0c5fd5437a92d39a3e7855c51e8d4b1122a2584b893bf8e937a79c9cc8022541

Analysis

max time kernel
133s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 18:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
Size

208KB
MD5

f14e307c06c329102a5a86f739ae3f28
SHA1

672389b1ecebf1a50aa13e88c2ea239e81de7c91
SHA256

0c5fd5437a92d39a3e7855c51e8d4b1122a2584b893bf8e937a79c9cc8022541
SHA512

93378cb7f5917dc05b50e67d5af4a827b551b1305157dff30fc853cdf86bd7fc9ed0c91cbf64797ce7bcef8216f74442bc271c184a554f1950e708c254f8d90c
SSDEEP

3072:bfKg7VtiYiVIi/ZBhY1mgvc2xJ4FhMY9acxo7lcL6Yzh4NLthEjQT6j:bfKg7VtizIEnhSh0I4ValCfzhQEj1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2100	IFGAED.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\IFGAED.exe	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
File opened for modification	C:\windows\IFGAED.exe	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
File created	C:\windows\IFGAED.exe.bat	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2832	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
2100	IFGAED.exe
2100	IFGAED.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2832	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
2832	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
2100	IFGAED.exe
2100	IFGAED.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2128	2832	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe	29
PID 2832 wrote to memory of 2128	2832	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe	29
PID 2832 wrote to memory of 2128	2832	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe	29
PID 2832 wrote to memory of 2128	2832	NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe	29
PID 2128 wrote to memory of 2100	2128	cmd.exe	31
PID 2128 wrote to memory of 2100	2128	cmd.exe	31
PID 2128 wrote to memory of 2100	2128	cmd.exe	31
PID 2128 wrote to memory of 2100	2128	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f14e307c06c329102a5a86f739ae3f28_JC.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\IFGAED.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\windows\IFGAED.exe
    C:\windows\IFGAED.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IFGAED.exe

Filesize
208KB

MD5
d1851a79a6eae1356ef5ff48f9cc40de

SHA1
f91602fe0a5756ce3ab1aa8aa2f9dfdf20a8bd65

SHA256
d68a741e8c3b82fbb82e7ed98a59dfd75b4aefc46089cd483d8782d0c168ec96

SHA512
6a594cdeb9bce22c7c3026b62095a7af1d2594d0e7101a75fe856e331c1c43d30dc9f46f1d5d00d3a8e8b3e5e0aa6153cb9264f0eaeb7bd4bcce6efa77d6a355

Download Submit
C:\Windows\IFGAED.exe.bat

Filesize
58B

MD5
87a16983fbedb11888e018bbecd122fd

SHA1
9006a6ed3619a4efd623c5cd1768200210f677c2

SHA256
344848a569172a6ec3967479fc43d3601220117285801799b6e6a83e2e123811

SHA512
759293c386930798eaa2810b973950d5fe0138ac165d3ad0c18f33079b56860dbab7292a8529fe5d81db4755ba518e7d94fe7d8c8c452843ef3731548e53f9d4

Download Submit
C:\windows\IFGAED.exe

Filesize
208KB

MD5
d1851a79a6eae1356ef5ff48f9cc40de

SHA1
f91602fe0a5756ce3ab1aa8aa2f9dfdf20a8bd65

SHA256
d68a741e8c3b82fbb82e7ed98a59dfd75b4aefc46089cd483d8782d0c168ec96

SHA512
6a594cdeb9bce22c7c3026b62095a7af1d2594d0e7101a75fe856e331c1c43d30dc9f46f1d5d00d3a8e8b3e5e0aa6153cb9264f0eaeb7bd4bcce6efa77d6a355

Download Submit
C:\windows\IFGAED.exe.bat

Filesize
58B

MD5
87a16983fbedb11888e018bbecd122fd

SHA1
9006a6ed3619a4efd623c5cd1768200210f677c2

SHA256
344848a569172a6ec3967479fc43d3601220117285801799b6e6a83e2e123811

SHA512
759293c386930798eaa2810b973950d5fe0138ac165d3ad0c18f33079b56860dbab7292a8529fe5d81db4755ba518e7d94fe7d8c8c452843ef3731548e53f9d4

Download Submit
memory/2100-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2128-15-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/2128-17-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/2128-19-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/2832-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2832-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download