f2c2769ec393e23556e8ca4c8e9f0b14e1e5f6292016da94dda8ed0c4e99b09e

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 08:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0770c8d577ea496e5e9de3498bcb4039.exe
Size

1.5MB
MD5

0770c8d577ea496e5e9de3498bcb4039
SHA1

074d9e9888759aee5db28d83945148b495f432b5
SHA256

f2c2769ec393e23556e8ca4c8e9f0b14e1e5f6292016da94dda8ed0c4e99b09e
SHA512

4564c08c135c0e005f98e3807832f274178540dbdba4e7edc85a9afe46edc1510a6ac6bf3f3a12b301cf9af3e2dfcc4e296288639ab287716767305aee8b4ab9
SSDEEP

3072:NLsnN+833NHAF20aniRklWj8uHp1+2/J4cUorjTE6hWT83idKP50KC:ZsN+QhAPai5tHz+w4VoH46hMKPX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2492	rywuyhp.exe
2704	~DFA1A0.tmp

Loads dropped DLL 4 IoCs

pid	Process
2904	NEAS.0770c8d577ea496e5e9de3498bcb4039.exe
2904	NEAS.0770c8d577ea496e5e9de3498bcb4039.exe
2492	rywuyhp.exe
2492	rywuyhp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	~DFA1A0.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2492	2904	NEAS.0770c8d577ea496e5e9de3498bcb4039.exe	2
PID 2904 wrote to memory of 2492	2904	NEAS.0770c8d577ea496e5e9de3498bcb4039.exe	2
PID 2904 wrote to memory of 2492	2904	NEAS.0770c8d577ea496e5e9de3498bcb4039.exe	2
PID 2904 wrote to memory of 2492	2904	NEAS.0770c8d577ea496e5e9de3498bcb4039.exe	2
PID 2492 wrote to memory of 2704	2492	rywuyhp.exe	1
PID 2492 wrote to memory of 2704	2492	rywuyhp.exe	1
PID 2492 wrote to memory of 2704	2492	rywuyhp.exe	1
PID 2492 wrote to memory of 2704	2492	rywuyhp.exe	1

C:\Users\Admin\AppData\Local\Temp\~DFA1A0.tmp
C:\Users\Admin\AppData\Local\Temp\~DFA1A0.tmp OK
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Users\Admin\AppData\Local\Temp\rywuyhp.exe
C:\Users\Admin\AppData\Local\Temp\rywuyhp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\NEAS.0770c8d577ea496e5e9de3498bcb4039.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0770c8d577ea496e5e9de3498bcb4039.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
30916b2b9135d6466d914bd76eb219f7

SHA1
a7298db8640346a1b426347415642188dfb91a15

SHA256
520a2614877e7966be16603af81e2121fc6442c1968881f5c1ed248ec62c2544

SHA512
7bd16286b23e25469bd04a3ae6cd922f2ef82c92f5eeff5bd7aa3f56c275a9e06d36357c0931e27b15468ddd726bb7d45beb0ede925ddea0285ddd3c3ae60b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\rywuyhp.exe

Filesize
1.5MB

MD5
a507e1b1bbe389b0a8ab15946dfc8937

SHA1
d62fd3695da617a4fd7f1dfb950201d7501cdc6a

SHA256
e3878bae0e42eb7e2857f040ad9ef1a2de24f5ef4d11e9462c059e035de69c1e

SHA512
e5e077e23ee62681dc462a7735e1fff0a2f6d7e5c6ef34f225ebcb25a72d258607ddf9189cf179407f8c2a235d6ac455e1d85db6f7367723a08343d7e6617006

Download Submit
C:\Users\Admin\AppData\Local\Temp\rywuyhp.exe

Filesize
1.5MB

MD5
a507e1b1bbe389b0a8ab15946dfc8937

SHA1
d62fd3695da617a4fd7f1dfb950201d7501cdc6a

SHA256
e3878bae0e42eb7e2857f040ad9ef1a2de24f5ef4d11e9462c059e035de69c1e

SHA512
e5e077e23ee62681dc462a7735e1fff0a2f6d7e5c6ef34f225ebcb25a72d258607ddf9189cf179407f8c2a235d6ac455e1d85db6f7367723a08343d7e6617006

