e12c254630c7ee4259687a2d5e3ee2915cfc134c9a653cbacbddd549accc6fbc

General

Target

NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe
Size

208KB
MD5

69c2cd9cefc59d5c2890d2447d930e00
SHA1

d7dc1ca1172d9167babd0227eaa903c5a5370c7b
SHA256

e12c254630c7ee4259687a2d5e3ee2915cfc134c9a653cbacbddd549accc6fbc
SHA512

57c240e294aba0f40bb1c1b940096e6857e38c8fb4dd7272ed6ca25e1b2d2b1e745b016975ea595d37bb8961808783fec3d8c6290d8395d32abb150443555b4e
SSDEEP

3072:v0//fLt2xN0qmX0DFeLuK44AdfZl8WxO4NLthEjQT6j:u7e0qmXEfK44o7lEQEj1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	YGGFXS.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	cmd.exe
2772	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\system\YGGFXS.exe.bat	NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe
File created	C:\windows\system\YGGFXS.exe	NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe
File opened for modification	C:\windows\system\YGGFXS.exe	NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2752	NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe
2836	YGGFXS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2752	NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe
2752	NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe
2836	YGGFXS.exe
2836	YGGFXS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2772	2752	NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe	28
PID 2752 wrote to memory of 2772	2752	NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe	28
PID 2752 wrote to memory of 2772	2752	NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe	28
PID 2752 wrote to memory of 2772	2752	NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe	28
PID 2772 wrote to memory of 2836	2772	cmd.exe	30
PID 2772 wrote to memory of 2836	2772	cmd.exe	30
PID 2772 wrote to memory of 2836	2772	cmd.exe	30
PID 2772 wrote to memory of 2836	2772	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.69c2cd9cefc59d5c2890d2447d930e00.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\YGGFXS.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\windows\system\YGGFXS.exe
    C:\windows\system\YGGFXS.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\YGGFXS.exe

Filesize
208KB

MD5
938a7e16d6647bebdb8fcae73c124680

SHA1
05dd56088bb29b7abb6e90e382d4b4abd776d693

SHA256
fab12050f61cd1bd37889baa6c9a3fa4d9f3550aeb688a0be7640c4dd0465978

SHA512
01810c5cf3fa5e3aafef37c4cc9a21e7e5ca591e960622e8e973abe59ca876aa1382f315834bd6e69f9e1b54a0050e8d1d4c20ae40fd8e144a5bf3af0a8bedcd

Download Submit
C:\Windows\system\YGGFXS.exe.bat

Filesize
72B

MD5
c19a418654aa552dc38c25f7e9f17c47

SHA1
db1fb7a4ea6b61da6fc3454394dfd4662f250c5a

SHA256
fd4fa10032df7c7ac545d0ee90a74485796d9b13030455187dc70ad63a1a0da6

SHA512
f77e4dd77d6a2dccb43345bf794b633600c07503727216379527f35b46f6f2c8810967e5e0271b970ef8bccd3afc35a76dd30bbd9f2b7b36218ab11cd3d6c677

Download Submit
C:\windows\system\YGGFXS.exe

Filesize
208KB

MD5
938a7e16d6647bebdb8fcae73c124680

SHA1
05dd56088bb29b7abb6e90e382d4b4abd776d693

SHA256
fab12050f61cd1bd37889baa6c9a3fa4d9f3550aeb688a0be7640c4dd0465978

SHA512
01810c5cf3fa5e3aafef37c4cc9a21e7e5ca591e960622e8e973abe59ca876aa1382f315834bd6e69f9e1b54a0050e8d1d4c20ae40fd8e144a5bf3af0a8bedcd

Download Submit
C:\windows\system\YGGFXS.exe.bat

Filesize
72B

MD5
c19a418654aa552dc38c25f7e9f17c47

SHA1
db1fb7a4ea6b61da6fc3454394dfd4662f250c5a

SHA256
fd4fa10032df7c7ac545d0ee90a74485796d9b13030455187dc70ad63a1a0da6

SHA512
f77e4dd77d6a2dccb43345bf794b633600c07503727216379527f35b46f6f2c8810967e5e0271b970ef8bccd3afc35a76dd30bbd9f2b7b36218ab11cd3d6c677

Download Submit
\Windows\system\YGGFXS.exe

Filesize
208KB

MD5
938a7e16d6647bebdb8fcae73c124680

SHA1
05dd56088bb29b7abb6e90e382d4b4abd776d693

SHA256
fab12050f61cd1bd37889baa6c9a3fa4d9f3550aeb688a0be7640c4dd0465978

SHA512
01810c5cf3fa5e3aafef37c4cc9a21e7e5ca591e960622e8e973abe59ca876aa1382f315834bd6e69f9e1b54a0050e8d1d4c20ae40fd8e144a5bf3af0a8bedcd

Download Submit
\Windows\system\YGGFXS.exe

Filesize
208KB

MD5
938a7e16d6647bebdb8fcae73c124680

SHA1
05dd56088bb29b7abb6e90e382d4b4abd776d693

SHA256
fab12050f61cd1bd37889baa6c9a3fa4d9f3550aeb688a0be7640c4dd0465978

SHA512
01810c5cf3fa5e3aafef37c4cc9a21e7e5ca591e960622e8e973abe59ca876aa1382f315834bd6e69f9e1b54a0050e8d1d4c20ae40fd8e144a5bf3af0a8bedcd

Download Submit
memory/2752-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2752-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2772-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2772-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2836-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2836-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing