b4919ff881c789de532dfa1bf3ece92dfb7cf49d1d7ae961dfdaf4cfe68d2659

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ceb94cda69c5e27157208d9fff9a9d40.exe
Size

343KB
MD5

ceb94cda69c5e27157208d9fff9a9d40
SHA1

284a5277a4567bca9e3f231c91c6cb445f41d7ff
SHA256

b4919ff881c789de532dfa1bf3ece92dfb7cf49d1d7ae961dfdaf4cfe68d2659
SHA512

deb9e60035ccbbc3a1b5d41ef226e2fa83aa6a66a27533817ecb8a4602283844dbe1bb65ea297aa2f188b0b2e4b7d1dd58ec9e11e4fc70bb2b3e3eeab825879e
SSDEEP

6144:S5FrtlrIiswtAyxmbeoYRMHpeW+5GZhgNhHgwNWdVot:SHrtqi3trxg4uHJXZhgNhHg/dc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2992	Sysceamswnso.exe

Loads dropped DLL 2 IoCs

pid	Process
1264	NEAS.ceb94cda69c5e27157208d9fff9a9d40.exe
1264	NEAS.ceb94cda69c5e27157208d9fff9a9d40.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe
2992	Sysceamswnso.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 2992	1264	NEAS.ceb94cda69c5e27157208d9fff9a9d40.exe	28
PID 1264 wrote to memory of 2992	1264	NEAS.ceb94cda69c5e27157208d9fff9a9d40.exe	28
PID 1264 wrote to memory of 2992	1264	NEAS.ceb94cda69c5e27157208d9fff9a9d40.exe	28
PID 1264 wrote to memory of 2992	1264	NEAS.ceb94cda69c5e27157208d9fff9a9d40.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.ceb94cda69c5e27157208d9fff9a9d40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ceb94cda69c5e27157208d9fff9a9d40.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\Sysceamswnso.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamswnso.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysceamswnso.exe

Filesize
343KB

MD5
bdf5b522d4c676b9166e442e0ac92990

SHA1
9df895bc47c7c397c35b21c5b3ee5e7a2d772220

SHA256
41e2211152cc9bc63ddc8b0577909da7fd9d84b645b0d310a3979d935aaaf5cc

SHA512
6d30db8e162d4f89d90264db3e9f772bea4bc3994976464b6bb2db96a2b9ce8f53243b340128c299156b308e3ee12329f65ef238b8b4096e3423c8d7204f1be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamswnso.exe

Filesize
343KB

MD5
bdf5b522d4c676b9166e442e0ac92990

SHA1
9df895bc47c7c397c35b21c5b3ee5e7a2d772220

SHA256
41e2211152cc9bc63ddc8b0577909da7fd9d84b645b0d310a3979d935aaaf5cc

SHA512
6d30db8e162d4f89d90264db3e9f772bea4bc3994976464b6bb2db96a2b9ce8f53243b340128c299156b308e3ee12329f65ef238b8b4096e3423c8d7204f1be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamswnso.exe

Filesize
343KB

MD5
bdf5b522d4c676b9166e442e0ac92990

SHA1
9df895bc47c7c397c35b21c5b3ee5e7a2d772220

SHA256
41e2211152cc9bc63ddc8b0577909da7fd9d84b645b0d310a3979d935aaaf5cc

SHA512
6d30db8e162d4f89d90264db3e9f772bea4bc3994976464b6bb2db96a2b9ce8f53243b340128c299156b308e3ee12329f65ef238b8b4096e3423c8d7204f1be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
75B

MD5
4473550fde5489e1fc14543f768f2f1e

SHA1
025896cb6b861395498724e9667e3b2228a6dfa6

SHA256
95f969cd15694b967113fa73bb7a644611f3f3e62e387b1a9532b69c473bed17

SHA512
696d39ab702c56e7458f3539e22470e102bd57562dcacc2129db977ed5035d0d983b3322b24c0642eb2a90db58825116adc1410a5957278e7d8e858e7a5baf33

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamswnso.exe

Filesize
343KB

MD5
bdf5b522d4c676b9166e442e0ac92990

SHA1
9df895bc47c7c397c35b21c5b3ee5e7a2d772220

SHA256
41e2211152cc9bc63ddc8b0577909da7fd9d84b645b0d310a3979d935aaaf5cc

SHA512
6d30db8e162d4f89d90264db3e9f772bea4bc3994976464b6bb2db96a2b9ce8f53243b340128c299156b308e3ee12329f65ef238b8b4096e3423c8d7204f1be6

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamswnso.exe

Filesize
343KB

MD5
bdf5b522d4c676b9166e442e0ac92990

SHA1
9df895bc47c7c397c35b21c5b3ee5e7a2d772220

SHA256
41e2211152cc9bc63ddc8b0577909da7fd9d84b645b0d310a3979d935aaaf5cc

SHA512
6d30db8e162d4f89d90264db3e9f772bea4bc3994976464b6bb2db96a2b9ce8f53243b340128c299156b308e3ee12329f65ef238b8b4096e3423c8d7204f1be6

Download Submit