c9a04ef4b1acf1a6f8177aa4ff0e3280075c6815caf39d5a4233a5c809c1193e

Analysis

max time kernel
148s
max time network
174s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:20

Target

NEObrut.exe
Size

8.2MB
MD5

cce27234528a9e7368f2b03b79814610
SHA1

2d3612ed76eebb214d65c1939148ddf2c2fd5898
SHA256

7e3a2f622a28d6ede1f0bcacc2b8280d14f32b59e68145df782fabbb63c5023f
SHA512

fd2b2205366e1e8eeb466564f5bc1bb996f784ee7d10886f092d9fe4293023688b053ad8d98f5656ca6a1baa87cbc94b7728ef192eb2bc219e96ec3157c324e3
SSDEEP

98304:lkNVF0LsAp59WUocK4jfjgn6w2ggxFL2Fod/p+iuO06u/yR0JZpezENAlD5x0P/y:lkNVeLsA1UnF2gPJiuOApeJCP/LNI

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1940	NEObrut.exe
1940	NEObrut.exe

C:\Users\Admin\AppData\Local\Temp\NEObrut.exe
"C:\Users\Admin\AppData\Local\Temp\NEObrut.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1940

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1940-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1940-55-0x0000000002A40000-0x0000000002D0E000-memory.dmp

Filesize
2.8MB

Download
memory/1940-56-0x0000000000400000-0x0000000000B74000-memory.dmp

Filesize
7.5MB

Download
memory/1940-57-0x0000000002A40000-0x0000000002D0E000-memory.dmp

Filesize
2.8MB

Download
memory/1940-67-0x0000000000400000-0x0000000000B74000-memory.dmp

Filesize
7.5MB

Download
memory/1940-68-0x0000000002A40000-0x0000000002D0E000-memory.dmp

Filesize
2.8MB

Download