Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-10-2023 20:33

General

  • Target

    NEAS.a5286233435ccb36498e3471e2d89cf0.exe

  • Size

    410KB

  • MD5

    a5286233435ccb36498e3471e2d89cf0

  • SHA1

    d63ec5915a67148f2a7df7f7032697b1ebe7b5a6

  • SHA256

    144e9dd08a106661f6d17b1d4c6909efa2744249ecd2a59341138ea5becf3444

  • SHA512

    e7e3508d0102d659c9f00b74ab50c820032410b23200c16c9331074a8eb1beafb6085a9752ccb7057b9fc121763dc2adb3ff5613cefc3de1070b215aa5c1f8b6

  • SSDEEP

    12288:CxIK9V14ImyHY8UslEHnvauZqb0dQYYrsOVweznq:CJEyY8UslEHnvafb0nYrBVwyq

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.a5286233435ccb36498e3471e2d89cf0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.a5286233435ccb36498e3471e2d89cf0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\ProgramData\cxjqy.exe
      "C:\ProgramData\cxjqy.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Documents and Settings .exe

    Filesize

    410KB

    MD5

    f45f92bd944450968c30629f181b3cda

    SHA1

    c50b4085c2ecaf88e598d59c5440e6626a077305

    SHA256

    071c2e8638f3f77e31fe7da96fbd1f8a8ad210c98eccc215e172c92fdca2c69a

    SHA512

    c6428d11df8f9177927e6748ad8b933ff4d087ee7cc4729334738abf85a9e548f4d1dfd985ac55ef420168219c48a7c5b968a2033cc450944bab3e33f11e8681

  • C:\ProgramData\Saaaalamm\Mira.h

    Filesize

    72KB

    MD5

    01637d94bb9cc8ea42e50b0f37bd28e4

    SHA1

    f0c94b8e86a8fd1940d4a3b75ebdcbd793a09718

    SHA256

    4956168a18d00165f1e0eda737821b1456707f76ecdf3b6b821078a460778302

    SHA512

    0539e0da657479e0b5a3d6d768898d5cc0d8be80b5a374f8442f079a0d7184e5ba2c653a6b223ff34021907117ed7398463c6e285fd66b80317e45156b6604fa

  • C:\ProgramData\Saaaalamm\Mira.h

    Filesize

    150KB

    MD5

    aef10b9ba25f907727558514f2dfbab0

    SHA1

    d67383ef1b23d4da72339d66de9541c2e1efaf53

    SHA256

    f5e77ddc706f6dffe056dc2f8a88adece36e0e4552bc70a85f36b1e01fe547ad

    SHA512

    5e607a70ca3fa489897f8df0c96570709839364cd8cabd5f76386dfff01ca2986d50c120cf82926dff950c7d7b6ec833ea7558b64ec8f0dfe2e5070abf1da103

  • C:\ProgramData\cxjqy.exe

    Filesize

    259KB

    MD5

    86b3a84ed2b5ccb12e41c74c1329c556

    SHA1

    059a0e05e2e579e6f10ffec66806f180debd5562

    SHA256

    3a91dbb8e5f401b92221da86602cff211db97cf42562626c4969bfcb3b4899b3

    SHA512

    a17c7e00fba5aff36862c4c289f15342a8be78e98b921dc7faf7e23d9e6f77a215f9018ea815c17158c71fe3c0863e383354a1e97bab53e639d8cbd2426df85b

  • \ProgramData\cxjqy.exe

    Filesize

    259KB

    MD5

    86b3a84ed2b5ccb12e41c74c1329c556

    SHA1

    059a0e05e2e579e6f10ffec66806f180debd5562

    SHA256

    3a91dbb8e5f401b92221da86602cff211db97cf42562626c4969bfcb3b4899b3

    SHA512

    a17c7e00fba5aff36862c4c289f15342a8be78e98b921dc7faf7e23d9e6f77a215f9018ea815c17158c71fe3c0863e383354a1e97bab53e639d8cbd2426df85b

  • memory/1044-86-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/1044-126-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/1044-193-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/2344-0-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

  • memory/2344-14-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

  • memory/2344-1-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB