74b74188693eb5890f4ac66406811ffec79eafcb9a61db2963b01ca10b36bc0b

General

Target

NEAS.c8bd8b72c98c385e2692b8d515288570.exe
Size

500KB
MD5

c8bd8b72c98c385e2692b8d515288570
SHA1

f86f39886be85a8ea6bf112cea487e92eb7a7f15
SHA256

74b74188693eb5890f4ac66406811ffec79eafcb9a61db2963b01ca10b36bc0b
SHA512

aa035d4a3df17d38f9c56fbbe29861574a65f74ecca18a78f9b8fffc219f8d42e1f92dcb46325741d315ec69a02133646f9a1c8f6499cedc41741c2a9f0c1baa
SSDEEP

12288:8T8M7/OfD5CsvMzNoQa7fudskfA2tp6cLUsBzvwWP7OLD:8oM/Ob8GMpobbudN1tpzLUsdwWPG

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4784	UTSCSI.EXE

Loads dropped DLL 5 IoCs

pid	Process
1344	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
1344	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
1344	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
1344	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
1344	NEAS.c8bd8b72c98c385e2692b8d515288570.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1344-0-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral2/memory/1344-26-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral2/memory/1344-28-0x0000000000400000-0x000000000054D000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\D:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\M:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\N:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\T:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\V:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\O:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\R:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\X:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\E:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\F:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\H:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\K:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\L:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\Y:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\Z:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\G:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\J:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\Q:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\I:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\P:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\S:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File opened (read-only)	\??\U:	NEAS.c8bd8b72c98c385e2692b8d515288570.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\UTSCSI.EXE	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
File created	C:\Windows\SysWOW64\UTSCSI.EXE	NEAS.c8bd8b72c98c385e2692b8d515288570.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1344	NEAS.c8bd8b72c98c385e2692b8d515288570.exe
1344	NEAS.c8bd8b72c98c385e2692b8d515288570.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.c8bd8b72c98c385e2692b8d515288570.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c8bd8b72c98c385e2692b8d515288570.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Windows\SysWOW64\UTSCSI.EXE
C:\Windows\SysWOW64\UTSCSI.EXE
1⤵
- Executes dropped EXE
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\168FlashSDK.dll

Filesize
352KB

MD5
b245463d28a74a95dc7d2300d4dc86b3

SHA1
b70fca051994614bd65f4fc5ce547e18d2d743ba

SHA256
65f35380ce93bc33a59d4a4cc9c8bc09c7836a060847048c4f8727c5a5406685

SHA512
c5ffa53cd5179aa5b7b89a85a580d0967ca67a10422b5a86700f60bd25ce81fac9bfa0f3def7828337a2d3e5701861ae9b2319d7e6fb8421a288c1a9d7a50d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\168FlashSDK.dll

Filesize
352KB

MD5
b245463d28a74a95dc7d2300d4dc86b3

SHA1
b70fca051994614bd65f4fc5ce547e18d2d743ba

SHA256
65f35380ce93bc33a59d4a4cc9c8bc09c7836a060847048c4f8727c5a5406685

SHA512
c5ffa53cd5179aa5b7b89a85a580d0967ca67a10422b5a86700f60bd25ce81fac9bfa0f3def7828337a2d3e5701861ae9b2319d7e6fb8421a288c1a9d7a50d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\168FlashSDK.dll

Filesize
352KB

MD5
b245463d28a74a95dc7d2300d4dc86b3

SHA1
b70fca051994614bd65f4fc5ce547e18d2d743ba

SHA256
65f35380ce93bc33a59d4a4cc9c8bc09c7836a060847048c4f8727c5a5406685

SHA512
c5ffa53cd5179aa5b7b89a85a580d0967ca67a10422b5a86700f60bd25ce81fac9bfa0f3def7828337a2d3e5701861ae9b2319d7e6fb8421a288c1a9d7a50d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ITEuDLL.dll

Filesize
104KB

MD5
76f16faccd249018e86a7444a7c210f0

SHA1
4990dc0d8606bf6fd1cfd85746924760ce9b7f57

SHA256
0d9edafea25f75d13e56faa217f7796eb1377102d50aab5cd2842ac89cd80282

SHA512
bc6d9748c18d45c4aa10b016367c1c893dc3dfd29955ed0ecc4e18fb47c614323e43f404de3f01390c564d8b563e46c2e93e0d4724ec8bbda40b2288d46b215a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ITEuDLL.dll

Filesize
104KB

MD5
76f16faccd249018e86a7444a7c210f0

SHA1
4990dc0d8606bf6fd1cfd85746924760ce9b7f57

SHA256
0d9edafea25f75d13e56faa217f7796eb1377102d50aab5cd2842ac89cd80282

SHA512
bc6d9748c18d45c4aa10b016367c1c893dc3dfd29955ed0ecc4e18fb47c614323e43f404de3f01390c564d8b563e46c2e93e0d4724ec8bbda40b2288d46b215a

Download Submit
C:\Users\Admin\AppData\Local\Temp\udll.dll

Filesize
460KB

MD5
e69ea9fdfb9617a76675497bb97155a0

SHA1
7759712f6fb0e93e9f8cb4fe0594b105c13a0f29

SHA256
f6b659e773e57c50a7eee084d9dd7d86ad996740800d57c633459811428e4b60

SHA512
e24ffeb3fad14215aad5fe94566b253bc1e96e5a158617eb71a625c888e9ff164b22bd0b7850bbf8f6e838e9ef29ebd8f819eb65c808e0c698bda9bdac58dd73

Download Submit
C:\Windows\SysWOW64\UTSCSI.EXE

Filesize
44KB

MD5
8afffda081cff3057391fedbbb483601

SHA1
761ef44a81a4a2fae950d5ee2b1e2808083056ee

SHA256
c44ea66c31ca8a425a4289fb0e7503a37ffe121cb6f50baa474c5980e92aaef8

SHA512
2d735671670397f61844e80ac64ccc6fdab5407634d87bfcc74d36641762086d6e18858feba8a6175910815ece279cfbdfabfa57adcefb7a5453c6f93b34cc65

Download Submit
C:\Windows\SysWOW64\UTSCSI.EXE

Filesize
44KB

MD5
8afffda081cff3057391fedbbb483601

SHA1
761ef44a81a4a2fae950d5ee2b1e2808083056ee

SHA256
c44ea66c31ca8a425a4289fb0e7503a37ffe121cb6f50baa474c5980e92aaef8

SHA512
2d735671670397f61844e80ac64ccc6fdab5407634d87bfcc74d36641762086d6e18858feba8a6175910815ece279cfbdfabfa57adcefb7a5453c6f93b34cc65

Download Submit
memory/1344-14-0x0000000002500000-0x000000000252C000-memory.dmp

Filesize
176KB

Download
memory/1344-0-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1344-20-0x0000000002530000-0x000000000258C000-memory.dmp

Filesize
368KB

Download
memory/1344-26-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1344-28-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing