020362fe1e0b1bb14d7858e7290cf2b8c69602933921e49ffb684fdd9340e928

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.157f4dd280bac25d91450ddd086f95c0.exe
Size

987KB
MD5

157f4dd280bac25d91450ddd086f95c0
SHA1

def98872972513a04e01ad912f3f77ebe7bf2760
SHA256

020362fe1e0b1bb14d7858e7290cf2b8c69602933921e49ffb684fdd9340e928
SHA512

f35347bf457390f459e6edd4b09342c7fec133aececef35b9e5e98cbba19ead5ff7f51e356d9af30014177e720ccf221488e121a24c1c9fe1d85ea1dbf63748a
SSDEEP

24576:/1/aGLDCM4D8ay0MZo8//PT2N0K+bcpUBkGjc3JnBrzRV:wD8ay0MZoQPT2N0K+bcpUBkVND

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3848	jooal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\jooal.exe"	jooal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 3848	4424	NEAS.157f4dd280bac25d91450ddd086f95c0.exe	86
PID 4424 wrote to memory of 3848	4424	NEAS.157f4dd280bac25d91450ddd086f95c0.exe	86
PID 4424 wrote to memory of 3848	4424	NEAS.157f4dd280bac25d91450ddd086f95c0.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.157f4dd280bac25d91450ddd086f95c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.157f4dd280bac25d91450ddd086f95c0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4424
- C:\ProgramData\jooal.exe
  "C:\ProgramData\jooal.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
987KB

MD5
9624525cbbf8add33228da9a286108fe

SHA1
332a954de4efb32285c1514905f9c3281abdb484

SHA256
1f61a86255fd201629b0d129a6a4ba69271945e5b77a103fa8b26bfc0d953c62

SHA512
514bd1d33fd49594480695454fe2623ce9a3a7c37e2293c0aae93b134901d00cd401c3e93c1f29c91d4aa01d4bbc42bc1352ff2a941d01afb09bf5a1fe8973f2

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
0097732504850319971faed87f071fd4

SHA1
6f8bf40487719d18c54c85329ffc0346163e43db

SHA256
96e2cebea72e7205b4b0b53d67606ccbedd4e9eb34d852bed65bc89063541a48

SHA512
72af1a7e94544cb2b4a198713280823337a4cf4a7266320947a5b81ce4c41099c251ab86d94f753506328ad7750d3a0135d27af0ff5cf2147d01f3147d4448a7

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
0097732504850319971faed87f071fd4

SHA1
6f8bf40487719d18c54c85329ffc0346163e43db

SHA256
96e2cebea72e7205b4b0b53d67606ccbedd4e9eb34d852bed65bc89063541a48

SHA512
72af1a7e94544cb2b4a198713280823337a4cf4a7266320947a5b81ce4c41099c251ab86d94f753506328ad7750d3a0135d27af0ff5cf2147d01f3147d4448a7

Download Submit
C:\ProgramData\jooal.exe

Filesize
509KB

MD5
190203c0ed5c49f712b3bfa863cecd6b

SHA1
32fc7cd8a95a338139c48b2fac545627d60c1395

SHA256
e79e567d10676b5ada9470ff6b993c3392f0d4bfefe2441815d4e23c05ae175f

SHA512
dec61dfaf04260aad14809858db52e81360041464efd81a160ef1ab6339c2c3b66494c31bfe41420f1b33db9a8cb5b2e51a653e4c8709781fe99785934d78226

Download Submit
C:\ProgramData\jooal.exe

Filesize
509KB

MD5
190203c0ed5c49f712b3bfa863cecd6b

SHA1
32fc7cd8a95a338139c48b2fac545627d60c1395

SHA256
e79e567d10676b5ada9470ff6b993c3392f0d4bfefe2441815d4e23c05ae175f

SHA512
dec61dfaf04260aad14809858db52e81360041464efd81a160ef1ab6339c2c3b66494c31bfe41420f1b33db9a8cb5b2e51a653e4c8709781fe99785934d78226

Download Submit
memory/3848-38-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3848-42-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3848-73-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3848-195-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4424-0-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/4424-8-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads