Analysis
-
max time kernel
148s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
21/10/2023, 21:17
General
-
Target
NEAS.3c101d481dc1283c3789f7d210a5ea30.exe
-
Size
124KB
-
MD5
3c101d481dc1283c3789f7d210a5ea30
-
SHA1
05cb82d4f529cc308442980a66409619bb9867ad
-
SHA256
687809e071572866c02b4a70a1f44bedc8497a79cdf1af467a9b57d3abe5fb3c
-
SHA512
54cd954603d8d1b5b9db77453e7234bcfb961db018925a574227728c9975065f7f0f1f8ab34e8d78d77e75a8aa72aecb24e52b0390e2fa039743a4d887176cb1
-
SSDEEP
3072:nS6eWjnFO6q+7kEEbXExseoeHqHpOcdElGIrGMhF:SQrFO6q+hIXExbn
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.3c101d481dc1283c3789f7d210a5ea30.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.3c101d481dc1283c3789f7d210a5ea30.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NEAS.3c101d481dc1283c3789f7d210a5ea30.exe782⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\litit.exe"C:\Users\Admin\litit.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1964⤵
- Loads dropped DLL
- Program crash
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
124KB
MD53c101d481dc1283c3789f7d210a5ea30
SHA105cb82d4f529cc308442980a66409619bb9867ad
SHA256687809e071572866c02b4a70a1f44bedc8497a79cdf1af467a9b57d3abe5fb3c
SHA51254cd954603d8d1b5b9db77453e7234bcfb961db018925a574227728c9975065f7f0f1f8ab34e8d78d77e75a8aa72aecb24e52b0390e2fa039743a4d887176cb1
-
Filesize
124KB
MD53c101d481dc1283c3789f7d210a5ea30
SHA105cb82d4f529cc308442980a66409619bb9867ad
SHA256687809e071572866c02b4a70a1f44bedc8497a79cdf1af467a9b57d3abe5fb3c
SHA51254cd954603d8d1b5b9db77453e7234bcfb961db018925a574227728c9975065f7f0f1f8ab34e8d78d77e75a8aa72aecb24e52b0390e2fa039743a4d887176cb1
-
Filesize
124KB
MD53c101d481dc1283c3789f7d210a5ea30
SHA105cb82d4f529cc308442980a66409619bb9867ad
SHA256687809e071572866c02b4a70a1f44bedc8497a79cdf1af467a9b57d3abe5fb3c
SHA51254cd954603d8d1b5b9db77453e7234bcfb961db018925a574227728c9975065f7f0f1f8ab34e8d78d77e75a8aa72aecb24e52b0390e2fa039743a4d887176cb1
-
Filesize
124KB
MD53c101d481dc1283c3789f7d210a5ea30
SHA105cb82d4f529cc308442980a66409619bb9867ad
SHA256687809e071572866c02b4a70a1f44bedc8497a79cdf1af467a9b57d3abe5fb3c
SHA51254cd954603d8d1b5b9db77453e7234bcfb961db018925a574227728c9975065f7f0f1f8ab34e8d78d77e75a8aa72aecb24e52b0390e2fa039743a4d887176cb1
-
Filesize
124KB
MD53c101d481dc1283c3789f7d210a5ea30
SHA105cb82d4f529cc308442980a66409619bb9867ad
SHA256687809e071572866c02b4a70a1f44bedc8497a79cdf1af467a9b57d3abe5fb3c
SHA51254cd954603d8d1b5b9db77453e7234bcfb961db018925a574227728c9975065f7f0f1f8ab34e8d78d77e75a8aa72aecb24e52b0390e2fa039743a4d887176cb1
-
Filesize
124KB
MD53c101d481dc1283c3789f7d210a5ea30
SHA105cb82d4f529cc308442980a66409619bb9867ad
SHA256687809e071572866c02b4a70a1f44bedc8497a79cdf1af467a9b57d3abe5fb3c
SHA51254cd954603d8d1b5b9db77453e7234bcfb961db018925a574227728c9975065f7f0f1f8ab34e8d78d77e75a8aa72aecb24e52b0390e2fa039743a4d887176cb1
-
Filesize
124KB
MD53c101d481dc1283c3789f7d210a5ea30
SHA105cb82d4f529cc308442980a66409619bb9867ad
SHA256687809e071572866c02b4a70a1f44bedc8497a79cdf1af467a9b57d3abe5fb3c
SHA51254cd954603d8d1b5b9db77453e7234bcfb961db018925a574227728c9975065f7f0f1f8ab34e8d78d77e75a8aa72aecb24e52b0390e2fa039743a4d887176cb1
-
Filesize
124KB
MD53c101d481dc1283c3789f7d210a5ea30
SHA105cb82d4f529cc308442980a66409619bb9867ad
SHA256687809e071572866c02b4a70a1f44bedc8497a79cdf1af467a9b57d3abe5fb3c
SHA51254cd954603d8d1b5b9db77453e7234bcfb961db018925a574227728c9975065f7f0f1f8ab34e8d78d77e75a8aa72aecb24e52b0390e2fa039743a4d887176cb1
-
Filesize
124KB
MD53c101d481dc1283c3789f7d210a5ea30
SHA105cb82d4f529cc308442980a66409619bb9867ad
SHA256687809e071572866c02b4a70a1f44bedc8497a79cdf1af467a9b57d3abe5fb3c
SHA51254cd954603d8d1b5b9db77453e7234bcfb961db018925a574227728c9975065f7f0f1f8ab34e8d78d77e75a8aa72aecb24e52b0390e2fa039743a4d887176cb1
-
Filesize
124KB
MD53c101d481dc1283c3789f7d210a5ea30
SHA105cb82d4f529cc308442980a66409619bb9867ad
SHA256687809e071572866c02b4a70a1f44bedc8497a79cdf1af467a9b57d3abe5fb3c
SHA51254cd954603d8d1b5b9db77453e7234bcfb961db018925a574227728c9975065f7f0f1f8ab34e8d78d77e75a8aa72aecb24e52b0390e2fa039743a4d887176cb1
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB