475baa415b5eb059891d87c2f807c046dd64190404b624519028aac70763029e

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10/10/2023, 19:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe
Size

289KB
MD5

b0b6edb20b72acd92b63d8fe04d56cab
SHA1

af933fcbaa1e7f5a87f122214f3e589bea1907b0
SHA256

475baa415b5eb059891d87c2f807c046dd64190404b624519028aac70763029e
SHA512

20c6f802266808a30e6e6271dc4daf84c0e09705d7d47a840a2f8ffc8314330dbdbb4625b62d0555a44068b0fa5f69b5901bfa3a4396c7cfadc65b9a40d76282
SSDEEP

3072:JihgCYCxVOuzCyk5mvQBohjiBGwOzI96cQkP3K4pLthECQT68VMJLaQljVvzUpz:JzbCxV5tvQ2hjiBGL1kECzJLaQVbU5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2736	SXSMNL.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\SXSMNL.exe	NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe
File opened for modification	C:\windows\SXSMNL.exe	NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe
File created	C:\windows\SXSMNL.exe.bat	NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3032	NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe
2736	SXSMNL.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3032	NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe
3032	NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe
2736	SXSMNL.exe
2736	SXSMNL.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2244	3032	NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe	28
PID 3032 wrote to memory of 2244	3032	NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe	28
PID 3032 wrote to memory of 2244	3032	NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe	28
PID 3032 wrote to memory of 2244	3032	NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe	28
PID 2244 wrote to memory of 2736	2244	cmd.exe	30
PID 2244 wrote to memory of 2736	2244	cmd.exe	30
PID 2244 wrote to memory of 2736	2244	cmd.exe	30
PID 2244 wrote to memory of 2736	2244	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b0b6edb20b72acd92b63d8fe04d56cab_JC.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\SXSMNL.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\windows\SXSMNL.exe
    C:\windows\SXSMNL.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SXSMNL.exe

Filesize
289KB

MD5
21c6bdc94a362180b4443c2052d0eaa1

SHA1
cd2f431b581731b82ad741f55ce673414344112e

SHA256
cfcb9d6ce2a2fc3907d9a01be82c6a76a855c662f758182922ac9fb7d92cd31c

SHA512
01788eb8934b6ed13c82aa8dc9d002b2ed7fb74a8e39703d76b15a3b988a6747525f809c3aeb561453c2c8873d36c930c3dd225abcd484519ceaf0b42f54a42d

Download Submit
C:\Windows\SXSMNL.exe.bat

Filesize
58B

MD5
6058ba01331f20f025cd193193c1053c

SHA1
090188ef885ce2a5240f61fc03b9ca55abd1614e

SHA256
af721156b8e90f9902404f026fadc1cadb40d492e72a3f31ddab666538d119f4

SHA512
56e79502dc3d774d05b89d09896858e936812ca71ac2f881682c9543649b3c0dc77d7fc21b7197ad060cb51b9335b6302b76d0d07e61c67ff9e5e66324e505b2

Download Submit
C:\windows\SXSMNL.exe

Filesize
289KB

MD5
21c6bdc94a362180b4443c2052d0eaa1

SHA1
cd2f431b581731b82ad741f55ce673414344112e

SHA256
cfcb9d6ce2a2fc3907d9a01be82c6a76a855c662f758182922ac9fb7d92cd31c

SHA512
01788eb8934b6ed13c82aa8dc9d002b2ed7fb74a8e39703d76b15a3b988a6747525f809c3aeb561453c2c8873d36c930c3dd225abcd484519ceaf0b42f54a42d

Download Submit
C:\windows\SXSMNL.exe.bat

Filesize
58B

MD5
6058ba01331f20f025cd193193c1053c

SHA1
090188ef885ce2a5240f61fc03b9ca55abd1614e

SHA256
af721156b8e90f9902404f026fadc1cadb40d492e72a3f31ddab666538d119f4

SHA512
56e79502dc3d774d05b89d09896858e936812ca71ac2f881682c9543649b3c0dc77d7fc21b7197ad060cb51b9335b6302b76d0d07e61c67ff9e5e66324e505b2

Download Submit
memory/2244-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2244-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2736-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2736-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3032-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3032-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download