514e59411af128c6c86bd1a40aa05b599360ccc4955820f461b43120c27d3f20

Analysis

max time kernel
190s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 18:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.aa46f1de8188b2aa2afa984cb76c3310_JC.exe
Size

25KB
MD5

aa46f1de8188b2aa2afa984cb76c3310
SHA1

6651518fc54ad699cc025fa27ae6d17020ba879f
SHA256

514e59411af128c6c86bd1a40aa05b599360ccc4955820f461b43120c27d3f20
SHA512

42460c0fc48411c2a4774705a15c5735f7d05bc3b085e7de5b13c489c6937d455c33f1a07c92518a00f0996e4750148ac6abf8650759855c68391b43e765a649
SSDEEP

384:vRDKJBGSmr6vTUnUgGWAxpr6+A9PfnfLBrJ14umG:kWSo6vwUgGBxkj3DBrnMG

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000e000000011ec3-4.dat	aspack_v212_v242
behavioral1/files/0x000e000000011ec3-9.dat	aspack_v212_v242
behavioral1/files/0x000e000000011ec3-11.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2752	zbhnd.exe

Loads dropped DLL 1 IoCs

pid	Process
1732	NEAS.aa46f1de8188b2aa2afa984cb76c3310_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2752	1732	NEAS.aa46f1de8188b2aa2afa984cb76c3310_JC.exe	29
PID 1732 wrote to memory of 2752	1732	NEAS.aa46f1de8188b2aa2afa984cb76c3310_JC.exe	29
PID 1732 wrote to memory of 2752	1732	NEAS.aa46f1de8188b2aa2afa984cb76c3310_JC.exe	29
PID 1732 wrote to memory of 2752	1732	NEAS.aa46f1de8188b2aa2afa984cb76c3310_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.aa46f1de8188b2aa2afa984cb76c3310_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.aa46f1de8188b2aa2afa984cb76c3310_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\zbhnd.exe
  "C:\Users\Admin\AppData\Local\Temp\zbhnd.exe"
  2⤵
  - Executes dropped EXE
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
25KB

MD5
2bdf1a3354cb6d6a7cb7c3ab0cf9a930

SHA1
4800d2f43e90303febf7dc3f7e48cab2b4676866

SHA256
32ce316d3a1584560f923b4392cd2e3e2c06678c265554a4411d0d9d3d03157c

SHA512
91137328e782292ce02019fa11ce572c5613019be386cfac16ce3d16c6014c25184e16465a9b6fddce9649244c1a0e23d90c811e2f4f2f0038810083a975eb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
25KB

MD5
2bdf1a3354cb6d6a7cb7c3ab0cf9a930

SHA1
4800d2f43e90303febf7dc3f7e48cab2b4676866

SHA256
32ce316d3a1584560f923b4392cd2e3e2c06678c265554a4411d0d9d3d03157c

SHA512
91137328e782292ce02019fa11ce572c5613019be386cfac16ce3d16c6014c25184e16465a9b6fddce9649244c1a0e23d90c811e2f4f2f0038810083a975eb78

Download Submit
\Users\Admin\AppData\Local\Temp\zbhnd.exe

Filesize
25KB

MD5
2bdf1a3354cb6d6a7cb7c3ab0cf9a930

SHA1
4800d2f43e90303febf7dc3f7e48cab2b4676866

SHA256
32ce316d3a1584560f923b4392cd2e3e2c06678c265554a4411d0d9d3d03157c

SHA512
91137328e782292ce02019fa11ce572c5613019be386cfac16ce3d16c6014c25184e16465a9b6fddce9649244c1a0e23d90c811e2f4f2f0038810083a975eb78

Download Submit
memory/1732-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1732-1-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2752-12-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2752-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download