0fcbe192138b8701b5ef78ffe6f8f1acbfadef3f09f65bfebc4009bd947e3c13

General

Target

NEAS.4298879a258591451825ccdc4f5415c0.exe
Size

208KB
MD5

4298879a258591451825ccdc4f5415c0
SHA1

ebc56c2e24db24fdaff4e71d428781f2180f4a87
SHA256

0fcbe192138b8701b5ef78ffe6f8f1acbfadef3f09f65bfebc4009bd947e3c13
SHA512

3ced5d9077600eb5d9374dfd4a4b715144c01776f9c0af607ff5b795fdbe9e7b7a8dcc973f9251e8b075e5d13a816df2d67896d36d7516a97a3d5a9355e7eb99
SSDEEP

3072:7cxf+PFBDQsgEbbrYuNbUI0hbgt+Xu9zc4NLthEjQT6j:rBDQ9EbgUvM11QEj1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2060	HVU.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	cmd.exe
3004	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\windows\system\HVU.exe	NEAS.4298879a258591451825ccdc4f5415c0.exe
File created	C:\windows\system\HVU.exe.bat	NEAS.4298879a258591451825ccdc4f5415c0.exe
File created	C:\windows\system\HVU.exe	NEAS.4298879a258591451825ccdc4f5415c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2468	NEAS.4298879a258591451825ccdc4f5415c0.exe
2060	HVU.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2468	NEAS.4298879a258591451825ccdc4f5415c0.exe
2468	NEAS.4298879a258591451825ccdc4f5415c0.exe
2060	HVU.exe
2060	HVU.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3004	2468	NEAS.4298879a258591451825ccdc4f5415c0.exe	28
PID 2468 wrote to memory of 3004	2468	NEAS.4298879a258591451825ccdc4f5415c0.exe	28
PID 2468 wrote to memory of 3004	2468	NEAS.4298879a258591451825ccdc4f5415c0.exe	28
PID 2468 wrote to memory of 3004	2468	NEAS.4298879a258591451825ccdc4f5415c0.exe	28
PID 3004 wrote to memory of 2060	3004	cmd.exe	30
PID 3004 wrote to memory of 2060	3004	cmd.exe	30
PID 3004 wrote to memory of 2060	3004	cmd.exe	30
PID 3004 wrote to memory of 2060	3004	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.4298879a258591451825ccdc4f5415c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4298879a258591451825ccdc4f5415c0.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\HVU.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\windows\system\HVU.exe
    C:\windows\system\HVU.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HVU.exe

Filesize
208KB

MD5
58b53ad96a68ced6ed3801568b858e47

SHA1
22cca08ab0d630dfc563ad96d24159bcd3077590

SHA256
cfedbd3caff0f9284f89f6f70c3a2fda8ecbc4f3e2e87218875a4c07964cd7b3

SHA512
702ae1c4ece3199c9c5b7ca13d3ff0ebdd217c4890f911e63a469536a7cb2eb7f1f5930a975993a2b7f62c04bac6f27c00c66f849974a810875a4b2cdae5cc57

Download Submit
C:\Windows\system\HVU.exe.bat

Filesize
66B

MD5
ce1c785faedf329de5bb7c182eeabc8e

SHA1
e49a365c3c8997a5a7f378cb55c69685ced24295

SHA256
9d00e53164ae15343dde2bd0a55b557aec03d3fa443ae206ad5e7467b9194dbe

SHA512
e4c3a7a3e1e9637c1d50ddb73679f6e4fa1c63718c121893a0b3c8550384d0885d2dcb271c659a93447fcf80fbc1535dc978a1acbfb51754a4bb810b92a7c75d

Download Submit
C:\windows\system\HVU.exe

Filesize
208KB

MD5
58b53ad96a68ced6ed3801568b858e47

SHA1
22cca08ab0d630dfc563ad96d24159bcd3077590

SHA256
cfedbd3caff0f9284f89f6f70c3a2fda8ecbc4f3e2e87218875a4c07964cd7b3

SHA512
702ae1c4ece3199c9c5b7ca13d3ff0ebdd217c4890f911e63a469536a7cb2eb7f1f5930a975993a2b7f62c04bac6f27c00c66f849974a810875a4b2cdae5cc57

Download Submit
C:\windows\system\HVU.exe.bat

Filesize
66B

MD5
ce1c785faedf329de5bb7c182eeabc8e

SHA1
e49a365c3c8997a5a7f378cb55c69685ced24295

SHA256
9d00e53164ae15343dde2bd0a55b557aec03d3fa443ae206ad5e7467b9194dbe

SHA512
e4c3a7a3e1e9637c1d50ddb73679f6e4fa1c63718c121893a0b3c8550384d0885d2dcb271c659a93447fcf80fbc1535dc978a1acbfb51754a4bb810b92a7c75d

Download Submit
\Windows\system\HVU.exe

Filesize
208KB

MD5
58b53ad96a68ced6ed3801568b858e47

SHA1
22cca08ab0d630dfc563ad96d24159bcd3077590

SHA256
cfedbd3caff0f9284f89f6f70c3a2fda8ecbc4f3e2e87218875a4c07964cd7b3

SHA512
702ae1c4ece3199c9c5b7ca13d3ff0ebdd217c4890f911e63a469536a7cb2eb7f1f5930a975993a2b7f62c04bac6f27c00c66f849974a810875a4b2cdae5cc57

Download Submit
\Windows\system\HVU.exe

Filesize
208KB

MD5
58b53ad96a68ced6ed3801568b858e47

SHA1
22cca08ab0d630dfc563ad96d24159bcd3077590

SHA256
cfedbd3caff0f9284f89f6f70c3a2fda8ecbc4f3e2e87218875a4c07964cd7b3

SHA512
702ae1c4ece3199c9c5b7ca13d3ff0ebdd217c4890f911e63a469536a7cb2eb7f1f5930a975993a2b7f62c04bac6f27c00c66f849974a810875a4b2cdae5cc57

Download Submit
memory/2060-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2060-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2468-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2468-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3004-17-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing