86549e176609e78395b4d5db04e2476cd9e03ee81994c3f9324916be1897676a

General

Target

NEAS.a1d6ed7b4c13673bffde94fc43eeca83.exe
Size

800KB
MD5

a1d6ed7b4c13673bffde94fc43eeca83
SHA1

745502b298264668d89e948a7b338281c5a263d5
SHA256

86549e176609e78395b4d5db04e2476cd9e03ee81994c3f9324916be1897676a
SHA512

44534c106f72ea3464864dd249ff17a56a6e769cab9e37d5790100876f9819a3fa3dea3dd1fc7d7d6ec0afbff90cdab63af749b0ee35b69aa71de1eb824832ea
SSDEEP

12288:P1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0FoWxJpcEi0/3IWV//7cSd2N3YGCLM6B5:P1/aGLDCM4D8ayGMZo8/AIFSZ4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2340	yoonu.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	NEAS.a1d6ed7b4c13673bffde94fc43eeca83.exe
2136	NEAS.a1d6ed7b4c13673bffde94fc43eeca83.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\yoonu.exe"	yoonu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2340	2136	NEAS.a1d6ed7b4c13673bffde94fc43eeca83.exe	28
PID 2136 wrote to memory of 2340	2136	NEAS.a1d6ed7b4c13673bffde94fc43eeca83.exe	28
PID 2136 wrote to memory of 2340	2136	NEAS.a1d6ed7b4c13673bffde94fc43eeca83.exe	28
PID 2136 wrote to memory of 2340	2136	NEAS.a1d6ed7b4c13673bffde94fc43eeca83.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.a1d6ed7b4c13673bffde94fc43eeca83.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a1d6ed7b4c13673bffde94fc43eeca83.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136
- C:\ProgramData\yoonu.exe
  "C:\ProgramData\yoonu.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
800KB

MD5
66568dbcdd650ed0dd50e35cb5ce3d9c

SHA1
890ddda2384dc39c1635cc89264d0a74101608b2

SHA256
64d9cd6800db9d4b0da3c2220da86528ee053a4c66ead3a9239ebbede8643a6e

SHA512
5a3480d2ad5eb3cc0fd195d0f886ef52690e1228df6768de05c531efc6746217ab0bddac91e922ff774c5a74f7bce369e01fdffad49b563d86b12362700b34f5

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
70d6cb7dd01ebd5a21af02945d2ae12f

SHA1
05260b3e17a221e66b58d1e5ed1d0f518392159a

SHA256
136fb79a4b868976a011043345fbef2cb088dd799757ec3970480eb99d9f2e92

SHA512
b2c4c5b6bc5519ebb8e701c37eb298f6bdbb89b09bbf93a4f5c7a0e5b809b7bb3a6355087797e5064c1cc67a1555cbdab782fcba2f8a9d0f18d4f53337a34ea9

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
70d6cb7dd01ebd5a21af02945d2ae12f

SHA1
05260b3e17a221e66b58d1e5ed1d0f518392159a

SHA256
136fb79a4b868976a011043345fbef2cb088dd799757ec3970480eb99d9f2e92

SHA512
b2c4c5b6bc5519ebb8e701c37eb298f6bdbb89b09bbf93a4f5c7a0e5b809b7bb3a6355087797e5064c1cc67a1555cbdab782fcba2f8a9d0f18d4f53337a34ea9

Download Submit
C:\ProgramData\yoonu.exe

Filesize
322KB

MD5
c55578d50bc95bd3871d74de949abeb0

SHA1
7c5672a5dae74aef35aa44d0acbc2e3d961e5e16

SHA256
84f3164ba16ecf66348f98eab1fad1d3fc0ae4fcde348f7c35c6c23d77772ffa

SHA512
86247a2ef40dd03ae7239724c93b001a5ee944ad6de0cc08a186fc42d271da73716c29047f9fb8c28db21beba39052aa077aef22d7de1b30eb2ba726c9af6b2c

Download Submit
C:\ProgramData\yoonu.exe

Filesize
322KB

MD5
c55578d50bc95bd3871d74de949abeb0

SHA1
7c5672a5dae74aef35aa44d0acbc2e3d961e5e16

SHA256
84f3164ba16ecf66348f98eab1fad1d3fc0ae4fcde348f7c35c6c23d77772ffa

SHA512
86247a2ef40dd03ae7239724c93b001a5ee944ad6de0cc08a186fc42d271da73716c29047f9fb8c28db21beba39052aa077aef22d7de1b30eb2ba726c9af6b2c

Download Submit
C:\ProgramData\yoonu.exe

Filesize
322KB

MD5
c55578d50bc95bd3871d74de949abeb0

SHA1
7c5672a5dae74aef35aa44d0acbc2e3d961e5e16

SHA256
84f3164ba16ecf66348f98eab1fad1d3fc0ae4fcde348f7c35c6c23d77772ffa

SHA512
86247a2ef40dd03ae7239724c93b001a5ee944ad6de0cc08a186fc42d271da73716c29047f9fb8c28db21beba39052aa077aef22d7de1b30eb2ba726c9af6b2c

Download Submit
\ProgramData\yoonu.exe

Filesize
322KB

MD5
c55578d50bc95bd3871d74de949abeb0

SHA1
7c5672a5dae74aef35aa44d0acbc2e3d961e5e16

SHA256
84f3164ba16ecf66348f98eab1fad1d3fc0ae4fcde348f7c35c6c23d77772ffa

SHA512
86247a2ef40dd03ae7239724c93b001a5ee944ad6de0cc08a186fc42d271da73716c29047f9fb8c28db21beba39052aa077aef22d7de1b30eb2ba726c9af6b2c

Download Submit
\ProgramData\yoonu.exe

Filesize
322KB

MD5
c55578d50bc95bd3871d74de949abeb0

SHA1
7c5672a5dae74aef35aa44d0acbc2e3d961e5e16

SHA256
84f3164ba16ecf66348f98eab1fad1d3fc0ae4fcde348f7c35c6c23d77772ffa

SHA512
86247a2ef40dd03ae7239724c93b001a5ee944ad6de0cc08a186fc42d271da73716c29047f9fb8c28db21beba39052aa077aef22d7de1b30eb2ba726c9af6b2c

Download Submit
memory/2136-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2340-102-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads