da5ad9339746d2bc31b85b9c607bee8aff6fceebe9f1c24e1d9a474b35e8fd71

General

Target

NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe
Size

208KB
MD5

51ba3b2fd5c1c28c2975790e50371b40
SHA1

ba5f99d9322f1891ce1fd6c06dc0500da0782b1f
SHA256

da5ad9339746d2bc31b85b9c607bee8aff6fceebe9f1c24e1d9a474b35e8fd71
SHA512

0cad42c313ffb0b8bd21f016394bd0c9f3e0e80a71318796cc2fc077c633182dcbbb0394d2a0e6fbe99fcde85e39b88c516526b803376d9da7f1920241bf54a7
SSDEEP

3072:Pe7iOsyAvZnZonpwRRc3hyJZ2eDi4F3HQ47JrU4MrUT2yecHlFvwEfuJfc4NLthC:ssyAvZrnJZ2g3wmZhRSyeyAANQEj1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	MPFEZDX.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	cmd.exe
2756	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\system\MPFEZDX.exe.bat	NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe
File created	C:\windows\system\MPFEZDX.exe	NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe
File opened for modification	C:\windows\system\MPFEZDX.exe	NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2768	NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe
2696	MPFEZDX.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2768	NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe
2768	NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe
2696	MPFEZDX.exe
2696	MPFEZDX.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2756	2768	NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe	28
PID 2768 wrote to memory of 2756	2768	NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe	28
PID 2768 wrote to memory of 2756	2768	NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe	28
PID 2768 wrote to memory of 2756	2768	NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe	28
PID 2756 wrote to memory of 2696	2756	cmd.exe	30
PID 2756 wrote to memory of 2696	2756	cmd.exe	30
PID 2756 wrote to memory of 2696	2756	cmd.exe	30
PID 2756 wrote to memory of 2696	2756	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.51ba3b2fd5c1c28c2975790e50371b40.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\MPFEZDX.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\windows\system\MPFEZDX.exe
    C:\windows\system\MPFEZDX.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\MPFEZDX.exe

Filesize
208KB

MD5
4cbccfe403a91ca3ec9fc620856d6fcd

SHA1
b87d12c85a31633eac9eed39a018e5f71733427f

SHA256
d7e279b1eee279fe271170f38f9d907b373a355fbae1cc48767dffcd733bcc7a

SHA512
a809789be6b6f955d093119da58aeb43fae31f88ffc5efb1b4a80a593d20eccc60c81ade89a805046380631552a54d87d1697b748bf2a6c96d4e11754181c466

Download Submit
C:\Windows\system\MPFEZDX.exe.bat

Filesize
74B

MD5
1ebe514cda3b1262906fe9bda08f0e7c

SHA1
cf0eba03228728a12c45d131c68da9b2c768ca32

SHA256
a9d9c22d463ce0c291c35566174c93405084f186b02053c3df6b0a7dd7cec484

SHA512
8ab66f818cee0267690770a5cece1b89ac82a662196d9265dcb7d7741f24dca9af3da7c589bbe7ddcc662d32b14cf61fac1e13b6fbf920e105af0f26a5b2c5c3

Download Submit
C:\windows\system\MPFEZDX.exe

Filesize
208KB

MD5
4cbccfe403a91ca3ec9fc620856d6fcd

SHA1
b87d12c85a31633eac9eed39a018e5f71733427f

SHA256
d7e279b1eee279fe271170f38f9d907b373a355fbae1cc48767dffcd733bcc7a

SHA512
a809789be6b6f955d093119da58aeb43fae31f88ffc5efb1b4a80a593d20eccc60c81ade89a805046380631552a54d87d1697b748bf2a6c96d4e11754181c466

Download Submit
C:\windows\system\MPFEZDX.exe.bat

Filesize
74B

MD5
1ebe514cda3b1262906fe9bda08f0e7c

SHA1
cf0eba03228728a12c45d131c68da9b2c768ca32

SHA256
a9d9c22d463ce0c291c35566174c93405084f186b02053c3df6b0a7dd7cec484

SHA512
8ab66f818cee0267690770a5cece1b89ac82a662196d9265dcb7d7741f24dca9af3da7c589bbe7ddcc662d32b14cf61fac1e13b6fbf920e105af0f26a5b2c5c3

Download Submit
\Windows\system\MPFEZDX.exe

Filesize
208KB

MD5
4cbccfe403a91ca3ec9fc620856d6fcd

SHA1
b87d12c85a31633eac9eed39a018e5f71733427f

SHA256
d7e279b1eee279fe271170f38f9d907b373a355fbae1cc48767dffcd733bcc7a

SHA512
a809789be6b6f955d093119da58aeb43fae31f88ffc5efb1b4a80a593d20eccc60c81ade89a805046380631552a54d87d1697b748bf2a6c96d4e11754181c466

Download Submit
\Windows\system\MPFEZDX.exe

Filesize
208KB

MD5
4cbccfe403a91ca3ec9fc620856d6fcd

SHA1
b87d12c85a31633eac9eed39a018e5f71733427f

SHA256
d7e279b1eee279fe271170f38f9d907b373a355fbae1cc48767dffcd733bcc7a

SHA512
a809789be6b6f955d093119da58aeb43fae31f88ffc5efb1b4a80a593d20eccc60c81ade89a805046380631552a54d87d1697b748bf2a6c96d4e11754181c466

Download Submit
memory/2696-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2696-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2768-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2768-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing