Analysis
max time kernel: 150s
max time network: 128s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 13/10/2023, 20:02
Behavioral task: behavioral1
Sample: NEAS.2128d65eea52936c695b39b8b54303d0.exe
Resource: win7-20230831-en
General
Target: NEAS.2128d65eea52936c695b39b8b54303d0.exe
Size: 484KB
MD5: 2128d65eea52936c695b39b8b54303d0
SHA1: f2afc7542687cd63fef814f699ca1dfe356c9389
SHA256: aae96674a0b19705dc25eef5837517d6e4eb43d0785b5d6d234d0fb001f1a587
SHA512: 5071ec98ad8a24c78829e67c3eedeb38ccfcc317d2141443af616525050391622e437ea0ba683d1a34ffa33a263d1a01f19119d77e762ad21b3bbce46b6380cf
SSDEEP: 6144:KxBWeMRygxDLbHxlSBxzJb1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDq+t5:63MQIDKJPTq+Xxvo0U+d3s/fCX0a5
Malware Config
Extracted (urelas):
- 121.88.5.183
- 218.54.30.235
Signatures
- Deletes itself (1 IoC)
  pid 2784 cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 1676 wimoj.exe
  pid 2528 igbem.exe
- Loads dropped DLL (2 IoCs)
  pid 2600 NEAS.2128d65eea52936c695b39b8b54303d0.exe
  pid 1676 wimoj.exe
- YARA rule upx matched (18 resources)
  behavioral1/memory/2600-0-0x0000000000B30000-0x0000000000BD7000-memory.dmp
  behavioral1/files/0x002c000000015cb4-4.dat
  behavioral1/memory/2600-6-0x0000000002960000-0x0000000002A07000-memory.dmp
  behavioral1/files/0x002c000000015cb4-9.dat
  behavioral1/memory/2600-17-0x0000000000B30000-0x0000000000BD7000-memory.dmp
  behavioral1/memory/1676-20-0x0000000000860000-0x0000000000907000-memory.dmp
  behavioral1/files/0x0004000000004ed7-23.dat
  behavioral1/memory/1676-28-0x0000000000860000-0x0000000000907000-memory.dmp
  behavioral1/files/0x0004000000004ed7-27.dat
  behavioral1/memory/1676-25-0x0000000002E40000-0x0000000002EFA000-memory.dmp
  behavioral1/memory/2528-29-0x0000000001120000-0x00000000011DA000-memory.dmp
  behavioral1/memory/2528-{30..36}-0x0000000001120000-0x00000000011DA000-memory.dmp (seven further dumps of the same region)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2600 NEAS.2128d65eea52936c695b39b8b54303d0.exe
  pid 1676 wimoj.exe
  pid 2528 igbem.exe (all remaining hits)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2600 NEAS.2128d65eea52936c695b39b8b54303d0.exe wrote to memory of 1676 (procid_target 28), 4 calls
  PID 2600 NEAS.2128d65eea52936c695b39b8b54303d0.exe wrote to memory of 2784 (procid_target 29), 4 calls
  PID 1676 wimoj.exe wrote to memory of 2528 (procid_target 33), 4 calls
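The YARA hits above say only that the rule `upx` matched the dropped files and the memory dumps of all three processes. The structural check behind that kind of verdict, written here as an added example that is not part of the report or of any sandbox's code: parse the PE section table and look for the UPX layout, both by section name and by the shape UPX leaves behind (a section with no bytes on disk that is large and readable, writable and executable once mapped, the unpack target). `build_test_pe` is a constructed helper that emits a headers-only fake PE so the check runs offline; its section names and sizes are made up and are not taken from the sample.

```python
"""Structural UPX check on a PE section table. Added example, not from the report."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def pe_sections(data):
    """Return [(name, virtual_size, raw_size, characteristics), ...] or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table follows the optional header.
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    if table + nsec * SECTION_HDR.size > len(data):
        raise ValueError("section table truncated")
    out = []
    for i in range(nsec):
        name, vsize, _va, rsize, *_rest, chars = SECTION_HDR.unpack_from(
            data, table + i * SECTION_HDR.size)
        out.append((name.rstrip(b"\0"), vsize, rsize, chars))
    return out


def upx_verdict(data):
    """Flag UPX by section name, and by the hollow RWX unpack target even if renamed."""
    secs = pe_sections(data)
    named = [n for n, *_ in secs if n in UPX_NAMES]
    # UPX0 holds nothing on disk (raw size 0) but is mapped large and RWX so the
    # stub can decompress into it. A plain .bss is also raw-size 0 but is RW only.
    hollow_rwx = [n for n, vsize, rsize, ch in secs
                  if rsize == 0 and vsize > 0 and ch & RWX == RWX]
    return {
        "packed": bool(named) or bool(hollow_rwx),
        "upx_sections": named,
        "hollow_rwx_sections": hollow_rwx,
        "sections": [n for n, *_ in secs],
    }


def build_test_pe(sections):
    """Constructed headers-only PE32 image for offline testing (no real code)."""
    e_lfanew = 0x40
    opt_size = 0xE0  # PE32 optional header size; its contents do not matter here
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    hdrs = b"".join(
        SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                         rsize, 0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, vsize, rsize, chars) in enumerate(sections))
    return dos + b"PE\0\0" + file_hdr + b"\0" * opt_size + hdrs


if __name__ == "__main__":
    sample = build_test_pe([(b"UPX0", 0x30000, 0, RWX),
                            (b"UPX1", 0x1A000, 0x1A000, RWX),
                            (b".rsrc", 0x2000, 0x2000, IMAGE_SCN_MEM_READ | 0x40)])
    print(upx_verdict(sample))
```

The name check alone is what most quick triage does, and it is trivially defeated by renaming sections; the hollow RWX check catches the renamed case but will also fire on other packers that use the same trick, so treat it as "packed, inspect further" rather than "UPX".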
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.2128d65eea52936c695b39b8b54303d0.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.2128d65eea52936c695b39b8b54303d0.exe"
   PID: 2600
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\wimoj.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\wimoj.exe"
      PID: 1676
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\igbem.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\igbem.exe"
         PID: 2528
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
      PID: 2784
      - Deletes itself
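The WriteProcessMemory rows and the process tree above are the raw material a detection engineer works from. As an added example (not part of the report and not sandbox code), the script below collapses the repeated rows into parent/child edges, renders the tree, and flags the two things this chain does: execute an EXE dropped next to the parent image, and hand a batch file from that same directory to cmd.exe, which is how the sample deletes itself. The rows and command lines are copied from the report; `flag_dropper_chain` and its finding labels are my own, and the heuristic is "same directory as the parent image", not the report's signature logic.

```python
"""Rebuild a process tree from sandbox WriteProcessMemory rows and flag the
dropper chain (run a copy from %TEMP%, then self-delete via cmd.exe + .bat).
Added example; not part of the report or the sandbox."""
import ntpath
import re
from collections import defaultdict

# Constructed input copied from the report: one row per WriteProcessMemory
# call. The sandbox logs several calls per CreateProcess, hence the repeats.
WPM_ROWS = """
PID 2600 wrote to memory of 1676 2600 NEAS.2128d65eea52936c695b39b8b54303d0.exe 28
PID 2600 wrote to memory of 1676 2600 NEAS.2128d65eea52936c695b39b8b54303d0.exe 28
PID 2600 wrote to memory of 2784 2600 NEAS.2128d65eea52936c695b39b8b54303d0.exe 29
PID 2600 wrote to memory of 2784 2600 NEAS.2128d65eea52936c695b39b8b54303d0.exe 29
PID 1676 wrote to memory of 2528 1676 wimoj.exe 33
PID 1676 wrote to memory of 2528 1676 wimoj.exe 33
""".strip().splitlines()

# Constructed from the report's process list: pid -> command line.
CMDLINES = {
    2600: r'"C:\Users\Admin\AppData\Local\Temp\NEAS.2128d65eea52936c695b39b8b54303d0.exe"',
    1676: r'"C:\Users\Admin\AppData\Local\Temp\wimoj.exe"',
    2528: r'"C:\Users\Admin\AppData\Local\Temp\igbem.exe"',
    2784: r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "',
}

# "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_edges(rows):
    """Return {(parent_pid, child_pid): parent_image}; repeated calls collapse."""
    edges = {}
    for row in rows:
        m = ROW_RE.search(row)
        if m:
            edges[(int(m[1]), int(m[2]))] = m[3]
    return edges


def build_tree(edges):
    """Roots are parents that never appear as a child."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    parents = {p for p, _ in edges}
    kids = {c for _, c in edges}
    return sorted(parents - kids), children


def image_path(cmdline):
    """First token of a Windows command line, quotes stripped."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def render(pids, children, cmdlines, depth=0, out=None):
    """Indented text tree, one line per process."""
    out = [] if out is None else out
    for pid in pids:
        out.append("  " * depth + f"{pid} {image_path(cmdlines.get(pid, '?'))}")
        render(sorted(children.get(pid, [])), children, cmdlines, depth + 1, out)
    return out


def flag_dropper_chain(children, cmdlines):
    """(parent, child, reason) for a cmd.exe child running a .bat from the
    parent's directory, or an EXE child launched from that directory."""
    findings = []
    for parent, kids in children.items():
        pdir = ntpath.dirname(image_path(cmdlines.get(parent, ""))).lower()
        for child in kids:
            cl = cmdlines.get(child, "")
            cl_l = cl.lower()
            child_img = image_path(cl).lower()
            if cl_l.startswith("cmd") and ".bat" in cl_l and pdir and pdir in cl_l:
                findings.append((parent, child, "batch-file self-delete stub"))
            elif pdir and ntpath.dirname(child_img) == pdir and child_img.endswith(".exe"):
                findings.append((parent, child, "dropped EXE executed from the same directory"))
    return findings


if __name__ == "__main__":
    roots, children = build_tree(parse_edges(WPM_ROWS))
    print("\n".join(render(roots, children, CMDLINES)))
    for parent, child, why in flag_dropper_chain(children, CMDLINES):
        print(f"{parent} -> {child}: {why}")
```

On a real endpoint the same two rules would be written against process-creation telemetry (parent image, child image, child command line) rather than against sandbox rows; the parsing changes, the logic does not.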
Network
MITRE ATT&CK Enterprise v15
Downloads
- 287B (listed twice in the report)
  MD5: 085190a83c796ec4ae750fa40f950570
  SHA1: 9fd834adf35941bcd0b754c7135c95076609cc05
  SHA256: 26be5329163392f1b37089d7cfcbefc6001ce40458991ee5afc448229b439099
  SHA512: 83df415427403b0a075c18fb9ec70c6970663e49c7f44df9b58639cf6536e1e95e1b78677431e1f0fd3208aac5634e5c6bf1fe77d6ab604bbca242f23d47edb7
- 512B
  MD5: b4df75d9c681682e50ad8abb10466c0b
  SHA1: 208591109612cb0727618a4517091721f06f81d3
  SHA256: 4403e1338c675c8f305ed6b802eea3bfa2833ff2c8f7439b8e9a77d830a3778d
  SHA512: 1e19168bb4d2ab4e6839e5a5d6fd526889cda902d0addd2ae691e5cd94e75c13cf079bfe2fc26f8e45c72681afa87d1afa51fcbc3a1201b8e1522ec9b7ae58f3
- 243KB (listed twice in the report)
  MD5: 2e1972aef7815fb65fb0b1360cc6ae7d
  SHA1: 1c6512e67be17584bc2e2f5ea09decc7b111c9a8
  SHA256: 0b98a657509ec15051a2edebaf25cda9abab26e36f88d9a6c1fde770791f9bd6
  SHA512: a5f9e45509a924f721a5581ab911bdbbcb21e1c6e53d6b62ec6773e50596dbf68d5f7f7ccb1e23e46a5ca7531418d602a7c1d0f15c91ab9980d8f65793917970
- 484KB (listed twice in the report; same size as the submitted sample but a different hash)
  MD5: 2e9aa81b29d7684d44f91f55b92d5f3c
  SHA1: 3402350c8db076618bf1871ac89603af2c5d646c
  SHA256: c3ad339daab2448f8ea7cb37d3c2f0329f66ab9d3aa17cb7893427254afaa70c
  SHA512: 9766c712bc92f340dfeff154445eaa9a1309b58e84ad4dd2afa3085cb09bea470de69be4b3c6896ef50d469006bc8542b068e4d73ddd7162d0e7a4b97fbc6cbd