dfa83e0a985772156d60061f77cebcf1d7e6569c57704ba567cb7eb9e1fee802

General

Target

NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe
Size

340KB
MD5

0b2ca15b3f0c2af1ee646d50f9917d20
SHA1

839b2b3b09f5947fe6818e925feeb0af97d3f603
SHA256

dfa83e0a985772156d60061f77cebcf1d7e6569c57704ba567cb7eb9e1fee802
SHA512

2bc66352a39c2edd4bcf005d565368975e6e92195a16a8ae23b2a37e8f74d6792e78d4a473263670017c912cc6ae3614b7e49f28c210d56b412d73a7afea18eb
SSDEEP

6144:ztvBPnU1b7e9SQii1EkoNlhlrQ2ZrM2xsyxr8ceQdWTw:Zv1nWdQP1EDhZPxsyFDdWTw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2708	Isass.exe
2736	LD_NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe

Loads dropped DLL 4 IoCs

pid	Process
2124	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe
2124	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe
2124	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe
2672	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2124	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe
2708	Isass.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2708	2124	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe	28
PID 2124 wrote to memory of 2708	2124	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe	28
PID 2124 wrote to memory of 2708	2124	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe	28
PID 2124 wrote to memory of 2708	2124	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe	28
PID 2124 wrote to memory of 2736	2124	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe	29
PID 2124 wrote to memory of 2736	2124	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe	29
PID 2124 wrote to memory of 2736	2124	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe	29
PID 2124 wrote to memory of 2736	2124	NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\LD_NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\LD_NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe"
  2⤵
  - Executes dropped EXE
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
32766791428d36d8752c892633c1ddc4

SHA1
01d489f3ffdd82b1d3a33d0d4dc5d5bd076ac930

SHA256
54fe80d5413a4c94c8063b768715fbaee9555cb1c19f7bf1af22689b20ffbb35

SHA512
5e15a2714afdd1f9c2fc1112d973d98e5044d9d96e805b4b7844d8d07637b924cf7f7c350a7f740671f011f6242b4dc1d745bce06ade13a7f02e223c1de7f823

Download Submit
C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
32766791428d36d8752c892633c1ddc4

SHA1
01d489f3ffdd82b1d3a33d0d4dc5d5bd076ac930

SHA256
54fe80d5413a4c94c8063b768715fbaee9555cb1c19f7bf1af22689b20ffbb35

SHA512
5e15a2714afdd1f9c2fc1112d973d98e5044d9d96e805b4b7844d8d07637b924cf7f7c350a7f740671f011f6242b4dc1d745bce06ade13a7f02e223c1de7f823

Download Submit
C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
32766791428d36d8752c892633c1ddc4

SHA1
01d489f3ffdd82b1d3a33d0d4dc5d5bd076ac930

SHA256
54fe80d5413a4c94c8063b768715fbaee9555cb1c19f7bf1af22689b20ffbb35

SHA512
5e15a2714afdd1f9c2fc1112d973d98e5044d9d96e805b4b7844d8d07637b924cf7f7c350a7f740671f011f6242b4dc1d745bce06ade13a7f02e223c1de7f823

Download Submit
C:\Users\Admin\AppData\Local\Temp\LD_NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe

Filesize
99KB

MD5
add15a53fd06b29b67959d7a527b16b7

SHA1
a93b3d6d129e3f99e32b6c2ea6a96e896c090b1a

SHA256
786e68ded8af18f36274d78ea00ff11289c27107dd9f8fdd2f6b4732a3b8a2da

SHA512
ff7b4461448820a8a7f09f5b0282dd4fd042050072719838ab72dc6f8aac9e25982b568dbb2ba9877db2b66018bda46043fd98ef123c07af446b1fb161be2430

Download Submit
\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
32766791428d36d8752c892633c1ddc4

SHA1
01d489f3ffdd82b1d3a33d0d4dc5d5bd076ac930

SHA256
54fe80d5413a4c94c8063b768715fbaee9555cb1c19f7bf1af22689b20ffbb35

SHA512
5e15a2714afdd1f9c2fc1112d973d98e5044d9d96e805b4b7844d8d07637b924cf7f7c350a7f740671f011f6242b4dc1d745bce06ade13a7f02e223c1de7f823

Download Submit
\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
32766791428d36d8752c892633c1ddc4

SHA1
01d489f3ffdd82b1d3a33d0d4dc5d5bd076ac930

SHA256
54fe80d5413a4c94c8063b768715fbaee9555cb1c19f7bf1af22689b20ffbb35

SHA512
5e15a2714afdd1f9c2fc1112d973d98e5044d9d96e805b4b7844d8d07637b924cf7f7c350a7f740671f011f6242b4dc1d745bce06ade13a7f02e223c1de7f823

Download Submit
\Users\Admin\AppData\Local\Temp\LD_NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe

Filesize
99KB

MD5
add15a53fd06b29b67959d7a527b16b7

SHA1
a93b3d6d129e3f99e32b6c2ea6a96e896c090b1a

SHA256
786e68ded8af18f36274d78ea00ff11289c27107dd9f8fdd2f6b4732a3b8a2da

SHA512
ff7b4461448820a8a7f09f5b0282dd4fd042050072719838ab72dc6f8aac9e25982b568dbb2ba9877db2b66018bda46043fd98ef123c07af446b1fb161be2430

Download Submit
\Users\Admin\AppData\Local\Temp\LD_NEAS.0b2ca15b3f0c2af1ee646d50f9917d20_JC.exe

Filesize
99KB

MD5
add15a53fd06b29b67959d7a527b16b7

SHA1
a93b3d6d129e3f99e32b6c2ea6a96e896c090b1a

SHA256
786e68ded8af18f36274d78ea00ff11289c27107dd9f8fdd2f6b4732a3b8a2da

SHA512
ff7b4461448820a8a7f09f5b0282dd4fd042050072719838ab72dc6f8aac9e25982b568dbb2ba9877db2b66018bda46043fd98ef123c07af446b1fb161be2430

Download Submit
memory/2124-17-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2124-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2124-18-0x0000000003FF0000-0x0000000005297000-memory.dmp

Filesize
18.7MB

Download
memory/2124-12-0x0000000003FF0000-0x0000000005297000-memory.dmp

Filesize
18.7MB

Download
memory/2124-0-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-30-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-31-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-22-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-23-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-24-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-27-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-13-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2708-20-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-34-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-41-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-42-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-43-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-44-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-45-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-46-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2708-47-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads