Analysis
-
max time kernel
14s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
21/10/2023, 21:36
Behavioral task
behavioral1
Sample
NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe
Resource
win7-20230831-en
General
-
Target
NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe
-
Size
243KB
-
MD5
eb4f61cdbba43d2b9b567e06a981f760
-
SHA1
b9738f36b4fb5451fa28cc23f0eff794d7b6b647
-
SHA256
27a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359
-
SHA512
433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca
-
SSDEEP
6144:LEPAc72ss5pKL93yMax7pH3F2d1ugMeSWp:LE32xpoaxBFg1ugMeS
Malware Config
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3060 explothe.exe -
Loads dropped DLL 1 IoCs
pid Process 2288 NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2600 schtasks.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2288 wrote to memory of 3060 2288 NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe 38 PID 2288 wrote to memory of 3060 2288 NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe 38 PID 2288 wrote to memory of 3060 2288 NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe 38 PID 2288 wrote to memory of 3060 2288 NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe 38 PID 3060 wrote to memory of 2600 3060 explothe.exe 29 PID 3060 wrote to memory of 2600 3060 explothe.exe 29 PID 3060 wrote to memory of 2600 3060 explothe.exe 29 PID 3060 wrote to memory of 2600 3060 explothe.exe 29 PID 3060 wrote to memory of 2648 3060 explothe.exe 31 PID 3060 wrote to memory of 2648 3060 explothe.exe 31 PID 3060 wrote to memory of 2648 3060 explothe.exe 31 PID 3060 wrote to memory of 2648 3060 explothe.exe 31 PID 2648 wrote to memory of 2768 2648 cmd.exe 37 PID 2648 wrote to memory of 2768 2648 cmd.exe 37 PID 2648 wrote to memory of 2768 2648 cmd.exe 37 PID 2648 wrote to memory of 2768 2648 cmd.exe 37 PID 2648 wrote to memory of 2936 2648 cmd.exe 36 PID 2648 wrote to memory of 2936 2648 cmd.exe 36 PID 2648 wrote to memory of 2936 2648 cmd.exe 36 PID 2648 wrote to memory of 2936 2648 cmd.exe 36 PID 2648 wrote to memory of 2616 2648 cmd.exe 32 PID 2648 wrote to memory of 2616 2648 cmd.exe 32 PID 2648 wrote to memory of 2616 2648 cmd.exe 32 PID 2648 wrote to memory of 2616 2648 cmd.exe 32 PID 2648 wrote to memory of 2356 2648 cmd.exe 35 PID 2648 wrote to memory of 2356 2648 cmd.exe 35 PID 2648 wrote to memory of 2356 2648 cmd.exe 35 PID 2648 wrote to memory of 2356 2648 cmd.exe 35 PID 2648 wrote to memory of 2920 2648 cmd.exe 34 PID 2648 wrote to memory of 2920 2648 cmd.exe 34 PID 2648 wrote to memory of 2920 2648 cmd.exe 34 PID 2648 wrote to memory of 2920 2648 cmd.exe 34 PID 2648 wrote to memory of 2828 2648 cmd.exe 33 PID 2648 wrote to memory of 2828 2648 cmd.exe 33 PID 2648 wrote to memory of 2828 2648 cmd.exe 33 PID 2648 wrote to memory of 2828 2648 cmd.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F1⤵
- Creates scheduled task(s)
PID:2600
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit1⤵
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E2⤵PID:2616
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E2⤵PID:2828
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"2⤵PID:2920
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:2356
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"2⤵PID:2936
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵PID:2768
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
243KB
MD5eb4f61cdbba43d2b9b567e06a981f760
SHA1b9738f36b4fb5451fa28cc23f0eff794d7b6b647
SHA25627a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359
SHA512433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca
-
Filesize
243KB
MD5eb4f61cdbba43d2b9b567e06a981f760
SHA1b9738f36b4fb5451fa28cc23f0eff794d7b6b647
SHA25627a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359
SHA512433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca
-
Filesize
243KB
MD5eb4f61cdbba43d2b9b567e06a981f760
SHA1b9738f36b4fb5451fa28cc23f0eff794d7b6b647
SHA25627a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359
SHA512433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca
-
Filesize
243KB
MD5eb4f61cdbba43d2b9b567e06a981f760
SHA1b9738f36b4fb5451fa28cc23f0eff794d7b6b647
SHA25627a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359
SHA512433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca