ff50dd3dbaad979ffdb64de2b5499f95fd2a7b623e1de878da0ebaab1d2ee4a1

General

Target

NEAS.071970c7809187ee84aa7c5742c7a660_JC.exe
Size

293KB
MD5

071970c7809187ee84aa7c5742c7a660
SHA1

169b37114bc36f5fd8ae42eb62cc871a5032f764
SHA256

ff50dd3dbaad979ffdb64de2b5499f95fd2a7b623e1de878da0ebaab1d2ee4a1
SHA512

6c3f6910105b1ee7ed3e9b3372b3bd067a188cab83e852abc73325f9852fd4aab24e3570e2e4e72cac365cef64e48fd2319bffdc47c7b6cb4f41ce1118ebf1c4
SSDEEP

6144:e5uRH38i5OBwdmR62zdpuQtv3NxjMjtG6ZLlYBJ:e0RH3nCwdmR62Vv3NuLZLlYBJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2576	s8027.exe

Loads dropped DLL 4 IoCs

pid	Process
2748	NEAS.071970c7809187ee84aa7c5742c7a660_JC.exe
2748	NEAS.071970c7809187ee84aa7c5742c7a660_JC.exe
2748	NEAS.071970c7809187ee84aa7c5742c7a660_JC.exe
2748	NEAS.071970c7809187ee84aa7c5742c7a660_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2748	NEAS.071970c7809187ee84aa7c5742c7a660_JC.exe
2576	s8027.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	s8027.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2576	s8027.exe
2576	s8027.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2576	2748	NEAS.071970c7809187ee84aa7c5742c7a660_JC.exe	27
PID 2748 wrote to memory of 2576	2748	NEAS.071970c7809187ee84aa7c5742c7a660_JC.exe	27
PID 2748 wrote to memory of 2576	2748	NEAS.071970c7809187ee84aa7c5742c7a660_JC.exe	27
PID 2748 wrote to memory of 2576	2748	NEAS.071970c7809187ee84aa7c5742c7a660_JC.exe	27

C:\Users\Admin\AppData\Local\Temp\NEAS.071970c7809187ee84aa7c5742c7a660_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.071970c7809187ee84aa7c5742c7a660_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\n8027\s8027.exe
  "C:\Users\Admin\AppData\Local\Temp\n8027\s8027.exe" ins.exe /e11805942 /u50b892e5-d96c-476b-834e-555c5bc06f2f
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n8027\s8027.exe

Filesize
269KB

MD5
18332589d7068650441ab03e352a3441

SHA1
df6c95c22d184cff4003e5048282eb007389b86c

SHA256
4b2956d97453ae7889ba67a84c88c3e64f19786c7f871a1e79217e168cbe133f

SHA512
6923bf1cbe68508ed146b26ab4ee8f74b6949d5dde2706e7a888ed334f9dde9f659daa5de48b3dbaff34ab46e6a5dbbd4be118f97d31fc25e1d1df2ef2d88f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8027\s8027.exe

Filesize
269KB

MD5
18332589d7068650441ab03e352a3441

SHA1
df6c95c22d184cff4003e5048282eb007389b86c

SHA256
4b2956d97453ae7889ba67a84c88c3e64f19786c7f871a1e79217e168cbe133f

SHA512
6923bf1cbe68508ed146b26ab4ee8f74b6949d5dde2706e7a888ed334f9dde9f659daa5de48b3dbaff34ab46e6a5dbbd4be118f97d31fc25e1d1df2ef2d88f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8027\s8027.exe

Filesize
269KB

MD5
18332589d7068650441ab03e352a3441

SHA1
df6c95c22d184cff4003e5048282eb007389b86c

SHA256
4b2956d97453ae7889ba67a84c88c3e64f19786c7f871a1e79217e168cbe133f

SHA512
6923bf1cbe68508ed146b26ab4ee8f74b6949d5dde2706e7a888ed334f9dde9f659daa5de48b3dbaff34ab46e6a5dbbd4be118f97d31fc25e1d1df2ef2d88f34

Download Submit
\Users\Admin\AppData\Local\Temp\n8027\s8027.exe

Filesize
269KB

MD5
18332589d7068650441ab03e352a3441

SHA1
df6c95c22d184cff4003e5048282eb007389b86c

SHA256
4b2956d97453ae7889ba67a84c88c3e64f19786c7f871a1e79217e168cbe133f

SHA512
6923bf1cbe68508ed146b26ab4ee8f74b6949d5dde2706e7a888ed334f9dde9f659daa5de48b3dbaff34ab46e6a5dbbd4be118f97d31fc25e1d1df2ef2d88f34

Download Submit
\Users\Admin\AppData\Local\Temp\n8027\s8027.exe

Filesize
269KB

MD5
18332589d7068650441ab03e352a3441

SHA1
df6c95c22d184cff4003e5048282eb007389b86c

SHA256
4b2956d97453ae7889ba67a84c88c3e64f19786c7f871a1e79217e168cbe133f

SHA512
6923bf1cbe68508ed146b26ab4ee8f74b6949d5dde2706e7a888ed334f9dde9f659daa5de48b3dbaff34ab46e6a5dbbd4be118f97d31fc25e1d1df2ef2d88f34

Download Submit
\Users\Admin\AppData\Local\Temp\n8027\s8027.exe

Filesize
269KB

MD5
18332589d7068650441ab03e352a3441

SHA1
df6c95c22d184cff4003e5048282eb007389b86c

SHA256
4b2956d97453ae7889ba67a84c88c3e64f19786c7f871a1e79217e168cbe133f

SHA512
6923bf1cbe68508ed146b26ab4ee8f74b6949d5dde2706e7a888ed334f9dde9f659daa5de48b3dbaff34ab46e6a5dbbd4be118f97d31fc25e1d1df2ef2d88f34

Download Submit
\Users\Admin\AppData\Local\Temp\n8027\s8027.exe

Filesize
269KB

MD5
18332589d7068650441ab03e352a3441

SHA1
df6c95c22d184cff4003e5048282eb007389b86c

SHA256
4b2956d97453ae7889ba67a84c88c3e64f19786c7f871a1e79217e168cbe133f

SHA512
6923bf1cbe68508ed146b26ab4ee8f74b6949d5dde2706e7a888ed334f9dde9f659daa5de48b3dbaff34ab46e6a5dbbd4be118f97d31fc25e1d1df2ef2d88f34

Download Submit
memory/2576-17-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/2576-21-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/2576-16-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2576-14-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/2576-18-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/2576-19-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/2576-20-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/2576-15-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2576-22-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/2576-23-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2576-24-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2576-25-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/2576-26-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/2576-27-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/2576-28-0x0000000000B10000-0x0000000000B90000-memory.dmp

Filesize
512KB

Download
memory/2576-29-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing