Analysis
Max time kernel: 117s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20230831-en
Resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
Submitted: 13/10/2023, 20:37
Behavioral task: behavioral1
Sample: NEAS.bd711982026f3a86ef657bcfc639ca30.exe
Resource: win7-20230831-en
General
Target: NEAS.bd711982026f3a86ef657bcfc639ca30.exe
Size: 203KB
MD5: bd711982026f3a86ef657bcfc639ca30
SHA1: e2bd2b0dd4e8823e3a29679acefc54d2804190cb
SHA256: 33c550e7d8a526bf5fa92c9946a292769cb78d4f54b7221a6960740feaccc8eb
SHA512: 510bc867f1da1dbe7a31bcb5b7db9f43323388b1dc69125ba4144a363e862c4bd0bab7ae2b11702e343787b84889c03c654190c2fd213135db7cf02fc1313700
SSDEEP: 3072:DPijU4kcITkEnbBvByrEVoULptsdXfBo/DBJBGzkP9T:LijBkcITtnbBvnjLpSa/B
Malware Config
Extracted: urelas
121.88.5.183
218.54.28.139
Signatures

Deletes itself (1 IoCs)
  pid 2704  Process cmd.exe

Executes dropped EXE (1 IoCs)
  pid 2576  Process shoste.exe

Loads dropped DLL (1 IoCs)
  pid 2212  Process NEAS.bd711982026f3a86ef657bcfc639ca30.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                    procid_target
  PID 2212 wrote to memory of 2576   2212  NEAS.bd711982026f3a86ef657bcfc639ca30.exe  28
  PID 2212 wrote to memory of 2576   2212  NEAS.bd711982026f3a86ef657bcfc639ca30.exe  28
  PID 2212 wrote to memory of 2576   2212  NEAS.bd711982026f3a86ef657bcfc639ca30.exe  28
  PID 2212 wrote to memory of 2576   2212  NEAS.bd711982026f3a86ef657bcfc639ca30.exe  28
  PID 2212 wrote to memory of 2704   2212  NEAS.bd711982026f3a86ef657bcfc639ca30.exe  29
  PID 2212 wrote to memory of 2704   2212  NEAS.bd711982026f3a86ef657bcfc639ca30.exe  29
  PID 2212 wrote to memory of 2704   2212  NEAS.bd711982026f3a86ef657bcfc639ca30.exe  29
  PID 2212 wrote to memory of 2704   2212  NEAS.bd711982026f3a86ef657bcfc639ca30.exe  29
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.bd711982026f3a86ef657bcfc639ca30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.bd711982026f3a86ef657bcfc639ca30.exe"
  PID: 2212
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\shoste.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
    PID: 2576
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    PID: 2704
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 512B
MD5: f51c1462254f3bb8aa00201af0b0a030
SHA1: 60d3c892bb5c4f654c318451012f936d81164418
SHA256: 695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5
SHA512: 41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

Filesize: 284B
MD5: ec8c6027d576083934b133ef746f6a91
SHA1: c29c6728bddf5a06a3e922ad7edca09eb586a552
SHA256: a9e8324119f6d504c148e6ff00726c640a4fdc037185a63a7cf401be95e2dfe0
SHA512: 0a26fe53575fa2f53556ad97bc000aded5003dab82cb456b98bc3a98afdfee34ab0f6d5d2abadf8c124cce109dcdf627dc37ec7fa11db90295099ee1ed887311

Filesize: 203KB
MD5: 5e7c3643c3ef74bf400beff123e0263e
SHA1: 8e9d35c3b5dcc42a288d215aa0c2dde73cb10cac
SHA256: e51bb658dbe01033c0f0eb3942ef83ca23791e0a575322881b1bc210f98584ae
SHA512: 4c8fb1d48fac9c9bf97625e2ab5d4aad5a5d151e5c43466b26dc7b4d2c92133413ede9d4d033a5a2252c4597a838e3b2856c968953f464c394e0a1650457e718