e27d8b6e65f983269374da94af86e5bb5cd392161cff9492347b4581fa6828c3

Analysis

max time kernel
154s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe
Size

395KB
MD5

0e0c8ddd12a8afaa6a90cd304dc331a0
SHA1

0738676af94d237c0261f7ee467de95b60b58e25
SHA256

e27d8b6e65f983269374da94af86e5bb5cd392161cff9492347b4581fa6828c3
SHA512

a3d0755f772ed1d76ae1a900436abf757e783669cf6a1331e1f3c43882fa5ba6861e38b207cd3d15ff24561ae0dac99a41d0f356230b790359e7883688b17566
SSDEEP

12288:AjauDReWzyMgbKHeajrMVUY0khwisHtho:ADDSMgbKHe+Y0Owiqtho

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3096	flnoty.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\flnoty.exe"	flnoty.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 3096	768	NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe	85
PID 768 wrote to memory of 3096	768	NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe	85
PID 768 wrote to memory of 3096	768	NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe	85

C:\Users\Admin\AppData\Local\Temp\NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0e0c8ddd12a8afaa6a90cd304dc331a0_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\ProgramData\flnoty.exe
  "C:\ProgramData\flnoty.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DumpStack.log.tmp .exe

Filesize
395KB

MD5
7b15166d71d9c6a6d78a3fb1753c7840

SHA1
aee4d9a079b595a67221a7362fc462ae60e9f889

SHA256
7819333a07e2e2efdaca6500d122b9957c3300f96d4157c7cefc207871c9c588

SHA512
224f4d4e3edb41ae08619e802555f349ca04fcd98cf6ffecc3966959daff91415eac5cbfeef21c2163f582e45bc691ca44bb04fbd3515e54f874565e92eef3e4

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
e80c459f053fdd59ceec0e85a4e8d155

SHA1
e54b69e03838bf5e8029a2670fbcbbf90eac1f11

SHA256
e088559f06b3f4caea1d06fb246da111c4b88d5e81e9f95eaa99f37e1bda9df4

SHA512
719147342d7245a2bc66d4c4b6713064b7a66ad9101cb2d679c4e68a79560970081c843dfa4dfd48d6caec2c42dd0c60a6cdafacadfde513e8b57417d059af9f

Download Submit
C:\ProgramData\flnoty.exe

Filesize
258KB

MD5
8810e358b299a34e6c9015eba9c8f76d

SHA1
44bdb3b296623f0580c244f67b0f3ffcab754470

SHA256
e0ff49b01d6dc7ccc23b467a68eff052f4be44003a400c84a88caa5b7411fa85

SHA512
46756ed028210ce4591f87b36bafbf55b9da095626aef49c6e3745e8fb4de4f8605fe19df4101da71c8a67f795c73e16b3c8ce52601fff72b7f3303d8d4fbd60

Download Submit
C:\ProgramData\flnoty.exe

Filesize
258KB

MD5
8810e358b299a34e6c9015eba9c8f76d

SHA1
44bdb3b296623f0580c244f67b0f3ffcab754470

SHA256
e0ff49b01d6dc7ccc23b467a68eff052f4be44003a400c84a88caa5b7411fa85

SHA512
46756ed028210ce4591f87b36bafbf55b9da095626aef49c6e3745e8fb4de4f8605fe19df4101da71c8a67f795c73e16b3c8ce52601fff72b7f3303d8d4fbd60

Download Submit
memory/768-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3096-75-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3096-189-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads