63aa248234533d28e4857aa3df9e55a3a877c8e0f054508189aedabb63ff2165

Analysis

max time kernel
122s
max time network
140s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
Size

1.5MB
MD5

7afff2b785bf0648b243446e35dabf19
SHA1

8acc9c0f792d2d92ccc74d766e01029468b61709
SHA256

63aa248234533d28e4857aa3df9e55a3a877c8e0f054508189aedabb63ff2165
SHA512

3f4300e14af49fcb1ea6615192c0bb7a61e2bd88d820828157679a766e8aa506f197e8b5dedd93ded78b5b187173d1dca2447a8918f0fd1faa07af812f7a2e88
SSDEEP

3072:rxv/y9LJ3tGXRvjxCb5NgXDY7uSlkJcUa7kYQTcqW2NdQQGH/UDhSCUc4aqTB8gw:VamlKgzelZNQSBQGH/CSpWqTdmQ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\L:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\N:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\G:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\H:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\J:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\K:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\M:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\O:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\E:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8162.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX7F72.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\DVD Maker\DVDMaker.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX812D.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\7-Zip\7z.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX813E.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX81B3.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX7F71.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX8234.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX810B.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8183.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\readme.1xt	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\7-Zip\7z.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX811D.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX7F2F.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX7F41.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8160.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8182.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX7F1F.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\7-Zip\7zFM.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX7F40.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX806C.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX811C.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX815F.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8161.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1364	2448	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 1364	2448	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe	28
PID 2448 wrote to memory of 1364	2448	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe	28
PID 2448 wrote to memory of 1364	2448	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe	28
PID 2448 wrote to memory of 1364	2448	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 744
  2⤵
  - Program crash
  PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.cab

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
c82add56fa1bb9ee0b29c0f06f6080f9

SHA1
870c50c4090efa3190efb1af1c430c51fbcd0f82

SHA256
a9b9383d11d69fef87d6f2c1d41b87722dfec852b3c7352a4a207dba8ca9bd29

SHA512
ef523799026bb30ef831b264cee314c38b9c808471676764ce13640cc285007e5dd2da07583566ae5e647650f97035e5cdbc6ec2345a4d5dac70da5ae09104e2

Download Submit
C:\Program Files\7-Zip\7zFM.cab

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

Filesize
232KB

MD5
6f3fdb315da8f6e01296949c9bf30be2

SHA1
1dadcb468edecabd88e4f622f9dc7da573cc10b6

SHA256
0520048926be2a6429d791805fa7e7bce64a0cb43514f5b3bac8e8a01907f83d

SHA512
ba5c08c874ea5aa6d2f36406dd2a875eb37f16e718ccaeef0172e92a91fb6d9d4912647fa7b34c5c0c2686f745cc1d22a173e60405cff9378542277e63348eb6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab

Filesize
118KB

MD5
f45a7db6aec433fd579774dfdb3eaa89

SHA1
2f8773cc2b720143776a0909d19b98c4954b39cc

SHA256
2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a

SHA512
03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX806C.tmp

Filesize
224KB

MD5
a7524f00336baf8007adedebeb8687a7

SHA1
58b038d63ca3ef25df04844cd59be5fbb04331b7

SHA256
543f0693202db5f594a3f9af2806f61dfe00380f49e0a03e8be8805594660abc

SHA512
897b16c76744977b52a8c57e2c780af6f4a8c57dbd386b30215135caf0f7670f73eec2639b296377dee1caaffe931ab5cc17f1a78e2a3f558a0057782325f00c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab

Filesize
1.6MB

MD5
527e039ba9add8a7fac3a6bc30a6d476

SHA1
729a329265eda72cada039c1941e7c672addfc19

SHA256
4b8a72fc81b733ed2e6e70d4c5401f954002783dbf14927849ad579860780b94

SHA512
9e73e14e33a5f07a87e9c1fecfdaee09d1408471052aacfde3d1e877dad4d253b525ebefca6bddabc23cf81d8dcce0785aedcc2f135d171ecbb1feaeb922c449

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.cab

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
276KB

MD5
6f91594cf3e14d149a79dd28c6245e80

SHA1
c62026ea4ccb8a484a90d07940be8684412bfadb

SHA256
aa4e43bc85f74b9676dbb1bf4608676ca74ec5f352610577c6ec54ce55f6aaa1

SHA512
99b97e9961cb2d6ad45bcc3ab447eb0e117cca4eca6a3c43daccb5c27a434b79c23bc59922873bb2760e2691c4b92d6688e483eb71d29179e531fea0ffa48c6c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
332KB

MD5
9b56e8164f268a120ef33f6aee39a8ea

SHA1
362233dbb247e26d8a45211fa12224bc37c57dbe

SHA256
d86d3b1563206b5309115cfd459cee6c469d20b2eba54da72fc10360f6215801

SHA512
77001eda2695e97e25319732319c2bda4b670978a682549cb7ea29fe58886879e8d602bf3bca2b6ab2b71fa5d06f20c7336243dc56813a19697ad948c878ab7c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
276KB

MD5
7c91afb2853aa0322d3c848fcb066da5

SHA1
aea9823699d7e9bd43b7db7388bfa16453289054

SHA256
16e67ac83405837dbb0053099f38b472bbbed81e34b4cc1cb99b8e2713464398

SHA512
7c0db81e186d725d78523bba7b60d09ac03c4166fe1c0af05f4847f5bf6f14180ce37b43052e66d60b7a73e775793409c053fc534b14003d231f501adcf7b15f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.cab

Filesize
1020KB

MD5
b65d7344b0a7faa207d2e1a7adaafb60

SHA1
755ad15b1745b0e730d658d4a92e2b754425b7db

SHA256
f4b91fbbcba8a46eefe4965e4a24c6ede3decbd1fec96e141a1953173efd1c92

SHA512
f17ac73c2df7c73a31b11ce0f533d6db91bdb0cdeea653dcd52ac72c3cf28da0c236b79586ddc7a6c825fdd171290722f888465e776f12ac2cae75be82726b22

Download Submit