1383f199f9b09d086a731c9a290909a0419e02fc1e12b4d016cb4109de411ede

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f9970831c7ef7d9a9b544cff6314f220.exe
Size

282KB
MD5

f9970831c7ef7d9a9b544cff6314f220
SHA1

cce902bcfe531c43c01dec177cfbb14f39521455
SHA256

1383f199f9b09d086a731c9a290909a0419e02fc1e12b4d016cb4109de411ede
SHA512

186e3b6757c00caa92c03724b514e832c389e6b6c3ae0ae3194e7d08b02de9278e1576205e4a592ef64c5b6e7a9f6dff308a72f85d0724fdb01b366efbf02120
SSDEEP

6144:QtnqqrpY8RapeqHSJyoFkaGoZxkEjiPISUOgW9X+hOGzC/:QtnqqrZQQqHSJyoFkaGoZxkmZzcukG2/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2652	IPTQ.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\IPTQ.exe.bat	NEAS.f9970831c7ef7d9a9b544cff6314f220.exe
File created	C:\windows\IPTQ.exe	NEAS.f9970831c7ef7d9a9b544cff6314f220.exe
File opened for modification	C:\windows\IPTQ.exe	NEAS.f9970831c7ef7d9a9b544cff6314f220.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	NEAS.f9970831c7ef7d9a9b544cff6314f220.exe
2652	IPTQ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2204	NEAS.f9970831c7ef7d9a9b544cff6314f220.exe
2204	NEAS.f9970831c7ef7d9a9b544cff6314f220.exe
2652	IPTQ.exe
2652	IPTQ.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2376	2204	NEAS.f9970831c7ef7d9a9b544cff6314f220.exe	28
PID 2204 wrote to memory of 2376	2204	NEAS.f9970831c7ef7d9a9b544cff6314f220.exe	28
PID 2204 wrote to memory of 2376	2204	NEAS.f9970831c7ef7d9a9b544cff6314f220.exe	28
PID 2204 wrote to memory of 2376	2204	NEAS.f9970831c7ef7d9a9b544cff6314f220.exe	28
PID 2376 wrote to memory of 2652	2376	cmd.exe	30
PID 2376 wrote to memory of 2652	2376	cmd.exe	30
PID 2376 wrote to memory of 2652	2376	cmd.exe	30
PID 2376 wrote to memory of 2652	2376	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.f9970831c7ef7d9a9b544cff6314f220.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f9970831c7ef7d9a9b544cff6314f220.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\IPTQ.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\windows\IPTQ.exe
    C:\windows\IPTQ.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IPTQ.exe

Filesize
282KB

MD5
cd4ddb6addbe1d82dc0f4f1b8fbe9c01

SHA1
3313d5cf424aa5ebd44e9a3d7338458dcf7ebc82

SHA256
d7a56ea3010b08778a53709d480a7cecf9a2266a97c61d47b350a539114ece8f

SHA512
e6627e6ff221309882145c15cf4a2dbeb3dc92002131b809e0d3c578219023b3b6d5dffe4dc4f086c30fbf1a3523036d79e541405f64d75df715bc93c9453b50

Download Submit
C:\Windows\IPTQ.exe.bat

Filesize
54B

MD5
99368407fd72ab2da099474194d5a307

SHA1
59743fea640c88bfe60f157449a1ada9017f052e

SHA256
e8af982a7c8ccf5760f9c36c870ecb759e903da8cd794759cca35be2bc623557

SHA512
b77cd7337975695fe5cd5b7a8a7a09dd629fc7bf30d358dfab419c02102f17c61e60c7069289dbcf32b64e9b4a8f4594edb8d6e80487cdcdb462132ad95a750e

Download Submit
C:\windows\IPTQ.exe

Filesize
282KB

MD5
cd4ddb6addbe1d82dc0f4f1b8fbe9c01

SHA1
3313d5cf424aa5ebd44e9a3d7338458dcf7ebc82

SHA256
d7a56ea3010b08778a53709d480a7cecf9a2266a97c61d47b350a539114ece8f

SHA512
e6627e6ff221309882145c15cf4a2dbeb3dc92002131b809e0d3c578219023b3b6d5dffe4dc4f086c30fbf1a3523036d79e541405f64d75df715bc93c9453b50

Download Submit
C:\windows\IPTQ.exe.bat

Filesize
54B

MD5
99368407fd72ab2da099474194d5a307

SHA1
59743fea640c88bfe60f157449a1ada9017f052e

SHA256
e8af982a7c8ccf5760f9c36c870ecb759e903da8cd794759cca35be2bc623557

SHA512
b77cd7337975695fe5cd5b7a8a7a09dd629fc7bf30d358dfab419c02102f17c61e60c7069289dbcf32b64e9b4a8f4594edb8d6e80487cdcdb462132ad95a750e

Download Submit
memory/2204-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2204-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2376-15-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download
memory/2376-17-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download
memory/2376-19-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download
memory/2652-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download