Overview

overview

8

Static

static

1

NEAS.20b5e...JC.xls

windows7-x64

8

NEAS.20b5e...JC.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2023 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.20b5e22a6955b71534fa6b3b0f4b565edc129398be7b021797ab6e97a03b55dcxls_JC.xls

  • Size

    1.1MB

  • MD5

    598d71289f14f049c7c41acd0063322d

  • SHA1

    842bb20d1671d0848cd3a56de52177e48e65efd0

  • SHA256

    20b5e22a6955b71534fa6b3b0f4b565edc129398be7b021797ab6e97a03b55dc

  • SHA512

    5641a785b36187f53c6b12b1f5437d5f308fea35d942d72a90b37819f713e1aa22004bfd50eff50ec1cecff6bd5e9380ff3e3b53a1a07f57c83f1ba948be0472

  • SSDEEP

    24576:tWQmmav30xHZyuw6VC3bV3SrZypw6Ve3bVGLC2nQsoPE0fj+nowLZ:MQmmQ303K6VC3bVAd6Ve3bVWQzPtj+oY

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\NEAS.20b5e22a6955b71534fa6b3b0f4b565edc129398be7b021797ab6e97a03b55dcxls_JC.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2148
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Roaming\audiodgse.exe
      "C:\Users\Admin\AppData\Roaming\audiodgse.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OaNWuw.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:584
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OaNWuw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1624
      • C:\Users\Admin\AppData\Roaming\audiodgse.exe
        "C:\Users\Admin\AppData\Roaming\audiodgse.exe"
        3⤵
        • Executes dropped EXE
        PID:1812
      • C:\Users\Admin\AppData\Roaming\audiodgse.exe
        "C:\Users\Admin\AppData\Roaming\audiodgse.exe"
        3⤵
        • Executes dropped EXE
        PID:1692
      • C:\Users\Admin\AppData\Roaming\audiodgse.exe
        "C:\Users\Admin\AppData\Roaming\audiodgse.exe"
        3⤵
        • Executes dropped EXE
        PID:2404
      • C:\Users\Admin\AppData\Roaming\audiodgse.exe
        "C:\Users\Admin\AppData\Roaming\audiodgse.exe"
        3⤵
        • Executes dropped EXE
        PID:1612
      • C:\Users\Admin\AppData\Roaming\audiodgse.exe
        "C:\Users\Admin\AppData\Roaming\audiodgse.exe"
        3⤵
        • Executes dropped EXE
        PID:2236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\117AAF03.emf
    Filesize

    1.4MB

    MD5

    a01b9617553432807b9b58025b338d97

    SHA1

    439bdcc450408b9735b2428c2d53d2e6977fa58c

    SHA256

    7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce

    SHA512

    312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp
    Filesize

    1KB

    MD5

    ad9b39451e326b192084e4d52f6053bc

    SHA1

    fd386a6b3641809a0372e363b3adebea0fbf23c8

    SHA256

    cb94dfd4c1a3af04790d3110583df7ebf17b5a5fe5ebe07382ed8f739034bc36

    SHA512

    af2b30ea663d0266aaf1db82046ebb785013abfec014d12a868dbd0852b47bd5f78c267874d7c4ace9edf2595940c1a64312aeb9109726eacb351b00ba210969

    Download Submit

  • C:\Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • \Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • \Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • \Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • \Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • \Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • \Users\Admin\AppData\Roaming\audiodgse.exe
    Filesize

    1.1MB

    MD5

    9a2273d43305150b70e4cfa69bff2231

    SHA1

    a618462130536e3a2d3c06a03473a584a1f4c070

    SHA256

    f8fe2b2ea77e10ff5a8256bc177f299d30ec5601518d6fd27de2d599d516a114

    SHA512

    b073e33bcf10c8e97f13969b83022987d0e395d1b9a5003faa1943b97a9594055f305c3937900b791ae15bb6fdad7846027274ff2fe39b1a9f2e5e534a8fe1ab

    Download Submit

  • memory/584-47-0x0000000066450000-0x00000000669FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/584-52-0x0000000066450000-0x00000000669FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/584-51-0x00000000026F0000-0x0000000002730000-memory.dmp

    Filesize

    256KB

    Download

  • memory/584-50-0x00000000026F0000-0x0000000002730000-memory.dmp

    Filesize

    256KB

    Download

  • memory/584-49-0x00000000026F0000-0x0000000002730000-memory.dmp

    Filesize

    256KB

    Download

  • memory/584-48-0x0000000066450000-0x00000000669FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2148-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2148-77-0x0000000071D4D000-0x0000000071D58000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2148-1-0x0000000071D4D000-0x0000000071D58000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2148-59-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2148-14-0x0000000071D4D000-0x0000000071D58000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2780-24-0x00000000005E0000-0x00000000005FC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2780-46-0x000000006BEA0000-0x000000006C58E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2780-21-0x00000000003E0000-0x00000000004F6000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2780-22-0x000000006BEA0000-0x000000006C58E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2780-23-0x0000000004CE0000-0x0000000004D20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2780-28-0x0000000007910000-0x000000000798A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2780-25-0x000000006BEA0000-0x000000006C58E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2780-26-0x0000000004CE0000-0x0000000004D20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2780-27-0x0000000000580000-0x0000000000590000-memory.dmp

    Filesize

    64KB

    Download