Overview

overview

7

Static

static

3

NEAS.bc55d...40.exe

windows7-x64

7

NEAS.bc55d...40.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    31-10-2023 08:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.bc55d0e90fa43a787928a2c6e67fe640.exe

  • Size

    7.8MB

  • MD5

    bc55d0e90fa43a787928a2c6e67fe640

  • SHA1

    673cd33651ca154c394e290069409648962dac69

  • SHA256

    1c1d0612809c1b98d0acc0258d3a28ba3543081b820863d257d2dc94d25b9ee0

  • SHA512

    37f989a7d841f7bc3a8d8b175d0a1c238c44d66ab6c7e37eb0b9f891f4223a1f6dd577806fa955527f45df1a7111fa1b201e5c9019e8ff9e8b0adba04d8f0a79

  • SSDEEP

    196608:c6ecrVcUEtl1/VgedP5Qe2MUi/cH6gmmd7I2LRtaJ9R:cWpcZ3ge3Ui/cagmaI2LRMPR

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\AtaLib\AtaLib.exe
    "C:\Program Files (x86)\AtaLib\AtaLib.exe"
    1⤵
    • Executes dropped EXE
    PID:2492
  • C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "AL1027-3"
    1⤵
      PID:1748
    • C:\Users\Admin\AppData\Local\Temp\is-37BJV.tmp\NEAS.bc55d0e90fa43a787928a2c6e67fe640.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-37BJV.tmp\NEAS.bc55d0e90fa43a787928a2c6e67fe640.tmp" /SL5="$3014E,7887567,54272,C:\Users\Admin\AppData\Local\Temp\NEAS.bc55d0e90fa43a787928a2c6e67fe640.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Query
        2⤵
          PID:1100
        • C:\Program Files (x86)\AtaLib\AtaLib.exe
          "C:\Program Files (x86)\AtaLib\AtaLib.exe" 929446be0341a6d0dfc681ad0032138a
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1484
      • C:\Users\Admin\AppData\Local\Temp\NEAS.bc55d0e90fa43a787928a2c6e67fe640.exe
        "C:\Users\Admin\AppData\Local\Temp\NEAS.bc55d0e90fa43a787928a2c6e67fe640.exe"
        1⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1992

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\AtaLib\AtaLib.exe
        Filesize

        4.6MB

        MD5

        4de2e6d895dec511cb3ab3b316f2936b

        SHA1

        a865e237ed2d84186b385292a63c72c5bc864ce9

        SHA256

        a286d622700526fb07e02ae1f0d21b16071bfb057dc502588912465758dbc001

        SHA512

        f075c9a069e1c28a6b1f85d9b81af7dcd1deab7472a1323f450ddec3f453cd4dc7557c339b9ff7df4435f162bab3b7450db0811107a3eeb426896971765dc032

        Download Submit

      • C:\Program Files (x86)\AtaLib\AtaLib.exe
        Filesize

        4.6MB

        MD5

        4de2e6d895dec511cb3ab3b316f2936b

        SHA1

        a865e237ed2d84186b385292a63c72c5bc864ce9

        SHA256

        a286d622700526fb07e02ae1f0d21b16071bfb057dc502588912465758dbc001

        SHA512

        f075c9a069e1c28a6b1f85d9b81af7dcd1deab7472a1323f450ddec3f453cd4dc7557c339b9ff7df4435f162bab3b7450db0811107a3eeb426896971765dc032

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-37BJV.tmp\NEAS.bc55d0e90fa43a787928a2c6e67fe640.tmp
        Filesize

        680KB

        MD5

        f7b197025e844e27abfae965860a962e

        SHA1

        270afb0d64f0c1be08c4b803ab0ac6ce724ba75f

        SHA256

        b180514812407ce53ea0b9a5b2aeddb88e30c65e2d0ec3e74f96f8a7c4562a55

        SHA512

        66a6fdba253adbe9263f1f54954ee1ede18e3fa0bc68b410919c4313bc6ef5076a4d7f9fb8015420270e16991ee72535962eaaffe11bd3825f2e45bf6912b3ba

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-37BJV.tmp\NEAS.bc55d0e90fa43a787928a2c6e67fe640.tmp
        Filesize

