Overview

overview

9

Static

static

3

NEAS.6848d...80.exe

windows7-x64

9

NEAS.6848d...80.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2023, 23:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.6848d5d67a05a2f454fd71ab9e7cf480.exe

  • Size

    233KB

  • MD5

    6848d5d67a05a2f454fd71ab9e7cf480

  • SHA1

    1585e1cbdcd3d05c04e2328c8175f5d83ed640c3

  • SHA256

    6434d7c711f63e76325410d5a1849bd9d5bf4626e7e07eb0d772b31acc655a1e

  • SHA512

    99b712ab4d324082d3ca4b3bc880d763e0f64c223a9ef95b13c2c23ff10a192933665dd5074375acb862bf87205a822e2b8578cf63a3e68303a5107dccfc03e9

  • SSDEEP

    3072:6e7WpUV2x7L+4XGH3XGkR2SRXGkR2SnbZmZRN2jN212R2HI9D3N0NGCLOwstyhZC:RqpMH5ZmZ/2R2o9rN4ShcHUa2

Score
9/10
ransomware

Malware Config

Signatures

  • Renames multiple (635) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.6848d5d67a05a2f454fd71ab9e7cf480.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.6848d5d67a05a2f454fd71ab9e7cf480.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4272
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2712
    • C:\Users\Admin\AppData\Local\Temp\_cpush.exe
      "_cpush.exe"
      2⤵
      • Executes dropped EXE
      PID:3272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1873812795-1433807462-1429862679-1000\desktop.ini.exe
    Filesize

    93KB

    MD5

    c5f642a31b1f8f1ea4c1165ce0f63f92

    SHA1

    0d03cc89e08c1899eefc8eafd53e7b4595d7fd6e

    SHA256

    2839d95d709c77e7db0540bc9d11db21727f955baf1020b5859aab736d20f3fb

    SHA512

    9aef9ff8fd210c7f29a7709f241d1bc43bfb5f6c1da793f7d780629ee9cc29bf64a78eebbb74ae67b0b8ef8cfe20b517aa7ceb745caedaf9ed7b39e8dedcf8a0

    Download Submit

  • C:\$Recycle.Bin\S-1-5-21-1873812795-1433807462-1429862679-1000\desktop.ini.tmp
    Filesize

    93KB

    MD5

    c5f642a31b1f8f1ea4c1165ce0f63f92

    SHA1

    0d03cc89e08c1899eefc8eafd53e7b4595d7fd6e

    SHA256

    2839d95d709c77e7db0540bc9d11db21727f955baf1020b5859aab736d20f3fb

    SHA512

    9aef9ff8fd210c7f29a7709f241d1bc43bfb5f6c1da793f7d780629ee9cc29bf64a78eebbb74ae67b0b8ef8cfe20b517aa7ceb745caedaf9ed7b39e8dedcf8a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_cpush.exe
    Filesize

    140KB

    MD5

    1793928d1c8daf03a8b67a60a0ffbd93

    SHA1

    c777c5be2321bf493877efef590eec8c822e2072

    SHA256

    84a2bb3191f370ba456dd8637e08cd47ef1c80a54d081881cd1e16a8c67f0238

    SHA512

    64ef94fb34b637c5d40878f4d3b0db7f2d74e89be35fca959ee9354cdf8f5bd61d90e8aa1ff795ddafe60ba5d1a0d4b57c41b1bf8750d24d685aa98f4142c11a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_cpush.exe
    Filesize

    140KB

    MD5

    1793928d1c8daf03a8b67a60a0ffbd93

    SHA1

    c777c5be2321bf493877efef590eec8c822e2072

    SHA256

    84a2bb3191f370ba456dd8637e08cd47ef1c80a54d081881cd1e16a8c67f0238

    SHA512

    64ef94fb34b637c5d40878f4d3b0db7f2d74e89be35fca959ee9354cdf8f5bd61d90e8aa1ff795ddafe60ba5d1a0d4b57c41b1bf8750d24d685aa98f4142c11a

    Download Submit

  • C:\Windows\SysWOW64\Zombie.exe
    Filesize

    92KB

    MD5

    b70a5b1435b9687520df9d6340016755

    SHA1

    b035050a5133eade208ac4cb77d52849ebe70153

    SHA256

    a713f47befe287affd05649035a75691f593918d9cbb38005658d446c4596151

    SHA512

    1a69dfd2dd91fd8b8b7d246581e11ddfe055b3b219ff174c4db0265cefc1ce61afe84275b72b77abec026214f46db821a064e9b726ed32b521731d3fa959b622

    Download Submit

  • C:\Windows\SysWOW64\Zombie.exe
    Filesize

    92KB

    MD5

    b70a5b1435b9687520df9d6340016755

    SHA1

    b035050a5133eade208ac4cb77d52849ebe70153

    SHA256

    a713f47befe287affd05649035a75691f593918d9cbb38005658d446c4596151

    SHA512

    1a69dfd2dd91fd8b8b7d246581e11ddfe055b3b219ff174c4db0265cefc1ce61afe84275b72b77abec026214f46db821a064e9b726ed32b521731d3fa959b622

    Download Submit

  • memory/3272-17-0x0000000000270000-0x0000000000298000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3272-19-0x00007FFA8A370000-0x00007FFA8AE31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3272-314-0x00007FFA8A370000-0x00007FFA8AE31000-memory.dmp

    Filesize

    10.8MB

    Download