.exe (PID 3592)
    Command line: C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1948)
      Command line: wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
  - C:\Windows\system32\netsh.exe (PID 3080)
    Command line: netsh interface set interface name="Ethernet" disable
    Signatures: Event Triggered Execution: Netsh Helper DLL
- C:\Windows\System32\svchost.exe (PID 4120)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman