93f6158deab32d58ba5472a0b0d0b3ba3308921cfe57daf07aa7587c3742a916

General

Target

NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe
Size

208KB
MD5

a4923011e734c3e77bdc7ba986e0a5fe
SHA1

b40502bbd1a29906ea0edaec8f7e0f50c73d2a83
SHA256

93f6158deab32d58ba5472a0b0d0b3ba3308921cfe57daf07aa7587c3742a916
SHA512

c5b6187fd4f2cadb602f296ef9d385c33c81437551266f36f6f3af949a9c1f6c7557745803cece7968080a7252c1a849866a5110fed1b611a9a9c9dde47f7e84
SSDEEP

3072:4qc2rO1/J6KbrAegkJ7RDdGkAPtaMBJ9iG6lPxC6Solo+1OcdNYnzfONqjj2S4NC:42rONJ60lRx4d/6brAc3YzhjTQEj1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	JDH.exe

Loads dropped DLL 2 IoCs

pid	Process
2180	cmd.exe
2180	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\JDH.exe	NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe
File opened for modification	C:\windows\SysWOW64\JDH.exe	NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe
File created	C:\windows\SysWOW64\JDH.exe.bat	NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2104	NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe
2720	JDH.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2104	NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe
2104	NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe
2720	JDH.exe
2720	JDH.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2180	2104	NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe	28
PID 2104 wrote to memory of 2180	2104	NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe	28
PID 2104 wrote to memory of 2180	2104	NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe	28
PID 2104 wrote to memory of 2180	2104	NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe	28
PID 2180 wrote to memory of 2720	2180	cmd.exe	30
PID 2180 wrote to memory of 2720	2180	cmd.exe	30
PID 2180 wrote to memory of 2720	2180	cmd.exe	30
PID 2180 wrote to memory of 2720	2180	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a4923011e734c3e77bdc7ba986e0a5fe_JC.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\JDH.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\windows\SysWOW64\JDH.exe
    C:\windows\system32\JDH.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\JDH.exe

Filesize
208KB

MD5
f1b8ff0612ce767293c463da880d6138

SHA1
37d3f171ff50a444ab4aacc3b8e3af7ee83a88d8

SHA256
ad895f83ce0147dd2585a07ff153c1c73b95c8c72a91fe0c01801a2eac896d7f

SHA512
0c2dcea411bd6b916c961a05f4cfce6fe16089765d0f09f635fe9810269c1c3f928ee030706079356431763e56e5770dca3b5555667d148b827fb9cf55f527af

Download Submit
C:\Windows\SysWOW64\JDH.exe.bat

Filesize
70B

MD5
fc19a5dcea385f6a540766606e03f4ae

SHA1
dfe0f04fee8039aedb41e366abf5d897ff077edb

SHA256
eea81ee02e26fed9a01a7e3d77dc4ee0e3d6eb7879602bda6964c90be5045586

SHA512
3102778c45682d85700ba583902246e43c026d4ad0eabd01b060a2dc8ef07ca402307830209c2f9cb6cfd71941fc19f5b34eb97ca40ebea266f417fd27f48efd

Download Submit
C:\windows\SysWOW64\JDH.exe

Filesize
208KB

MD5
f1b8ff0612ce767293c463da880d6138

SHA1
37d3f171ff50a444ab4aacc3b8e3af7ee83a88d8

SHA256
ad895f83ce0147dd2585a07ff153c1c73b95c8c72a91fe0c01801a2eac896d7f

SHA512
0c2dcea411bd6b916c961a05f4cfce6fe16089765d0f09f635fe9810269c1c3f928ee030706079356431763e56e5770dca3b5555667d148b827fb9cf55f527af

Download Submit
C:\windows\SysWOW64\JDH.exe.bat

Filesize
70B

MD5
fc19a5dcea385f6a540766606e03f4ae

SHA1
dfe0f04fee8039aedb41e366abf5d897ff077edb

SHA256
eea81ee02e26fed9a01a7e3d77dc4ee0e3d6eb7879602bda6964c90be5045586

SHA512
3102778c45682d85700ba583902246e43c026d4ad0eabd01b060a2dc8ef07ca402307830209c2f9cb6cfd71941fc19f5b34eb97ca40ebea266f417fd27f48efd

Download Submit
\Windows\SysWOW64\JDH.exe

Filesize
208KB

MD5
f1b8ff0612ce767293c463da880d6138

SHA1
37d3f171ff50a444ab4aacc3b8e3af7ee83a88d8

SHA256
ad895f83ce0147dd2585a07ff153c1c73b95c8c72a91fe0c01801a2eac896d7f

SHA512
0c2dcea411bd6b916c961a05f4cfce6fe16089765d0f09f635fe9810269c1c3f928ee030706079356431763e56e5770dca3b5555667d148b827fb9cf55f527af

Download Submit
\Windows\SysWOW64\JDH.exe

Filesize
208KB

MD5
f1b8ff0612ce767293c463da880d6138

SHA1
37d3f171ff50a444ab4aacc3b8e3af7ee83a88d8

SHA256
ad895f83ce0147dd2585a07ff153c1c73b95c8c72a91fe0c01801a2eac896d7f

SHA512
0c2dcea411bd6b916c961a05f4cfce6fe16089765d0f09f635fe9810269c1c3f928ee030706079356431763e56e5770dca3b5555667d148b827fb9cf55f527af

Download Submit
memory/2104-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2180-15-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download
memory/2180-18-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download
memory/2180-22-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download
memory/2720-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2720-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing