ffb8e49236de94627d28adee2fd275da47c8c4ce2382f71cffa9f9c73d8e1ed4

General

Target

NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe
Size

208KB
MD5

ab2afefc2c61e74c1d025ebd622d32f0
SHA1

d889adbe0bc7834d705674ac34c547cea2d4f2e4
SHA256

ffb8e49236de94627d28adee2fd275da47c8c4ce2382f71cffa9f9c73d8e1ed4
SHA512

ad698fd75b4aafa2084c81fe5c57146f27aa77ce15bb0d1561b6b908c1b963da374da54544e1531369fd6b15d5ca7f827b4252a46cb96fd9272261b409bef75c
SSDEEP

3072:XU77/LICpgN+2cnMInpVfMQOjRrsfL88mkM+gSzmEV3WKo4NLthEjQT6j:YsCpBrpVdD88mZ+3zmqWZQEj1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2648	GAHE.exe

Loads dropped DLL 2 IoCs

pid	Process
1592	cmd.exe
1592	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\GAHE.exe	NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe
File opened for modification	C:\windows\SysWOW64\GAHE.exe	NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe
File created	C:\windows\SysWOW64\GAHE.exe.bat	NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2092	NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe
2648	GAHE.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2092	NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe
2092	NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe
2648	GAHE.exe
2648	GAHE.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1592	2092	NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe	28
PID 2092 wrote to memory of 1592	2092	NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe	28
PID 2092 wrote to memory of 1592	2092	NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe	28
PID 2092 wrote to memory of 1592	2092	NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe	28
PID 1592 wrote to memory of 2648	1592	cmd.exe	30
PID 1592 wrote to memory of 2648	1592	cmd.exe	30
PID 1592 wrote to memory of 2648	1592	cmd.exe	30
PID 1592 wrote to memory of 2648	1592	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ab2afefc2c61e74c1d025ebd622d32f0_JC.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\GAHE.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\windows\SysWOW64\GAHE.exe
    C:\windows\system32\GAHE.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\GAHE.exe

Filesize
208KB

MD5
e17cd7acbe52f96305810e9b20d644cd

SHA1
38434feadbc91b582cb7fa69ad2e2db114645cfc

SHA256
4858d3c6b3f31cc9821a3cfd923b9ade22644ca518084ed6febe9802a97a2360

SHA512
de70e692889fee5cd3a9137413f5609f7d6cd0f71e57c6026b3b5ff2ebe6d06be7c756499c7dd241b8783b3056b02f58e0e1c0ad541b01e60558b801ad87d2be

Download Submit
C:\Windows\SysWOW64\GAHE.exe.bat

Filesize
72B

MD5
067560d98fb3270c0f0256553665d6b9

SHA1
ee72fbb97af0ec14d41734ffbd071f87ea1dcbcb

SHA256
5968318a312f10b842adeaca0d05675d1fe151caefe8596685d2581ed4c27fad

SHA512
0e839b2c12a6c1d6796cf8d378a4ebcc6909904b7ce873093d1b3337ff2fff0451424cd2cc9f59ee55faaef1a4ac376df59237542442e16bb697c1f294377419

Download Submit
C:\windows\SysWOW64\GAHE.exe

Filesize
208KB

MD5
e17cd7acbe52f96305810e9b20d644cd

SHA1
38434feadbc91b582cb7fa69ad2e2db114645cfc

SHA256
4858d3c6b3f31cc9821a3cfd923b9ade22644ca518084ed6febe9802a97a2360

SHA512
de70e692889fee5cd3a9137413f5609f7d6cd0f71e57c6026b3b5ff2ebe6d06be7c756499c7dd241b8783b3056b02f58e0e1c0ad541b01e60558b801ad87d2be

Download Submit
C:\windows\SysWOW64\GAHE.exe.bat

Filesize
72B

MD5
067560d98fb3270c0f0256553665d6b9

SHA1
ee72fbb97af0ec14d41734ffbd071f87ea1dcbcb

SHA256
5968318a312f10b842adeaca0d05675d1fe151caefe8596685d2581ed4c27fad

SHA512
0e839b2c12a6c1d6796cf8d378a4ebcc6909904b7ce873093d1b3337ff2fff0451424cd2cc9f59ee55faaef1a4ac376df59237542442e16bb697c1f294377419

Download Submit
\Windows\SysWOW64\GAHE.exe

Filesize
208KB

MD5
e17cd7acbe52f96305810e9b20d644cd

SHA1
38434feadbc91b582cb7fa69ad2e2db114645cfc

SHA256
4858d3c6b3f31cc9821a3cfd923b9ade22644ca518084ed6febe9802a97a2360

SHA512
de70e692889fee5cd3a9137413f5609f7d6cd0f71e57c6026b3b5ff2ebe6d06be7c756499c7dd241b8783b3056b02f58e0e1c0ad541b01e60558b801ad87d2be

Download Submit
\Windows\SysWOW64\GAHE.exe

Filesize
208KB

MD5
e17cd7acbe52f96305810e9b20d644cd

SHA1
38434feadbc91b582cb7fa69ad2e2db114645cfc

SHA256
4858d3c6b3f31cc9821a3cfd923b9ade22644ca518084ed6febe9802a97a2360

SHA512
de70e692889fee5cd3a9137413f5609f7d6cd0f71e57c6026b3b5ff2ebe6d06be7c756499c7dd241b8783b3056b02f58e0e1c0ad541b01e60558b801ad87d2be

Download Submit
memory/2092-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2092-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2648-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2648-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing