Overview

overview

10

Static

static

3

NEAS.7a7a7...JC.exe

windows7-x64

10

NEAS.7a7a7...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/10/2023, 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.7a7a773679c7c7c7d4785b70573a8443_JC.exe

  • Size

    157KB

  • MD5

    7a7a773679c7c7c7d4785b70573a8443

  • SHA1

    0083357ea2c1adff3fd4c86723bbbb4a33214da9

  • SHA256

    b5388c8ec09bd245f6b71bf30001e43edb5dcebb7f1e7fb75ad3cfbd37617af3

  • SHA512

    655595969a7e9c904c69ef24ef50a0160cd74c73ca048ff2ef59a94a73d01b4f23368292ab7017a8e835aad0ce8348fd724c78adddf223adb1fb6d12a8208a88

  • SSDEEP

    3072:gyeNFuft1gx591QLSpJKZnYS6oz5FnDJT3ExnLoFTG:gyeN0fPYiLSpJ4nN6oz5PTExnLUy

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.7a7a773679c7c7c7d4785b70573a8443_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.7a7a773679c7c7c7d4785b70573a8443_JC.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    PID:5068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1228
      2⤵
      • Program crash
      PID:4736
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5068 -ip 5068
    1⤵
      PID:4288
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:896

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\RCXA691.tmp
        Filesize

        77KB

        MD5

        ac64343e4fffab70c744c58b271aa49d

        SHA1

        8622621d1f02b7dfdd6794ab442d00607cb822f0

        SHA256

        ebb5fe1c54768c31643319d421571b1a268540d3f9b70182e60e8e1bf62a69de

        SHA512

        965ed3eb173ee2cd0b6f5326e83d1b9952530334b9a2c34a5aaa5b39f0f243ee03e1b378a601d6ece44f78ed5e37ff70387b55047436a559ca4b92584de9d3b7

        Download Submit

      • C:\autorun.inf
        Filesize

        126B

        MD5

        163e20cbccefcdd42f46e43a94173c46

        SHA1

        4c7b5048e8608e2a75799e00ecf1bbb4773279ae

        SHA256

        7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

        SHA512

        e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

        Download Submit

      • C:\zPharaoh.exe
        Filesize

        157KB

        MD5

        64e7f552215824be3e1830188ca82d84

        SHA1

        351edac2561f0b9315bf7f4ded4b0cb59cb0a051

        SHA256

        9f9bcda18cfce54f0f98db673aa5036b481f50a4549a3a757e9d8e7cae86c91e

        SHA512

        9786bf2ad4af23585b43c805f48c6216cd7f68bafc36ee7de9c4984d75150d0b8862663fae37d73d3b7acd0c8ebb4aa7499ab69f7005c89d1cfd8fc62a63aa9d

        Download Submit

      • F:\zPharaoh.exe
        Filesize

        157KB

        MD5

        46388981b7cc4dce0f6a71481f35f5be

        SHA1

        3eaf3bb885a6a33ca621dca5b716635f0b44836a

        SHA256

        523aeb2530d679c02454c5e68c8ea992715ce4d357e03f0cb2d293f882abdd46

        SHA512

        738a9b950178a52f07a3729822c2a0bebdb886db38e840ff72d3ce38e31211ff308a2e7082626819860a18066f54655ddd991a29be446ef4067c49c3a02df268

        Download Submit

      • memory/5068-0-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/5068-28-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download