f6618ecceed655db5c80d702fe9511dbe206f981c8df937dc0f5f88893808e3e

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e93e1dfb06e791938d6b2e090da85e60.exe
Size

34KB
MD5

e93e1dfb06e791938d6b2e090da85e60
SHA1

a4ec634d143d8a2a5c1bd1d2ec0f6269bab08b9f
SHA256

f6618ecceed655db5c80d702fe9511dbe206f981c8df937dc0f5f88893808e3e
SHA512

3fc8fe58e1f774cefe6b0ac13b3e658dad9e7df337bbf0625a98e1bbb55de6e62c663db505dba5aba53b1af380a22671cc5cb01b99566564493c9a0714f3931a
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B0qwmC:btB9g/WItCSsAGjX7r3BTwmC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
844	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
1316	NEAS.e93e1dfb06e791938d6b2e090da85e60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1316	NEAS.e93e1dfb06e791938d6b2e090da85e60.exe
844	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 844	1316	NEAS.e93e1dfb06e791938d6b2e090da85e60.exe	28
PID 1316 wrote to memory of 844	1316	NEAS.e93e1dfb06e791938d6b2e090da85e60.exe	28
PID 1316 wrote to memory of 844	1316	NEAS.e93e1dfb06e791938d6b2e090da85e60.exe	28
PID 1316 wrote to memory of 844	1316	NEAS.e93e1dfb06e791938d6b2e090da85e60.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.e93e1dfb06e791938d6b2e090da85e60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e93e1dfb06e791938d6b2e090da85e60.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
34KB

MD5
da3494c3243b75033b2dd3b4007d4fbf

SHA1
121fd6e133d86414ce701c952de39295c51cd21d

SHA256
ef7b5ef2e87effe579689336406fba281eb5cbbaed822e371a3415025bb468c7

SHA512
8aa9dd23c58bd7cd9275bf9cbd6e0b5df06c754389775952f9d7e8a2e9fd7a2caa22782ab9a3f0ebedaca6e63b81bc3d465690b558062924a374fde7a232e113

Download Submit
C:\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
34KB

MD5
da3494c3243b75033b2dd3b4007d4fbf

SHA1
121fd6e133d86414ce701c952de39295c51cd21d

SHA256
ef7b5ef2e87effe579689336406fba281eb5cbbaed822e371a3415025bb468c7

SHA512
8aa9dd23c58bd7cd9275bf9cbd6e0b5df06c754389775952f9d7e8a2e9fd7a2caa22782ab9a3f0ebedaca6e63b81bc3d465690b558062924a374fde7a232e113

Download Submit
\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
34KB

MD5
da3494c3243b75033b2dd3b4007d4fbf

SHA1
121fd6e133d86414ce701c952de39295c51cd21d

SHA256
ef7b5ef2e87effe579689336406fba281eb5cbbaed822e371a3415025bb468c7

SHA512
8aa9dd23c58bd7cd9275bf9cbd6e0b5df06c754389775952f9d7e8a2e9fd7a2caa22782ab9a3f0ebedaca6e63b81bc3d465690b558062924a374fde7a232e113

Download Submit
memory/844-16-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/1316-0-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/1316-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1316-1-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download