        680KB

        MD5

        f7b197025e844e27abfae965860a962e

        SHA1

        270afb0d64f0c1be08c4b803ab0ac6ce724ba75f

        SHA256

        b180514812407ce53ea0b9a5b2aeddb88e30c65e2d0ec3e74f96f8a7c4562a55

        SHA512

        66a6fdba253adbe9263f1f54954ee1ede18e3fa0bc68b410919c4313bc6ef5076a4d7f9fb8015420270e16991ee72535962eaaffe11bd3825f2e45bf6912b3ba

        Download Submit

      • \Program Files (x86)\AtaLib\AtaLib.exe
        Filesize

        4.6MB

        MD5

        4de2e6d895dec511cb3ab3b316f2936b

        SHA1

        a865e237ed2d84186b385292a63c72c5bc864ce9

        SHA256

        a286d622700526fb07e02ae1f0d21b16071bfb057dc502588912465758dbc001

        SHA512

        f075c9a069e1c28a6b1f85d9b81af7dcd1deab7472a1323f450ddec3f453cd4dc7557c339b9ff7df4435f162bab3b7450db0811107a3eeb426896971765dc032

        Download Submit

      • \Users\Admin\AppData\Local\Temp\is-37BJV.tmp\NEAS.bc55d0e90fa43a787928a2c6e67fe640.tmp
        Filesize

        680KB

        MD5

        f7b197025e844e27abfae965860a962e

        SHA1

        270afb0d64f0c1be08c4b803ab0ac6ce724ba75f

        SHA256

        b180514812407ce53ea0b9a5b2aeddb88e30c65e2d0ec3e74f96f8a7c4562a55

        SHA512

        66a6fdba253adbe9263f1f54954ee1ede18e3fa0bc68b410919c4313bc6ef5076a4d7f9fb8015420270e16991ee72535962eaaffe11bd3825f2e45bf6912b3ba

        Download Submit

      • \Users\Admin\AppData\Local\Temp\is-D6BMH.tmp\_isetup\_iscrypt.dll
        Filesize

        2KB

        MD5

        a69559718ab506675e907fe49deb71e9

        SHA1

        bc8f404ffdb1960b50c12ff9413c893b56f2e36f

        SHA256

        2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

        SHA512

        e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

        Download Submit

      • \Users\Admin\AppData\Local\Temp\is-D6BMH.tmp\_isetup\_shfoldr.dll
        Filesize

        22KB

        MD5

        92dc6ef532fbb4a5c3201469a5b5eb63

        SHA1

        3e89ff837147c16b4e41c30d6c796374e0b8e62c

        SHA256

        9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

        SHA512

        9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

        Download Submit

      • \Users\Admin\AppData\Local\Temp\is-D6BMH.tmp\_isetup\_shfoldr.dll
        Filesize

        22KB

        MD5

        92dc6ef532fbb4a5c3201469a5b5eb63

        SHA1

        3e89ff837147c16b4e41c30d6c796374e0b8e62c

        SHA256

        9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

        SHA512

        9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

        Download Submit

      • memory/1484-184-0x0000000000400000-0x0000000000C9B000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/1484-180-0x0000000000400000-0x0000000000C9B000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/1484-179-0x00000000002E0000-0x00000000002E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1484-178-0x0000000000400000-0x0000000000C9B000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/1484-172-0x0000000000400000-0x0000000000C9B000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/1484-187-0x0000000000400000-0x0000000000C9B000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/1992-171-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/1992-2-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/1992-0-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2492-165-0x0000000000400000-0x0000000000C9B000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/2492-168-0x0000000000400000-0x0000000000C9B000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/2492-166-0x0000000000330000-0x0000000000331000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2492-163-0x0000000000400000-0x0000000000C9B000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/2492-164-0x0000000000400000-0x0000000000C9B000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/2884-173-0x0000000000240000-0x0000000000241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2884-175-0x0000000000400000-0x00000000004BA000-memory.dmp

        Filesize

        744KB

        Download

      • memory/2884-176-0x0000000003A20000-0x00000000042BB000-memory.dmp

        Filesize

        8.6MB

        Download

      • memory/2884-8-0x0000000000240000-0x0000000000241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2884-162-0x0000000003A20000-0x00000000042BB000-memory.dmp

        Filesize

        8.6MB

        Download