Overview

overview

9

Static

static

3

NEAS.f1bbf...50.exe

windows7-x64

9

NEAS.f1bbf...50.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2023, 08:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.f1bbfb1244664890886c4856cf8f1a50.exe

  • Size

    194KB

  • MD5

    f1bbfb1244664890886c4856cf8f1a50

  • SHA1

    75629c39a63ade301f7280e0c911bc4e3276885e

  • SHA256

    5e31001ae72f205d6e529f3f4d0347867176b1ef500307aa0a9ec5977502bee4

  • SHA512

    e7ba58a9107686903e2b6b5fbb9ba5b775f7bf7a4c5c3123fe34643cc9022f3aab9741e02aefea09a41c1d12135c475b0827013b2c5f8f6ae4f2bbb3d991dc4f

  • SSDEEP

    3072:6e7WpmSWfE9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2Ex1:RqgSWc95pK7ShcHUaq

Score
9/10
ransomware

Malware Config

Signatures

  • Renames multiple (229) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.f1bbfb1244664890886c4856cf8f1a50.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.f1bbfb1244664890886c4856cf8f1a50.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Users\Admin\AppData\Local\Temp\_clist.exe
      "_clist.exe"
      2⤵
      • Executes dropped EXE
      PID:2636
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2188

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-2180306848-1874213455-4093218721-1000\desktop.ini.tmp
          Filesize

          51KB

          MD5

          21c975831bed9b49265634408743bb38

          SHA1

          cbe6caeae7ea07cd80077608de77a935017a19d0

          SHA256

          735562cc4bad99d53361f94732faf7b135a25ac3edbb6eb1e8448ac725425c10

          SHA512

          84cfc15893f91da763e3fa34a5a594a7bc162f3b4646ced2f827eab50ed1a2c701aa09cef513df0acb15c5ea702e44c2e6fe9fb82478f513e870445d206ad018

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_clist.exe
          Filesize

          143KB

          MD5

          b27ea830fb39bc056e65f9a2260ae216

          SHA1

          b69e40ee5cabe0721d2d1e9fbdd4088fd87592d6

          SHA256

          fb7fab836f744d669451dcd38aa7d2a9c74c6af893c258d079439b58abce70d8

          SHA512

          22cad79d90a949174828ee5e3ce621113591c7c991c55c1a6a44a4555002adeb3bcbd9bab6cfbbfdefd663b76ac2dae96d70a01c527b312c7e8d223334a30219

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_clist.exe
          Filesize

          143KB

          MD5

          b27ea830fb39bc056e65f9a2260ae216

          SHA1

          b69e40ee5cabe0721d2d1e9fbdd4088fd87592d6

          SHA256

          fb7fab836f744d669451dcd38aa7d2a9c74c6af893c258d079439b58abce70d8

          SHA512

          22cad79d90a949174828ee5e3ce621113591c7c991c55c1a6a44a4555002adeb3bcbd9bab6cfbbfdefd663b76ac2dae96d70a01c527b312c7e8d223334a30219

          Download Submit

        • C:\Windows\SysWOW64\Zombie.exe
          Filesize

          50KB

          MD5

          c209291356e538a49ff5952f123f6771

          SHA1

          eea21f3861860d0cbf1920752b964eb67dba7160

          SHA256

          a4121425a5e9fec3d82244866e6fa713581dfe6ec621df9c269377e6e8e3bfd6

          SHA512

          ae1a508a1180cb6ea85e6a43b7c664b23a031f98cbc78ead67a87446abd8d486c99a60215e11eecd3d238faf2caf11c363529c8e0b4e49717e4c23ea38033e98

          Download Submit

        • C:\Windows\SysWOW64\Zombie.exe
          Filesize

          50KB

          MD5

          c209291356e538a49ff5952f123f6771

          SHA1

          eea21f3861860d0cbf1920752b964eb67dba7160

          SHA256

          a4121425a5e9fec3d82244866e6fa713581dfe6ec621df9c269377e6e8e3bfd6

          SHA512

          ae1a508a1180cb6ea85e6a43b7c664b23a031f98cbc78ead67a87446abd8d486c99a60215e11eecd3d238faf2caf11c363529c8e0b4e49717e4c23ea38033e98

          Download Submit

        • C:\Windows\SysWOW64\Zombie.exe
          Filesize

          50KB

          MD5

          c209291356e538a49ff5952f123f6771

          SHA1

          eea21f3861860d0cbf1920752b964eb67dba7160

          SHA256

          a4121425a5e9fec3d82244866e6fa713581dfe6ec621df9c269377e6e8e3bfd6

          SHA512

          ae1a508a1180cb6ea85e6a43b7c664b23a031f98cbc78ead67a87446abd8d486c99a60215e11eecd3d238faf2caf11c363529c8e0b4e49717e4c23ea38033e98

          Download Submit

        • \Users\Admin\AppData\Local\Temp\_clist.exe
          Filesize

          143KB

          MD5

          b27ea830fb39bc056e65f9a2260ae216

          SHA1

          b69e40ee5cabe0721d2d1e9fbdd4088fd87592d6

          SHA256

          fb7fab836f744d669451dcd38aa7d2a9c74c6af893c258d079439b58abce70d8

          SHA512

          22cad79d90a949174828ee5e3ce621113591c7c991c55c1a6a44a4555002adeb3bcbd9bab6cfbbfdefd663b76ac2dae96d70a01c527b312c7e8d223334a30219

          Download Submit

        • \Windows\SysWOW64\Zombie.exe
          Filesize

          50KB

          MD5

          c209291356e538a49ff5952f123f6771

          SHA1

          eea21f3861860d0cbf1920752b964eb67dba7160

          SHA256

          a4121425a5e9fec3d82244866e6fa713581dfe6ec621df9c269377e6e8e3bfd6

          SHA512

          ae1a508a1180cb6ea85e6a43b7c664b23a031f98cbc78ead67a87446abd8d486c99a60215e11eecd3d238faf2caf11c363529c8e0b4e49717e4c23ea38033e98

          Download Submit

        • \Windows\SysWOW64\Zombie.exe
          Filesize

          50KB

          MD5

          c209291356e538a49ff5952f123f6771

          SHA1

          eea21f3861860d0cbf1920752b964eb67dba7160

          SHA256

          a4121425a5e9fec3d82244866e6fa713581dfe6ec621df9c269377e6e8e3bfd6

          SHA512

          ae1a508a1180cb6ea85e6a43b7c664b23a031f98cbc78ead67a87446abd8d486c99a60215e11eecd3d238faf2caf11c363529c8e0b4e49717e4c23ea38033e98

          Download Submit

        • memory/2636-19-0x0000000001130000-0x0000000001158000-memory.dmp

          Filesize

          160KB

          Download

        • memory/2636-20-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2636-31-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

          Filesize

          9.9MB

          Download