e0674636210292f8c3a6292f5f5c8f96e6a505af7e6a268b96c7153c5ef0aedb

General

Target

NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
Size

208KB
MD5

7b9b9853ef5877b00cc43e9760590ab0
SHA1

7b4893137e7518b060ee6a0e185e53d779d841ad
SHA256

e0674636210292f8c3a6292f5f5c8f96e6a505af7e6a268b96c7153c5ef0aedb
SHA512

01b4da351de22899f9152375230cb77f7f8a1bdb3de2ebf67971c0abf6b08e5c55d244a7f0e32c48d39c1d0c6ae9f6163616e6ef0ce58740007998ce4f4f4c1b
SSDEEP

6144:YwDrqb3DppfVf07P1uxsyAIxh6SqWyKQEj1:Ywi/PNf07P1aQIxh6Sq/KQC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2120	JUF.exe

Loads dropped DLL 2 IoCs

pid	Process
2780	cmd.exe
2780	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\JUF.exe	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
File opened for modification	C:\windows\SysWOW64\JUF.exe	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
File created	C:\windows\SysWOW64\JUF.exe.bat	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2776	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
2120	JUF.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2776	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
2776	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
2120	JUF.exe
2120	JUF.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2780	2776	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe	27
PID 2776 wrote to memory of 2780	2776	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe	27
PID 2776 wrote to memory of 2780	2776	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe	27
PID 2776 wrote to memory of 2780	2776	NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe	27
PID 2780 wrote to memory of 2120	2780	cmd.exe	29
PID 2780 wrote to memory of 2120	2780	cmd.exe	29
PID 2780 wrote to memory of 2120	2780	cmd.exe	29
PID 2780 wrote to memory of 2120	2780	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7b9b9853ef5877b00cc43e9760590ab0.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\JUF.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\windows\SysWOW64\JUF.exe
    C:\windows\system32\JUF.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\JUF.exe

Filesize
208KB

MD5
dde050bf1a4c2e69b4e127a4e95032ea

SHA1
4358d6f8277639f5c130f012d7c354bf4bc0b38b

SHA256
f5da62c2c86cefb65253376a4aa1e16acccb8281aa6c40a02427b814d7214ccb

SHA512
d8e7e865a4b3c321b7f2e6383bcc9b2123f2963637cbbdd9d0f9a7e830a5a533796d1b0caad0010f6f838b6ba411704edfc1f140077e7403a8eec420e2ac60fd

Download Submit
C:\Windows\SysWOW64\JUF.exe.bat

Filesize
70B

MD5
d00bd537d8d99408a5d72556c51e62a4

SHA1
d41715cd7dbd11bad743cd9bdce51a18fec6f952

SHA256
a1c3231c6e6c6af35896edd1d00af6eee79a2a9e4e0f4f715020846e2852c58d

SHA512
ed39f8352212f70187c4003b742da0fcc494cc38888a5e108dc0b2c259cf0243e4a05d8d0c4d2c154137eee00b8f18aa9756d7517c5dedcdbb253f7d0b8c1786

Download Submit
C:\windows\SysWOW64\JUF.exe

Filesize
208KB

MD5
dde050bf1a4c2e69b4e127a4e95032ea

SHA1
4358d6f8277639f5c130f012d7c354bf4bc0b38b

SHA256
f5da62c2c86cefb65253376a4aa1e16acccb8281aa6c40a02427b814d7214ccb

SHA512
d8e7e865a4b3c321b7f2e6383bcc9b2123f2963637cbbdd9d0f9a7e830a5a533796d1b0caad0010f6f838b6ba411704edfc1f140077e7403a8eec420e2ac60fd

Download Submit
C:\windows\SysWOW64\JUF.exe.bat

Filesize
70B

MD5
d00bd537d8d99408a5d72556c51e62a4

SHA1
d41715cd7dbd11bad743cd9bdce51a18fec6f952

SHA256
a1c3231c6e6c6af35896edd1d00af6eee79a2a9e4e0f4f715020846e2852c58d

SHA512
ed39f8352212f70187c4003b742da0fcc494cc38888a5e108dc0b2c259cf0243e4a05d8d0c4d2c154137eee00b8f18aa9756d7517c5dedcdbb253f7d0b8c1786

Download Submit
\Windows\SysWOW64\JUF.exe

Filesize
208KB

MD5
dde050bf1a4c2e69b4e127a4e95032ea

SHA1
4358d6f8277639f5c130f012d7c354bf4bc0b38b

SHA256
f5da62c2c86cefb65253376a4aa1e16acccb8281aa6c40a02427b814d7214ccb

SHA512
d8e7e865a4b3c321b7f2e6383bcc9b2123f2963637cbbdd9d0f9a7e830a5a533796d1b0caad0010f6f838b6ba411704edfc1f140077e7403a8eec420e2ac60fd

Download Submit
\Windows\SysWOW64\JUF.exe

Filesize
208KB

MD5
dde050bf1a4c2e69b4e127a4e95032ea

SHA1
4358d6f8277639f5c130f012d7c354bf4bc0b38b

SHA256
f5da62c2c86cefb65253376a4aa1e16acccb8281aa6c40a02427b814d7214ccb

SHA512
d8e7e865a4b3c321b7f2e6383bcc9b2123f2963637cbbdd9d0f9a7e830a5a533796d1b0caad0010f6f838b6ba411704edfc1f140077e7403a8eec420e2ac60fd

Download Submit
memory/2120-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2120-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2776-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2776-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2780-16-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing