e27d8b6e65f983269374da94af86e5bb5cd392161cff9492347b4581fa6828c3

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe
Size

395KB
MD5

0e0c8ddd12a8afaa6a90cd304dc331a0
SHA1

0738676af94d237c0261f7ee467de95b60b58e25
SHA256

e27d8b6e65f983269374da94af86e5bb5cd392161cff9492347b4581fa6828c3
SHA512

a3d0755f772ed1d76ae1a900436abf757e783669cf6a1331e1f3c43882fa5ba6861e38b207cd3d15ff24561ae0dac99a41d0f356230b790359e7883688b17566
SSDEEP

12288:AjauDReWzyMgbKHeajrMVUY0khwisHtho:ADDSMgbKHe+Y0Owiqtho

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3004	pvjea.exe

Loads dropped DLL 2 IoCs

pid	Process
1288	NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe
1288	NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\pvjea.exe"	pvjea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 3004	1288	NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe	28
PID 1288 wrote to memory of 3004	1288	NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe	28
PID 1288 wrote to memory of 3004	1288	NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe	28
PID 1288 wrote to memory of 3004	1288	NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288
- C:\ProgramData\pvjea.exe
  "C:\ProgramData\pvjea.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
395KB

MD5
fa94ab86ce3a63b3cc50b92dd994f076

SHA1
603698e5612cbf4e5282d7cff8166e368bf9313e

SHA256
eb81c0a471a30964470239729e8332dafb66b235841a7365e38d34c32d002fb8

SHA512
68876023fb398b6d12cc350c0c4a7952dd46635265d1d138e683017052cdccb3292689354b3ec4de517582cd2f43d0cd1606d9dd7d0e1f7b7ef5e2dd2a27ba5c

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
e80c459f053fdd59ceec0e85a4e8d155

SHA1
e54b69e03838bf5e8029a2670fbcbbf90eac1f11

SHA256
e088559f06b3f4caea1d06fb246da111c4b88d5e81e9f95eaa99f37e1bda9df4

SHA512
719147342d7245a2bc66d4c4b6713064b7a66ad9101cb2d679c4e68a79560970081c843dfa4dfd48d6caec2c42dd0c60a6cdafacadfde513e8b57417d059af9f

Download Submit
C:\ProgramData\pvjea.exe

Filesize
258KB

MD5
8810e358b299a34e6c9015eba9c8f76d

SHA1
44bdb3b296623f0580c244f67b0f3ffcab754470

SHA256
e0ff49b01d6dc7ccc23b467a68eff052f4be44003a400c84a88caa5b7411fa85

SHA512
46756ed028210ce4591f87b36bafbf55b9da095626aef49c6e3745e8fb4de4f8605fe19df4101da71c8a67f795c73e16b3c8ce52601fff72b7f3303d8d4fbd60

Download Submit
C:\ProgramData\pvjea.exe

Filesize
258KB

MD5
8810e358b299a34e6c9015eba9c8f76d

SHA1
44bdb3b296623f0580c244f67b0f3ffcab754470

SHA256
e0ff49b01d6dc7ccc23b467a68eff052f4be44003a400c84a88caa5b7411fa85

SHA512
46756ed028210ce4591f87b36bafbf55b9da095626aef49c6e3745e8fb4de4f8605fe19df4101da71c8a67f795c73e16b3c8ce52601fff72b7f3303d8d4fbd60

Download Submit
C:\ProgramData\pvjea.exe

Filesize
258KB

MD5
8810e358b299a34e6c9015eba9c8f76d

SHA1
44bdb3b296623f0580c244f67b0f3ffcab754470

SHA256
e0ff49b01d6dc7ccc23b467a68eff052f4be44003a400c84a88caa5b7411fa85

SHA512
46756ed028210ce4591f87b36bafbf55b9da095626aef49c6e3745e8fb4de4f8605fe19df4101da71c8a67f795c73e16b3c8ce52601fff72b7f3303d8d4fbd60

Download Submit
\ProgramData\pvjea.exe

Filesize
258KB

MD5
8810e358b299a34e6c9015eba9c8f76d

SHA1
44bdb3b296623f0580c244f67b0f3ffcab754470

SHA256
e0ff49b01d6dc7ccc23b467a68eff052f4be44003a400c84a88caa5b7411fa85

SHA512
46756ed028210ce4591f87b36bafbf55b9da095626aef49c6e3745e8fb4de4f8605fe19df4101da71c8a67f795c73e16b3c8ce52601fff72b7f3303d8d4fbd60

Download Submit
\ProgramData\pvjea.exe

Filesize
258KB

MD5
8810e358b299a34e6c9015eba9c8f76d

SHA1
44bdb3b296623f0580c244f67b0f3ffcab754470

SHA256
e0ff49b01d6dc7ccc23b467a68eff052f4be44003a400c84a88caa5b7411fa85

SHA512
46756ed028210ce4591f87b36bafbf55b9da095626aef49c6e3745e8fb4de4f8605fe19df4101da71c8a67f795c73e16b3c8ce52601fff72b7f3303d8d4fbd60

Download Submit
memory/1288-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3004-100-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads