c03bb0db13864e1174db727ad92c2db19d272be9d52bbe9adf13f9bcd6cdb9fa

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6e9f1991fc2111887951f7f225d93dac_JC.exe
Size

395KB
MD5

6e9f1991fc2111887951f7f225d93dac
SHA1

e63bcb39f9b7596b3b7ff8c31ae219884a58f5f3
SHA256

c03bb0db13864e1174db727ad92c2db19d272be9d52bbe9adf13f9bcd6cdb9fa
SHA512

746d211df553e97387b33cee0a949ad21cafb9a5a3ea4214332443a4f3960f04c118b40ccc83d1af698162e1afb0682133fa76fee5b42e8c947fbf78d32aa786
SSDEEP

6144:AjlYKRF/LReWAsUy7txeAqXubECYhdtpla+3saCyLEAJAbJe+0h:AjauDReWhHBcAbd0h

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4104	nntmc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\nntmc.exe"	nntmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 4104	2020	NEAS.6e9f1991fc2111887951f7f225d93dac_JC.exe	86
PID 2020 wrote to memory of 4104	2020	NEAS.6e9f1991fc2111887951f7f225d93dac_JC.exe	86
PID 2020 wrote to memory of 4104	2020	NEAS.6e9f1991fc2111887951f7f225d93dac_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.6e9f1991fc2111887951f7f225d93dac_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6e9f1991fc2111887951f7f225d93dac_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\ProgramData\nntmc.exe
  "C:\ProgramData\nntmc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DumpStack.log.tmp .exe

Filesize
395KB

MD5
aee69fa03c694550f76bade2b49d74bc

SHA1
646f0c561a70bc5b17ff45fa10c5f74856680cdd

SHA256
6a1e58d77a3749b30aaf3e77a1b07f219374bac87ba7eebad110f207a5e347e7

SHA512
e72a8a8f1a4db3d90a9d06d8c0d8bbb934647f7121bd8c67df9dcc89af1b5ff6cf1ea407f3be038a1d6fa2d53e150fceff80b8bfa25c4946e1fbe084430409ef

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
e80c459f053fdd59ceec0e85a4e8d155

SHA1
e54b69e03838bf5e8029a2670fbcbbf90eac1f11

SHA256
e088559f06b3f4caea1d06fb246da111c4b88d5e81e9f95eaa99f37e1bda9df4

SHA512
719147342d7245a2bc66d4c4b6713064b7a66ad9101cb2d679c4e68a79560970081c843dfa4dfd48d6caec2c42dd0c60a6cdafacadfde513e8b57417d059af9f

Download Submit
C:\ProgramData\nntmc.exe

Filesize
258KB

MD5
518a8527eb7808b8eea2f645d41750f8

SHA1
dce2a12505218fbf3df40727abcc92a4d4624bb7

SHA256
a28e812ca82a64797cb7bb4f2c82680ef893875579b334d8b185783c4747b10d

SHA512
463212a5349d79738fcf9ed940f15f92124e936a7de405f2da5624984df9ad711a50c7220ae44c38af355b560748f0403fe1f148f7975e45a0620efe3ae8a0a1

Download Submit
C:\ProgramData\nntmc.exe

Filesize
258KB

MD5
518a8527eb7808b8eea2f645d41750f8

SHA1
dce2a12505218fbf3df40727abcc92a4d4624bb7

SHA256
a28e812ca82a64797cb7bb4f2c82680ef893875579b334d8b185783c4747b10d

SHA512
463212a5349d79738fcf9ed940f15f92124e936a7de405f2da5624984df9ad711a50c7220ae44c38af355b560748f0403fe1f148f7975e45a0620efe3ae8a0a1

Download Submit
memory/2020-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4104-98-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads