77c0d4d67099fa6c6de16ff5ff186bef857f1ccc72fb36ac0f0d8d52a638eed2

Analysis

max time kernel
151s
max time network
142s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
28/10/2023, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.29f2b6f5b318405e59511be58d4d96f0.exe
Size

422KB
MD5

29f2b6f5b318405e59511be58d4d96f0
SHA1

de60aeec98db1c43f744ed8e108573ddc883c506
SHA256

77c0d4d67099fa6c6de16ff5ff186bef857f1ccc72fb36ac0f0d8d52a638eed2
SHA512

7c7120f98820757865d11667b1df78b6415eec6413bfd674f0078d750d3d52f5d88267157c6941780e78843d7eea77350d06fbee3d856799f9fb3c8f915848be
SSDEEP

12288:47KAnqKJIUADVGBRZJrBFGcyh5SQ2usfvecpwK:47KAnqKJIUABGBRbBFGcyh5S1usfvecL

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2548	Sysceamcvocg.exe

Executes dropped EXE 1 IoCs

pid	Process
2548	Sysceamcvocg.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	NEAS.29f2b6f5b318405e59511be58d4d96f0.exe
2032	NEAS.29f2b6f5b318405e59511be58d4d96f0.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2032-0-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2032-9-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/files/0x001c000000013a4e-11.dat	upx
behavioral1/files/0x001c000000013a4e-12.dat	upx
behavioral1/files/0x001c000000013a4e-13.dat	upx
behavioral1/files/0x001c000000013a4e-17.dat	upx
behavioral1/files/0x001c000000013a4e-18.dat	upx
behavioral1/memory/2032-20-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2548-21-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe
2548	Sysceamcvocg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2548	2032	NEAS.29f2b6f5b318405e59511be58d4d96f0.exe	30
PID 2032 wrote to memory of 2548	2032	NEAS.29f2b6f5b318405e59511be58d4d96f0.exe	30
PID 2032 wrote to memory of 2548	2032	NEAS.29f2b6f5b318405e59511be58d4d96f0.exe	30
PID 2032 wrote to memory of 2548	2032	NEAS.29f2b6f5b318405e59511be58d4d96f0.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.29f2b6f5b318405e59511be58d4d96f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.29f2b6f5b318405e59511be58d4d96f0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\Sysceamcvocg.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamcvocg.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysceamcvocg.exe

Filesize
422KB

MD5
85f05172bdf302005d0e07f8d5498b17

SHA1
c8c6be1a2edbd1b837456db8f34210b18e7433e2

SHA256
c27f3e12a2fd64597f00ba3cbfccf4ba69e2e8efe64f804f24a1c6ee025e7588

SHA512
2b03a99c379c7119dffd9132a5ee9e0b415b09b79d4c453d4caf8beae15e534ac00d7e17876aa85b0dfa342775a0817db2fe31ccea50428711e299bed607a993

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamcvocg.exe

Filesize
422KB

MD5
85f05172bdf302005d0e07f8d5498b17

SHA1
c8c6be1a2edbd1b837456db8f34210b18e7433e2

SHA256
c27f3e12a2fd64597f00ba3cbfccf4ba69e2e8efe64f804f24a1c6ee025e7588

SHA512
2b03a99c379c7119dffd9132a5ee9e0b415b09b79d4c453d4caf8beae15e534ac00d7e17876aa85b0dfa342775a0817db2fe31ccea50428711e299bed607a993

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamcvocg.exe

Filesize
422KB

MD5
85f05172bdf302005d0e07f8d5498b17

SHA1
c8c6be1a2edbd1b837456db8f34210b18e7433e2

SHA256
c27f3e12a2fd64597f00ba3cbfccf4ba69e2e8efe64f804f24a1c6ee025e7588

SHA512
2b03a99c379c7119dffd9132a5ee9e0b415b09b79d4c453d4caf8beae15e534ac00d7e17876aa85b0dfa342775a0817db2fe31ccea50428711e299bed607a993

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
75B

MD5
29ff3f6c9768a006dc87c7fd1159450d

SHA1
ed1971597a075d06abe6cc3de080e2b789d59c25

SHA256
3610a9c2cba139fc7fb9cfd29786b2cfa20a09fe42450a3b69287124952fa170

SHA512
1cb412453fe0f14b039561e0e70cd4c44f534cedc1e9576e67d1abedb5b2a4a3ae9da6aa1311608fa6173830b83365722696b6fe3bde21ea36388b8e491ef57f

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamcvocg.exe

Filesize
422KB

MD5
85f05172bdf302005d0e07f8d5498b17

SHA1
c8c6be1a2edbd1b837456db8f34210b18e7433e2

SHA256
c27f3e12a2fd64597f00ba3cbfccf4ba69e2e8efe64f804f24a1c6ee025e7588

SHA512
2b03a99c379c7119dffd9132a5ee9e0b415b09b79d4c453d4caf8beae15e534ac00d7e17876aa85b0dfa342775a0817db2fe31ccea50428711e299bed607a993

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamcvocg.exe

Filesize
422KB

MD5
85f05172bdf302005d0e07f8d5498b17

SHA1
c8c6be1a2edbd1b837456db8f34210b18e7433e2

SHA256
c27f3e12a2fd64597f00ba3cbfccf4ba69e2e8efe64f804f24a1c6ee025e7588

SHA512
2b03a99c379c7119dffd9132a5ee9e0b415b09b79d4c453d4caf8beae15e534ac00d7e17876aa85b0dfa342775a0817db2fe31ccea50428711e299bed607a993

Download Submit
memory/2032-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2032-9-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2032-20-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2548-21-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download