63aa248234533d28e4857aa3df9e55a3a877c8e0f054508189aedabb63ff2165

General

Target

NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
Size

1.5MB
MD5

7afff2b785bf0648b243446e35dabf19
SHA1

8acc9c0f792d2d92ccc74d766e01029468b61709
SHA256

63aa248234533d28e4857aa3df9e55a3a877c8e0f054508189aedabb63ff2165
SHA512

3f4300e14af49fcb1ea6615192c0bb7a61e2bd88d820828157679a766e8aa506f197e8b5dedd93ded78b5b187173d1dca2447a8918f0fd1faa07af812f7a2e88
SSDEEP

3072:rxv/y9LJ3tGXRvjxCb5NgXDY7uSlkJcUa7kYQTcqW2NdQQGH/UDhSCUc4aqTB8gw:VamlKgzelZNQSBQGH/CSpWqTdmQ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\H:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\K:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\L:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\G:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\I:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\J:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\M:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\N:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened (read-only)	\??\O:	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX5ED.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX5FD.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\readme.1xt	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX56C.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX59D.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\7-Zip\7z.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX55B.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX58C.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX5BD.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\7-Zip\7z.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\7-Zip\7zFM.cab	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File created	C:\Program Files\7-Zip\7zFM.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX54A.tmp	NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4304	3800	WerFault.exe	81

C:\Users\Admin\AppData\Local\Temp\NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7afff2b785bf0648b243446e35dabf19_JC.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 740
  2⤵
  - Program crash
  PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3800 -ip 3800
1⤵
PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.cab

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
96555ee5f7b5dcc300a84fdb46dc51ef

SHA1
b0378e67fe5291525103ccf2e49f0c7dc888e532

SHA256
1d2faac85bbd3d2822741f36f4bb414ee85938ff66a595b04272fe1ec80dd638

SHA512
68e8d466099c38b3751968b320c24a232f5b81b20a52b783892b91201facbfa3b0caf2d73257ab768d3ea9b6f367d1c0768afdff7a9b38f9a695e81522d22b40

Download Submit
C:\Program Files\7-Zip\7zFM.cab

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX5ED.tmp

Filesize
224KB

MD5
a7524f00336baf8007adedebeb8687a7

SHA1
58b038d63ca3ef25df04844cd59be5fbb04331b7

SHA256
543f0693202db5f594a3f9af2806f61dfe00380f49e0a03e8be8805594660abc

SHA512
897b16c76744977b52a8c57e2c780af6f4a8c57dbd386b30215135caf0f7670f73eec2639b296377dee1caaffe931ab5cc17f1a78e2a3f558a0057782325f00c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab

Filesize
2.1MB

MD5
b8d69fa2755c3ab1f12f8866a8e2a4f7

SHA1
8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d

SHA256
7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd

SHA512
5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18

Download Submit

Analysis

Sharing