Overview

overview

8

Static

static

3

NEAS.29a98...50.exe

windows7-x64

8

NEAS.29a98...50.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    28-10-2023 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.29a98a2e7b592b81b1575da3f1450150.exe

  • Size

    473KB

  • MD5

    29a98a2e7b592b81b1575da3f1450150

  • SHA1

    abb5a5799db34a07d72ed67d17a2439712b3c257

  • SHA256

    8a3b0fadb3d29acc80da1aab63d7a8d966a0a30af1652578f37cabdbda619863

  • SHA512

    4a1f805e54f8f465991c82ecfb7f4961a1cf8fee30cf44cd3873ecb54b02abb57650430e559e33bf0f1841ab27c6f7002135b7d25325866105e82f82ba2d441e

  • SSDEEP

    1536:ur3Z5IfQmv81a1xyXHZ+NGQSLNmCm6oyz7jBd7qDmbNPMJAVC+++h:yJOfQm01mxyXHZKG7pm6j77Z

Score
8/10
evasion

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.29a98a2e7b592b81b1575da3f1450150.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.29a98a2e7b592b81b1575da3f1450150.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Windows\SysWOW64\attrib.exe
      attrib +a +s +h +r C:\Windows\Debug\iuyhost.exe
      2⤵
      • Sets file to hidden
      • Drops file in Windows directory
      • Views/modifies file attributes
      PID:3004
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\NEAS29~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2160
  • C:\Windows\Debug\iuyhost.exe
    C:\Windows\Debug\iuyhost.exe
    1⤵
    • Executes dropped EXE
    PID:1948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Debug\iuyhost.exe
    Filesize

    473KB

    MD5

    ece6d60fd2077f31affd481bc5c3a7a7

    SHA1

    395994708e1951857e216f0ecefef951b8c69f43

    SHA256

    d8850768b2d2b12bb02460d7db56dc83b98e24188cc0c1a20aef877d1ce4842b

    SHA512

    9148c4d23cf7bf90973be52936ef94949f92f4839a7d3121ff36b9a391a492593361fc01529ebe7520935cb5af854fae60bf7c4a8b2c8476bf8b6e128a2951ad

    Download Submit

  • C:\Windows\debug\iuyhost.exe
    Filesize

    473KB

    MD5

    ece6d60fd2077f31affd481bc5c3a7a7

    SHA1

    395994708e1951857e216f0ecefef951b8c69f43

    SHA256

    d8850768b2d2b12bb02460d7db56dc83b98e24188cc0c1a20aef877d1ce4842b

    SHA512

    9148c4d23cf7bf90973be52936ef94949f92f4839a7d3121ff36b9a391a492593361fc01529ebe7520935cb5af854fae60bf7c4a8b2c8476bf8b6e128a2951ad

    Download Submit