Analysis

Max time kernel: 119s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 06-05-2024 17:29
Behavioral task: behavioral1
Sample: installer_NEAS.exe
Resource: win7-20240221-en
General

Target: installer_NEAS.exe
Size: 2.7MB
MD5: c29c49f54236b95c5f6228af66c651c5
SHA1: 92c2a13c39757b0b656b44e0d1bc55e98ed5cc00
SHA256: 0218dd62759681af9aa77bfbd8f43af8de695b7426bb74aecdcd9f25ee53f3da
SHA512: 4fd926d42951e3e29a9d7a78b787567d86a5ae01a5bdcbf56058dc61a86d71d6b7bf4254a6136e9844cf2530f1a9bb5f645b40e804cc1cc2602d89bf193a505d
SSDEEP: 49152:P9eUwdL4wRqh7YqAVpymthcNRhuvo5NMAN7q4HmfT5RhJRr0UUK81Ezw6HdPd5ik:85zgSt+svYNMAN7jOhJRDrwId
Malware Config

Extracted family: cryptbot
Extracted C2 domains: oct3m.top, oct3e.top
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  installer_NEAS.exe: key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  installer_NEAS.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  installer_NEAS.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Deletes itself (1 IoC)
  cmd.exe (PID 2012)

Themida packer (YARA rule "themida", 7 IoCs)
  All seven hits are snapshots of the same region of PID 808, 0x0000000001370000-0x0000000001A6E000:
  behavioral1/memory/808-0-0x0000000001370000-0x0000000001A6E000-memory.dmp
  behavioral1/memory/808-2-0x0000000001370000-0x0000000001A6E000-memory.dmp
  behavioral1/memory/808-3-0x0000000001370000-0x0000000001A6E000-memory.dmp
  behavioral1/memory/808-4-0x0000000001370000-0x0000000001A6E000-memory.dmp
  behavioral1/memory/808-5-0x0000000001370000-0x0000000001A6E000-memory.dmp
  behavioral1/memory/808-6-0x0000000001370000-0x0000000001A6E000-memory.dmp
  behavioral1/memory/808-7-0x0000000001370000-0x0000000001A6E000-memory.dmp

Checks whether UAC is enabled (1 IoC)
  installer_NEAS.exe: key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  installer_NEAS.exe (PID 808)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  installer_NEAS.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  installer_NEAS.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Delays execution with timeout.exe (1 IoC)
  timeout.exe (PID 2532)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  installer_NEAS.exe (PID 808)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 808 installer_NEAS.exe wrote to memory of PID 2012 cmd.exe (4 events)
  PID 2012 cmd.exe wrote to memory of PID 2532 timeout.exe (4 events)
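The registry signatures above (VirtualBox ACPI table, BIOS strings, processor strings, EnableLUA) are individually weak: installers and inventory agents read BIOS and CPU strings too. What makes them useful is correlating several categories per process. The script below is an added example, not code from the Triage report or from CryptBot. It normalises key paths from both the native \REGISTRY\MACHINE spelling used in the report and the HKEY_LOCAL_MACHINE spelling Sysmon emits, classifies each read, and flags a process on multiple categories. It goes slightly beyond the report by also matching the FADT and RSDT VBOX__ tables, which VirtualBox exposes alongside DSDT. The event records are constructed to mirror the report; the field names and the threshold are assumptions.

```python
"""Classify registry reads into anti-analysis fingerprint categories.

Added example (not code from the Triage report or from CryptBot). The event
records are constructed by hand to mirror the keys in the Signatures section;
the record fields (pid, image, op, key) and the category threshold are
assumptions, not a real Sysmon or Triage schema.
"""
import re
from collections import defaultdict

# One rule per report signature, run against the normalised HKLM\... path.
# The VirtualBox rule also covers the FADT and RSDT tables, which carry the
# same VBOX__ marker (a generalisation of the DSDT key seen in the report).
FINGERPRINT_RULES = {
    "virtualbox_acpi": r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    "bios_version":    r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$",
    "cpu_info":        r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(\\ProcessorNameString)?$",
    "uac_enabled":     r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$",
}


def normalize_key(key: str) -> str:
    """Map the native object-manager spelling (\\REGISTRY\\MACHINE\\...) and the
    Win32 spelling (HKEY_LOCAL_MACHINE\\...) onto one HKLM\\... form so a single
    rule matches both sandbox traces and Sysmon Event ID 12/13 records."""
    k = key.strip()
    for prefix in (r"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE", "HKLM"):
        if k.upper().startswith(prefix.upper()):
            return "HKLM" + k[len(prefix):]
    return k


def classify(key: str):
    """Return the fingerprint category for a key path, or None if not a fingerprint key."""
    nk = normalize_key(key)
    for category, pattern in FINGERPRINT_RULES.items():
        if re.search(pattern, nk, re.IGNORECASE):
            return category
    return None


def collect_hits(events):
    """Group matching keys by (pid, image) and category.

    Returns {(pid, image): {category: [normalised keys]}}; processes that
    touched no fingerprint key are absent from the result."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        category = classify(ev["key"])
        if category:
            hits[(ev["pid"], ev["image"])][category].append(normalize_key(ev["key"]))
    return {proc: dict(cats) for proc, cats in hits.items()}


def flagged(events, min_categories=2):
    """Return [(pid, image, sorted categories)] for processes worth a look.

    A process is flagged when it hits at least min_categories distinct
    categories, or when it probes the VBOX__ ACPI table at all, since that
    key has no legitimate reason to be opened. The threshold is an assumption."""
    out = []
    for (pid, image), cats in collect_hits(events).items():
        if len(cats) >= min_categories or "virtualbox_acpi" in cats:
            out.append((pid, image, sorted(cats)))
    return out


# Constructed trace mirroring the report, plus one benign explorer.exe read.
SAMPLE_EVENTS = [
    {"pid": 808, "image": "installer_NEAS.exe", "op": "key_opened",
     "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 808, "image": "installer_NEAS.exe", "op": "value_queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 808, "image": "installer_NEAS.exe", "op": "value_queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 808, "image": "installer_NEAS.exe", "op": "value_queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 808, "image": "installer_NEAS.exe", "op": "key_opened",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
    {"pid": 808, "image": "installer_NEAS.exe", "op": "value_queried",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    # constructed benign noise: not a fingerprint key, must not be reported
    {"pid": 1444, "image": "explorer.exe", "op": "value_queried",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for pid, image, cats in flagged(SAMPLE_EVENTS):
        print(f"PID {pid} {image}: {', '.join(cats)}")
```

Feed it Sysmon Event ID 12/13 `TargetObject` values and the same rules apply unchanged; the only adjustment for a production rule is the threshold, which should be tuned against the installers and agents that legitimately read BIOS and CPU strings in your environment.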
Processes

1. C:\Users\Admin\AppData\Local\Temp\installer_NEAS.exe (PID 808)
   Command line: "C:\Users\Admin\AppData\Local\Temp\installer_NEAS.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 2012, child of 808)
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\DPOLdGavsSdAE & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\installer_NEAS.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe (PID 2532, child of 2012)
         Command line: timeout 4
         - Delays execution with timeout.exe

Note that the command line names system32\cmd.exe while the image that actually ran is SysWOW64\cmd.exe: the sample is a 32-bit process (resource tag arch:x86) on an x64 image, so WoW64 file-system redirection substituted the 32-bit binaries. Match on the image path, not the command-line path, when writing rules for this chain. The chain itself is a standard self-removal pattern: remove the working directory, wait four seconds so the parent can exit and release its file lock, then delete the parent's own executable.
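The "Deletes itself" verdict comes from the cmd.exe command line above, not from a file event on installer_NEAS.exe, so a detection has to parse that line and compare the del target against the parent's image. The following is an added example, not code from the Triage report or from CryptBot: it strips the cmd.exe /c prefix, splits the chain on unquoted separators, parses rd/timeout/del, and flags a record when a deleted path equals the parent image. It generalises a little beyond what the report shows (rmdir/erase spellings, "timeout /t N" and "ping -n N" delays). The first sample record copies the command line and parent image from the process tree; the second is a constructed benign clean-up step; field names are assumptions.

```python
"""Recognise the 'rd /s /q <dir> & timeout N & del /f /q <own image>' self-deletion
chain from the process tree.

Added example (not code from the Triage report or from CryptBot). The first
record in SAMPLE_RECORDS mirrors the report's PID 2012 cmd.exe; the second is
a made-up benign build clean-up. Field names are assumptions, not a real
Sysmon schema.
"""
import re

_CMD_PREFIX = re.compile(
    r'^\s*(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+/[ck]\s+(.*)$', re.I | re.S)


def strip_cmd_prefix(cmdline):
    """Return the payload after 'cmd.exe /c' (or /k), or None for non-cmd lines.
    A payload wrapped in exactly one pair of quotes is unwrapped, as cmd does."""
    m = _CMD_PREFIX.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if len(rest) > 1 and rest[0] == rest[-1] == '"' and rest.count('"') == 2:
        rest = rest[1:-1]
    return rest


def split_chain(payload):
    """Split on unquoted &, &&, | and || (cmd's command separators)."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(payload):
        c = payload[i]
        if c == '"':
            in_quote = not in_quote
            buf.append(c)
        elif c in "&|" and not in_quote:
            piece = "".join(buf).strip()
            if piece:
                parts.append(piece)
            buf = []
            if i + 1 < len(payload) and payload[i + 1] == c:  # && or ||
                i += 1
        else:
            buf.append(c)
        i += 1
    piece = "".join(buf).strip()
    if piece:
        parts.append(piece)
    return parts


def tokenize(command):
    """Split one command into tokens, keeping quoted paths (with spaces) whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', command)]


def parse_command(command):
    """Reduce one command to a small dict: verb, targets/seconds, relevant flags."""
    tokens = tokenize(command)
    verb = tokens[0].lower() if tokens else ""
    args = tokens[1:]
    flags = {a.lower() for a in args if a.startswith("/")}
    operands = [a for a in args if not a.startswith("/")]
    if verb in ("rd", "rmdir"):
        return {"verb": "rd", "targets": operands, "recursive": "/s" in flags}
    if verb in ("del", "erase"):
        return {"verb": "del", "targets": operands, "force": "/f" in flags}
    if verb == "timeout":
        nums = [a for a in args if a.isdigit()]
        return {"verb": "timeout", "seconds": int(nums[0]) if nums else None}
    lowered = [a.lower() for a in args]
    if verb == "ping" and "-n" in lowered:
        idx = lowered.index("-n")
        count = int(args[idx + 1]) if idx + 1 < len(args) and args[idx + 1].isdigit() else None
        # ping pauses about one second between echoes, so N echoes ~ N-1 seconds
        return {"verb": "ping", "seconds": count - 1 if count else None}
    return {"verb": verb, "targets": operands}


def _norm(path):
    """Case-insensitive, slash-normalised comparison form for Windows paths."""
    return path.strip('"').replace("/", "\\").lower()


def analyze_self_delete(parent_image, cmdline):
    """Return a verdict dict for a cmd.exe process-creation record, or None if
    the line is not a cmd.exe /c|/k invocation. self_delete is True when any
    del target equals the parent process's image path."""
    payload = strip_cmd_prefix(cmdline)
    if payload is None:
        return None
    cmds = [parse_command(c) for c in split_chain(payload)]
    deleted = [t for c in cmds if c["verb"] == "del" for t in c["targets"]]
    dirs_removed = [t for c in cmds if c["verb"] == "rd" for t in c["targets"]]
    delays = [c["seconds"] for c in cmds
              if c["verb"] in ("timeout", "ping") and c.get("seconds") is not None]
    return {
        "self_delete": any(_norm(t) == _norm(parent_image) for t in deleted),
        "delay_seconds": sum(delays),
        "deleted": deleted,
        "dirs_removed": dirs_removed,
    }


# Constructed records: the first mirrors the report's PID 2012 cmd.exe.
SAMPLE_RECORDS = [
    {"pid": 2012, "parent_pid": 808,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\installer_NEAS.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\DPOLdGavsSdAE & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\installer_NEAS.exe"'},
    {"pid": 4100, "parent_pid": 3900,  # constructed benign clean-up, not from the report
     "parent_image": r"C:\Program Files\Build\msbuild.exe",
     "cmdline": r'cmd.exe /c rd /s /q C:\Temp\build && del /f /q C:\Temp\build.log'},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["pid"], analyze_self_delete(rec["parent_image"], rec["cmdline"]))
```

The parent image comes from the process-creation record (Sysmon's ParentImage), which is why the comparison works even though the file itself is gone by the time anyone looks: the deletion happens after the sandbox run, but the intent is fully visible in the command line at creation time.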
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

Memory dumps of PID 808 (file, size):
  memory/808-0-0x0000000001370000-0x0000000001A6E000-memory.dmp  7.0MB
  memory/808-1-0x00000000774A0000-0x00000000774A2000-memory.dmp  8KB
  memory/808-2-0x0000000001370000-0x0000000001A6E000-memory.dmp  7.0MB
  memory/808-3-0x0000000001370000-0x0000000001A6E000-memory.dmp  7.0MB
  memory/808-4-0x0000000001370000-0x0000000001A6E000-memory.dmp  7.0MB
  memory/808-5-0x0000000001370000-0x0000000001A6E000-memory.dmp  7.0MB
  memory/808-6-0x0000000001370000-0x0000000001A6E000-memory.dmp  7.0MB
  memory/808-7-0x0000000001370000-0x0000000001A6E000-memory.dmp  7.0MB