0d08d283fffdb272d919d7395002b79cc1aaf7b0b77449c34cab7ebaf31bdb64

General

Target

NEAS.NEAS1793005e5bb5f4165dbfabe1f593d6cdexe_JC.exe
Size

987KB
MD5

1793005e5bb5f4165dbfabe1f593d6cd
SHA1

6cc266d42809a22c923a4a6085a8a6a1c4671dfe
SHA256

0d08d283fffdb272d919d7395002b79cc1aaf7b0b77449c34cab7ebaf31bdb64
SHA512

7fafcff9cb95ae085ae28f34eba232aaac9b27b55a1fa45c8616d933a8a29142b07d83986bac7b49dc67cff3539e531d3b4145e61d887c0920707ec28a5884c5
SSDEEP

24576:/1/aGLDCM4D8ay0MZo8//67jPped/cUaMo4AvrnVtqIk8R:wD8ay0MZobf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2676	gshca.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	NEAS.NEAS1793005e5bb5f4165dbfabe1f593d6cdexe_JC.exe
1728	NEAS.NEAS1793005e5bb5f4165dbfabe1f593d6cdexe_JC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\gshca.exe"	gshca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2676	1728	NEAS.NEAS1793005e5bb5f4165dbfabe1f593d6cdexe_JC.exe	28
PID 1728 wrote to memory of 2676	1728	NEAS.NEAS1793005e5bb5f4165dbfabe1f593d6cdexe_JC.exe	28
PID 1728 wrote to memory of 2676	1728	NEAS.NEAS1793005e5bb5f4165dbfabe1f593d6cdexe_JC.exe	28
PID 1728 wrote to memory of 2676	1728	NEAS.NEAS1793005e5bb5f4165dbfabe1f593d6cdexe_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS1793005e5bb5f4165dbfabe1f593d6cdexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS1793005e5bb5f4165dbfabe1f593d6cdexe_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728
- C:\ProgramData\gshca.exe
  "C:\ProgramData\gshca.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
987KB

MD5
5784a262d61054d77bd54022b0bc5a12

SHA1
f5b77ece6b05c5795f48493b4aa7d5ff9b3fa151

SHA256
225d21fed9894bb857a8a7d92ab15c55dd64856fed444135aa298278140feb36

SHA512
dc54aed86f63bcd7fd46a97ba7e4e13f03a190cfabc21ec7f587055212c07294d49edbf841993cd9cf8e626eb6d9c9f9649bbff1e99b33b696297101c664dd97

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
0097732504850319971faed87f071fd4

SHA1
6f8bf40487719d18c54c85329ffc0346163e43db

SHA256
96e2cebea72e7205b4b0b53d67606ccbedd4e9eb34d852bed65bc89063541a48

SHA512
72af1a7e94544cb2b4a198713280823337a4cf4a7266320947a5b81ce4c41099c251ab86d94f753506328ad7750d3a0135d27af0ff5cf2147d01f3147d4448a7

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
0097732504850319971faed87f071fd4

SHA1
6f8bf40487719d18c54c85329ffc0346163e43db

SHA256
96e2cebea72e7205b4b0b53d67606ccbedd4e9eb34d852bed65bc89063541a48

SHA512
72af1a7e94544cb2b4a198713280823337a4cf4a7266320947a5b81ce4c41099c251ab86d94f753506328ad7750d3a0135d27af0ff5cf2147d01f3147d4448a7

Download Submit
C:\ProgramData\gshca.exe

Filesize
509KB

MD5
963f878a7817d7ac43536d4d76ab8e75

SHA1
f2822aede178506ea3ac0eeed5db5ff8ff5a11f4

SHA256
f05988ec8027b15339faf871d43284290e60f19ec1192142fd56e6dff4f20ae0

SHA512
9e5abbae3718a523377824a86a4f15df682a9ab3d729f175e26b878f661fad541fd7c852b3e5b42065b63014202d3dabf4c98c1e99ca2295cb49e1eb542e4491

Download Submit
C:\ProgramData\gshca.exe

Filesize
509KB

MD5
963f878a7817d7ac43536d4d76ab8e75

SHA1
f2822aede178506ea3ac0eeed5db5ff8ff5a11f4

SHA256
f05988ec8027b15339faf871d43284290e60f19ec1192142fd56e6dff4f20ae0

SHA512
9e5abbae3718a523377824a86a4f15df682a9ab3d729f175e26b878f661fad541fd7c852b3e5b42065b63014202d3dabf4c98c1e99ca2295cb49e1eb542e4491

Download Submit
C:\ProgramData\gshca.exe

Filesize
509KB

MD5
963f878a7817d7ac43536d4d76ab8e75

SHA1
f2822aede178506ea3ac0eeed5db5ff8ff5a11f4

SHA256
f05988ec8027b15339faf871d43284290e60f19ec1192142fd56e6dff4f20ae0

SHA512
9e5abbae3718a523377824a86a4f15df682a9ab3d729f175e26b878f661fad541fd7c852b3e5b42065b63014202d3dabf4c98c1e99ca2295cb49e1eb542e4491

Download Submit
\ProgramData\gshca.exe

Filesize
509KB

MD5
963f878a7817d7ac43536d4d76ab8e75

SHA1
f2822aede178506ea3ac0eeed5db5ff8ff5a11f4

SHA256
f05988ec8027b15339faf871d43284290e60f19ec1192142fd56e6dff4f20ae0

SHA512
9e5abbae3718a523377824a86a4f15df682a9ab3d729f175e26b878f661fad541fd7c852b3e5b42065b63014202d3dabf4c98c1e99ca2295cb49e1eb542e4491

Download Submit
\ProgramData\gshca.exe

Filesize
509KB

MD5
963f878a7817d7ac43536d4d76ab8e75

SHA1
f2822aede178506ea3ac0eeed5db5ff8ff5a11f4

SHA256
f05988ec8027b15339faf871d43284290e60f19ec1192142fd56e6dff4f20ae0

SHA512
9e5abbae3718a523377824a86a4f15df682a9ab3d729f175e26b878f661fad541fd7c852b3e5b42065b63014202d3dabf4c98c1e99ca2295cb49e1eb542e4491

Download Submit
memory/1728-13-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1728-0-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2676-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2676-154-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2676-250-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads