2aae91540654beeb760c3d3886d1231848590a521648b19102766b1523209c3f

General

Target

NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe
Size

208KB
MD5

43fcbebdd75b7774ee42e6fe6df2a990
SHA1

8cd0b48cfc999ab2821a2145b1b856a5f6277401
SHA256

2aae91540654beeb760c3d3886d1231848590a521648b19102766b1523209c3f
SHA512

0f9940ec7c134a67a1e938fccf7fd37bf2613de50e6081b1e00e06bfcabadc89370ebda2a8644275724c412a8f4cd67c4530701c477e7b7bba0082817752b415
SSDEEP

6144:bliU73B+lV6syypZWKzvxisgPwKubvhTIjoQEj1:xinozqZWKD9gPw1hTIjoQC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1088	PBFIX.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	cmd.exe
2204	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\system\PBFIX.exe	NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe
File opened for modification	C:\windows\system\PBFIX.exe	NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe
File created	C:\windows\system\PBFIX.exe.bat	NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2188	NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe
1088	PBFIX.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2188	NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe
2188	NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe
1088	PBFIX.exe
1088	PBFIX.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2204	2188	NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe	28
PID 2188 wrote to memory of 2204	2188	NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe	28
PID 2188 wrote to memory of 2204	2188	NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe	28
PID 2188 wrote to memory of 2204	2188	NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe	28
PID 2204 wrote to memory of 1088	2204	cmd.exe	30
PID 2204 wrote to memory of 1088	2204	cmd.exe	30
PID 2204 wrote to memory of 1088	2204	cmd.exe	30
PID 2204 wrote to memory of 1088	2204	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.43fcbebdd75b7774ee42e6fe6df2a990.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\PBFIX.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\windows\system\PBFIX.exe
    C:\windows\system\PBFIX.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\PBFIX.exe

Filesize
208KB

MD5
6d1a8c3d7e2910ec125c5b4ec68e4311

SHA1
254eae3a9d307680995c8d00061d6fb5b20fe1b6

SHA256
1a05f3e7bca634b8d95e603bc2e4f43c71c44fe1c4f68577c13fb6ae622da45b

SHA512
be900f94a832aa9350a373b1ce24369bbc35fd5737efaf97c7de3a6dd907f24c151dbc1a7b2b657eab46cb01419f6d28a87021dbc563019373bc2283993eebf3

Download Submit
C:\Windows\system\PBFIX.exe.bat

Filesize
70B

MD5
6c118cace990f3f03a7dbfcbc2ce1811

SHA1
3c15e7b8945d76f967da3040dfaa239a13277d2f

SHA256
d7f5d04e811d78988d6bda51d93bc60d4272ade81c39d6fc40b8ca2a6dc2d388

SHA512
12fce6f681b3ab7edaa0bcde4d11513c173c78e2a7bbe230350df509d796aa52645a48d002b9ac9e80a788d927a0ac678ca499dd0183022e47973cbec3c5f8d9

Download Submit
C:\windows\system\PBFIX.exe

Filesize
208KB

MD5
6d1a8c3d7e2910ec125c5b4ec68e4311

SHA1
254eae3a9d307680995c8d00061d6fb5b20fe1b6

SHA256
1a05f3e7bca634b8d95e603bc2e4f43c71c44fe1c4f68577c13fb6ae622da45b

SHA512
be900f94a832aa9350a373b1ce24369bbc35fd5737efaf97c7de3a6dd907f24c151dbc1a7b2b657eab46cb01419f6d28a87021dbc563019373bc2283993eebf3

Download Submit
C:\windows\system\PBFIX.exe.bat

Filesize
70B

MD5
6c118cace990f3f03a7dbfcbc2ce1811

SHA1
3c15e7b8945d76f967da3040dfaa239a13277d2f

SHA256
d7f5d04e811d78988d6bda51d93bc60d4272ade81c39d6fc40b8ca2a6dc2d388

SHA512
12fce6f681b3ab7edaa0bcde4d11513c173c78e2a7bbe230350df509d796aa52645a48d002b9ac9e80a788d927a0ac678ca499dd0183022e47973cbec3c5f8d9

Download Submit
\Windows\system\PBFIX.exe

Filesize
208KB

MD5
6d1a8c3d7e2910ec125c5b4ec68e4311

SHA1
254eae3a9d307680995c8d00061d6fb5b20fe1b6

SHA256
1a05f3e7bca634b8d95e603bc2e4f43c71c44fe1c4f68577c13fb6ae622da45b

SHA512
be900f94a832aa9350a373b1ce24369bbc35fd5737efaf97c7de3a6dd907f24c151dbc1a7b2b657eab46cb01419f6d28a87021dbc563019373bc2283993eebf3

Download Submit
\Windows\system\PBFIX.exe

Filesize
208KB

MD5
6d1a8c3d7e2910ec125c5b4ec68e4311

SHA1
254eae3a9d307680995c8d00061d6fb5b20fe1b6

SHA256
1a05f3e7bca634b8d95e603bc2e4f43c71c44fe1c4f68577c13fb6ae622da45b

SHA512
be900f94a832aa9350a373b1ce24369bbc35fd5737efaf97c7de3a6dd907f24c151dbc1a7b2b657eab46cb01419f6d28a87021dbc563019373bc2283993eebf3

Download Submit
memory/1088-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1088-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2188-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2188-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2204-18-0x00000000001F0000-0x0000000000228000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing