Analysis
- max time kernel: 145s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-05-2024 17:29
Behavioral task: behavioral1
- Sample: installer_NEAS.exe
- Resource: win7-20240221-en
General
- Target: installer_NEAS.exe
- Size: 2.7MB
- MD5: c29c49f54236b95c5f6228af66c651c5
- SHA1: 92c2a13c39757b0b656b44e0d1bc55e98ed5cc00
- SHA256: 0218dd62759681af9aa77bfbd8f43af8de695b7426bb74aecdcd9f25ee53f3da
- SHA512: 4fd926d42951e3e29a9d7a78b787567d86a5ae01a5bdcbf56058dc61a86d71d6b7bf4254a6136e9844cf2530f1a9bb5f645b40e804cc1cc2602d89bf193a505d
- SSDEEP: 49152:P9eUwdL4wRqh7YqAVpymthcNRhuvo5NMAN7q4HmfT5RhJRr0UUK81Ezw6HdPd5ik:85zgSt+svYNMAN7jOhJRDrwId
Malware Config
- Extracted: cryptbot
- Domains: oct3m.top, oct3e.top
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes (installer_NEAS.exe):
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | installer_NEAS.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes (installer_NEAS.exe):
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | installer_NEAS.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | installer_NEAS.exe
- Reads data files stored by FTP clients 2 TTPs
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule hits (rule: themida)
  Processes:
  resource | yara_rule
  behavioral2/memory/4928-0-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-3-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-2-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-4-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-6-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-5-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-121-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-124-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-127-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-130-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-133-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-136-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-139-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-142-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-145-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-148-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-151-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-154-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-157-0x0000000000020000-0x000000000071E000-memory.dmp | themida
  behavioral2/memory/4928-160-0x0000000000020000-0x000000000071E000-memory.dmp | themida
- Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
- Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Processes (installer_NEAS.exe):
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | installer_NEAS.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes (installer_NEAS.exe):
  pid | process
  4928 | installer_NEAS.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes (installer_NEAS.exe):
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | installer_NEAS.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | installer_NEAS.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes (installer_NEAS.exe):
  pid | process
  4928 | installer_NEAS.exe
  4928 | installer_NEAS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\installer_NEAS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\installer_NEAS.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\PocEUQmSNQ\JHtcuJDxWK.zip
  Filesize: 50KB
  MD5: 1ee53b171dfeec69748bd7c9dc29b6ca
  SHA1: 286bb38a11ee0212dac0c5366b1fb9a4a54d31c9
  SHA256: 5412bf1c23f89139a81c46de56490f7756b2cdbf17ef586424a1aec33c9983a1
  SHA512: 59452f400143d00aa2bd6520930f3915467e8de342061038f1f7b69348c47738935e8765578793adc82d6728874bd6409feccfc5f45b025cfcdd25a025e38ef8
- C:\Users\Admin\AppData\Local\Temp\PocEUQmSNQ\_Files\_Information.txt
  Filesize: 1KB
  MD5: 3a30a40543d7f5d8476fd806497cdd62
  SHA1: 3f6320eb4a3dd11591a881ce1b301aec85d88a7a
  SHA256: 035b1e7082654f983dc255eaa829121350e4cd3430f2f38ef33a3d5611a749f2
  SHA512: e8be495b15ab0c4145bb84e1fb8339d5adea0f8dece81ad4ea96e8b4525d9a2b75eb7e268bf8e9cc8a67559d8c94e7db37d41cb6c1129117e785b2f31dcbce4a
- C:\Users\Admin\AppData\Local\Temp\PocEUQmSNQ\_Files\_Information.txt
  Filesize: 7KB
  MD5: 302b2b14283952d2407bfe70d469bdc5
  SHA1: 792aba00b74a50beea87ef31d361cf52537f71d8
  SHA256: 10307cb5fb3bb63b698ea0aab8485842a63a1d6196722c0576b903f720010e34
  SHA512: 6e19ebd9eec8c690f57050090443c8116bcf3418240c5345d1683b5f93d54cfca59ef71c9ce2178ba24c6415d3b0d07f570132490492ede22bffc0fce5638915
- C:\Users\Admin\AppData\Local\Temp\PocEUQmSNQ\_Files\_Screen_Desktop.jpeg
  Filesize: 56KB
  MD5: 9bf45f41a67f67264088280db47c3f7d
  SHA1: e4944f7b2be7219cd84a68c757e51c2bd63013ba
  SHA256: 78798bcf9351a99a705c9aef7037ab2fe9ff8c06294311c95f5863e823de7d52
  SHA512: 3c5d31f318bf6601dd3b44b027a9175496a292a40f1a7f930adaef3cc8bd639083d625f2bf67693381a49a55a070b9966a14c42444ab030f701e533b25388818
- memory/4928-5-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-133-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-0-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-4-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-2-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-3-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-121-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-124-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-1-0x0000000077204000-0x0000000077206000-memory.dmp: 8KB
- memory/4928-127-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-130-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-6-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-136-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-139-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-142-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-145-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-148-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-151-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-154-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-157-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB
- memory/4928-160-0x0000000000020000-0x000000000071E000-memory.dmp: 7.0MB