020362fe1e0b1bb14d7858e7290cf2b8c69602933921e49ffb684fdd9340e928

General

Target

NEAS.157f4dd280bac25d91450ddd086f95c0.exe
Size

987KB
MD5

157f4dd280bac25d91450ddd086f95c0
SHA1

def98872972513a04e01ad912f3f77ebe7bf2760
SHA256

020362fe1e0b1bb14d7858e7290cf2b8c69602933921e49ffb684fdd9340e928
SHA512

f35347bf457390f459e6edd4b09342c7fec133aececef35b9e5e98cbba19ead5ff7f51e356d9af30014177e720ccf221488e121a24c1c9fe1d85ea1dbf63748a
SSDEEP

24576:/1/aGLDCM4D8ay0MZo8//PT2N0K+bcpUBkGjc3JnBrzRV:wD8ay0MZoQPT2N0K+bcpUBkVND

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	peoqhn.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	NEAS.157f4dd280bac25d91450ddd086f95c0.exe
2252	NEAS.157f4dd280bac25d91450ddd086f95c0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\peoqhn.exe"	peoqhn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2756	2252	NEAS.157f4dd280bac25d91450ddd086f95c0.exe	29
PID 2252 wrote to memory of 2756	2252	NEAS.157f4dd280bac25d91450ddd086f95c0.exe	29
PID 2252 wrote to memory of 2756	2252	NEAS.157f4dd280bac25d91450ddd086f95c0.exe	29
PID 2252 wrote to memory of 2756	2252	NEAS.157f4dd280bac25d91450ddd086f95c0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.157f4dd280bac25d91450ddd086f95c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.157f4dd280bac25d91450ddd086f95c0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\ProgramData\peoqhn.exe
  "C:\ProgramData\peoqhn.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
987KB

MD5
df80440cc96b572c747552e1e2db36bd

SHA1
d9df4137d2f22d8ba5c696bb99394de9a48df526

SHA256
c5036f6499f40881bb7af40605253c32b61fab1a1be06a6a62a9d947850eef54

SHA512
ccebb4b4f955671666b1416132ce2fcbaddc357211887147e8a5444e3ebc7c9b56f0624919df5730bcfae77a470cb675c266a733bf524d35515b6fa663c487bf

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
0097732504850319971faed87f071fd4

SHA1
6f8bf40487719d18c54c85329ffc0346163e43db

SHA256
96e2cebea72e7205b4b0b53d67606ccbedd4e9eb34d852bed65bc89063541a48

SHA512
72af1a7e94544cb2b4a198713280823337a4cf4a7266320947a5b81ce4c41099c251ab86d94f753506328ad7750d3a0135d27af0ff5cf2147d01f3147d4448a7

Download Submit
C:\ProgramData\peoqhn.exe

Filesize
509KB

MD5
190203c0ed5c49f712b3bfa863cecd6b

SHA1
32fc7cd8a95a338139c48b2fac545627d60c1395

SHA256
e79e567d10676b5ada9470ff6b993c3392f0d4bfefe2441815d4e23c05ae175f

SHA512
dec61dfaf04260aad14809858db52e81360041464efd81a160ef1ab6339c2c3b66494c31bfe41420f1b33db9a8cb5b2e51a653e4c8709781fe99785934d78226

Download Submit
C:\ProgramData\peoqhn.exe

Filesize
509KB

MD5
190203c0ed5c49f712b3bfa863cecd6b

SHA1
32fc7cd8a95a338139c48b2fac545627d60c1395

SHA256
e79e567d10676b5ada9470ff6b993c3392f0d4bfefe2441815d4e23c05ae175f

SHA512
dec61dfaf04260aad14809858db52e81360041464efd81a160ef1ab6339c2c3b66494c31bfe41420f1b33db9a8cb5b2e51a653e4c8709781fe99785934d78226

Download Submit
C:\ProgramData\peoqhn.exe

Filesize
509KB

MD5
190203c0ed5c49f712b3bfa863cecd6b

SHA1
32fc7cd8a95a338139c48b2fac545627d60c1395

SHA256
e79e567d10676b5ada9470ff6b993c3392f0d4bfefe2441815d4e23c05ae175f

SHA512
dec61dfaf04260aad14809858db52e81360041464efd81a160ef1ab6339c2c3b66494c31bfe41420f1b33db9a8cb5b2e51a653e4c8709781fe99785934d78226

Download Submit
\ProgramData\peoqhn.exe

Filesize
509KB

MD5
190203c0ed5c49f712b3bfa863cecd6b

SHA1
32fc7cd8a95a338139c48b2fac545627d60c1395

SHA256
e79e567d10676b5ada9470ff6b993c3392f0d4bfefe2441815d4e23c05ae175f

SHA512
dec61dfaf04260aad14809858db52e81360041464efd81a160ef1ab6339c2c3b66494c31bfe41420f1b33db9a8cb5b2e51a653e4c8709781fe99785934d78226

Download Submit
\ProgramData\peoqhn.exe

Filesize
509KB

MD5
190203c0ed5c49f712b3bfa863cecd6b

SHA1
32fc7cd8a95a338139c48b2fac545627d60c1395

SHA256
e79e567d10676b5ada9470ff6b993c3392f0d4bfefe2441815d4e23c05ae175f

SHA512
dec61dfaf04260aad14809858db52e81360041464efd81a160ef1ab6339c2c3b66494c31bfe41420f1b33db9a8cb5b2e51a653e4c8709781fe99785934d78226

Download Submit
memory/2252-2-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2252-12-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2252-0-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2756-22-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2756-13-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2756-36-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2756-37-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2756-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2756-47-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2756-83-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2756-110-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads