Analysis
max time kernel: 61s
max time network: 58s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 21-10-2023 21:30
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.bcc09d62005ce6c95f3ea8b75d8e6800.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: NEAS.bcc09d62005ce6c95f3ea8b75d8e6800.exe
  Resource: win10v2004-20231020-en
General
Target: NEAS.bcc09d62005ce6c95f3ea8b75d8e6800.exe
Size: 61KB
MD5: bcc09d62005ce6c95f3ea8b75d8e6800
SHA1: 29c5d51367b51d6d3c43a3314fcee38dee4c8a7d
SHA256: d5db5e6a0bf23fd2041f9e6a0c9d1395b241c55e2cb790e8ecf95ab298fafece
SHA512: 356cbef170423b13b76ea66917b0bf4bc89eac27f6a53e8a44d6822c006233bf53e7a2b7267a376b3299379956d1750d917aba0b3462bcccb3f95b052c7272ea
SSDEEP: 768:vYnI9ZvPg2k4u+hJDdv260OAhAH4Ii7u9bp6uqcl2aauA:vwIrHuCtd3FAhAYIi78xlba
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1624  process dfv88vv2s.exe
Loads dropped DLL (2 IoCs)
  pid 1100  process NEAS.bcc09d62005ce6c95f3ea8b75d8e6800.exe
  pid 1100  process NEAS.bcc09d62005ce6c95f3ea8b75d8e6800.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\voqph6 = "C:\\Users\\Admin\\AppData\\Roaming\\dfv88vv2s.exe"
  process: NEAS.bcc09d62005ce6c95f3ea8b75d8e6800.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1100 wrote to memory of 1624
  pid 1100  process NEAS.bcc09d62005ce6c95f3ea8b75d8e6800.exe  procid_target 28
  (the same entry is recorded 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.bcc09d62005ce6c95f3ea8b75d8e6800.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.bcc09d62005ce6c95f3ea8b75d8e6800.exe"
   PID: 1100
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\dfv88vv2s.exe (child of PID 1100 in the process tree)
      command line: C:\Users\Admin\AppData\Roaming\dfv88vv2s.exe
      PID: 1624
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads (one file, listed 5 times in the original report)
Filesize: 61KB
MD5: 7c0b3e6a4feff14da44af35ef5eccf29
SHA1: a0f5bf47fb2a8cdc93c1424e797b80970a3d7692
SHA256: 5ae65e0a6a7f2e168bfdbb7f03e9aace312467b9ba0d5179bfdee3e3af80357e
SHA512: 351379a241b30ef0e6652e1562e64ff442da87dd71aca686a918de62a701b8984640175313619c91fc5a10644b936a78bf54cf2cf3abfa740945145aee07aa32