Download Submit
C:\Users\Admin\AppData\Local\Temp\rywuyhp.exe

Filesize
1.5MB

MD5
a507e1b1bbe389b0a8ab15946dfc8937

SHA1
d62fd3695da617a4fd7f1dfb950201d7501cdc6a

SHA256
e3878bae0e42eb7e2857f040ad9ef1a2de24f5ef4d11e9462c059e035de69c1e

SHA512
e5e077e23ee62681dc462a7735e1fff0a2f6d7e5c6ef34f225ebcb25a72d258607ddf9189cf179407f8c2a235d6ac455e1d85db6f7367723a08343d7e6617006

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA1A0.tmp

Filesize
1.5MB

MD5
5c977c1069ab6a470951bcce9100fec1

SHA1
d824ae6aa0e25cc3ae489e849780b1dda659322f

SHA256
7a9dc7d092a0161bbdcdbb26031f1effc7836038960a31e5b6d16ae15f66d45b

SHA512
a71b590b5e6ba64bbf5937e5b102e49b0cdfc42b6a9070085c19fdbd21aef678568d1b364ae3ec79a6df80c86f456147576092357eb8e8464ccf3c0b1a407fd2

Download Submit
\Users\Admin\AppData\Local\Temp\rywuyhp.exe

Filesize
1.5MB

MD5
a507e1b1bbe389b0a8ab15946dfc8937

SHA1
d62fd3695da617a4fd7f1dfb950201d7501cdc6a

SHA256
e3878bae0e42eb7e2857f040ad9ef1a2de24f5ef4d11e9462c059e035de69c1e

SHA512
e5e077e23ee62681dc462a7735e1fff0a2f6d7e5c6ef34f225ebcb25a72d258607ddf9189cf179407f8c2a235d6ac455e1d85db6f7367723a08343d7e6617006

Download Submit
\Users\Admin\AppData\Local\Temp\rywuyhp.exe

Filesize
1.5MB

MD5
a507e1b1bbe389b0a8ab15946dfc8937

SHA1
d62fd3695da617a4fd7f1dfb950201d7501cdc6a

SHA256
e3878bae0e42eb7e2857f040ad9ef1a2de24f5ef4d11e9462c059e035de69c1e

SHA512
e5e077e23ee62681dc462a7735e1fff0a2f6d7e5c6ef34f225ebcb25a72d258607ddf9189cf179407f8c2a235d6ac455e1d85db6f7367723a08343d7e6617006

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA1A0.tmp

Filesize
1.5MB

MD5
5c977c1069ab6a470951bcce9100fec1

SHA1
d824ae6aa0e25cc3ae489e849780b1dda659322f

SHA256
7a9dc7d092a0161bbdcdbb26031f1effc7836038960a31e5b6d16ae15f66d45b

SHA512
a71b590b5e6ba64bbf5937e5b102e49b0cdfc42b6a9070085c19fdbd21aef678568d1b364ae3ec79a6df80c86f456147576092357eb8e8464ccf3c0b1a407fd2

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA1A0.tmp

Filesize
1.5MB

MD5
5c977c1069ab6a470951bcce9100fec1

SHA1
d824ae6aa0e25cc3ae489e849780b1dda659322f

SHA256
7a9dc7d092a0161bbdcdbb26031f1effc7836038960a31e5b6d16ae15f66d45b

SHA512
a71b590b5e6ba64bbf5937e5b102e49b0cdfc42b6a9070085c19fdbd21aef678568d1b364ae3ec79a6df80c86f456147576092357eb8e8464ccf3c0b1a407fd2

Download Submit
memory/2492-15-0x0000000000B90000-0x0000000000C61000-memory.dmp

Filesize
836KB

Download
memory/2492-30-0x0000000000B90000-0x0000000000C61000-memory.dmp

Filesize
836KB

Download
memory/2704-28-0x00000000001B0000-0x0000000000281000-memory.dmp

Filesize
836KB

Download
memory/2704-31-0x00000000001B0000-0x0000000000281000-memory.dmp

Filesize
836KB

Download
memory/2704-36-0x00000000001B0000-0x0000000000281000-memory.dmp

Filesize
836KB

Download
memory/2904-12-0x00000000003A0000-0x0000000000471000-memory.dmp

Filesize
836KB

Download
memory/2904-29-0x00000000003A0000-0x0000000000471000-memory.dmp

Filesize
836KB

Download
memory/2904-27-0x00000000009F0000-0x0000000000AC1000-memory.dmp

Filesize
836KB

Download
memory/2904-0-0x00000000009F0000-0x0000000000AC1000-memory.dmp

Filesize
836KB

Download