7783b815a3f39238d192c9be567cf7da26803804eb847a5dd6fc761886c21e9c

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 23:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6725e4c9694b4d363df47509ec4e59c0_JC.exe
Size

245KB
MD5

6725e4c9694b4d363df47509ec4e59c0
SHA1

08da153e1779544ff43a480eb3e9cf826bf04a28
SHA256

7783b815a3f39238d192c9be567cf7da26803804eb847a5dd6fc761886c21e9c
SHA512

6ee521a44086f302b7e534258c2d2c51dc675f5385188523b5c67e9751be809356de8285b6f652429d2be58bb74a285eaea022e878354499940829322805618f
SSDEEP

6144:LMooVQnnOBccnskYPmTpUxrr1XRA7WHxWoN+J0EafCUSYibN6WGF:8QnO/s1mTpG5bUo4bafVibvE

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2452-1-0x0000000000400000-0x0000000001C5B000-memory.dmp	upx
behavioral1/memory/2452-2-0x0000000000400000-0x0000000001C5B000-memory.dmp	upx

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2768	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2588	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2624	2452	NEAS.6725e4c9694b4d363df47509ec4e59c0_JC.exe	3
PID 2452 wrote to memory of 2624	2452	NEAS.6725e4c9694b4d363df47509ec4e59c0_JC.exe	3
PID 2452 wrote to memory of 2624	2452	NEAS.6725e4c9694b4d363df47509ec4e59c0_JC.exe	3
PID 2452 wrote to memory of 2624	2452	NEAS.6725e4c9694b4d363df47509ec4e59c0_JC.exe	3
PID 2624 wrote to memory of 2768	2624	cmd.exe	1
PID 2624 wrote to memory of 2768	2624	cmd.exe	1
PID 2624 wrote to memory of 2768	2624	cmd.exe	1
PID 2624 wrote to memory of 2768	2624	cmd.exe	1
PID 2624 wrote to memory of 2588	2624	cmd.exe	33
PID 2624 wrote to memory of 2588	2624	cmd.exe	33
PID 2624 wrote to memory of 2588	2624	cmd.exe	33
PID 2624 wrote to memory of 2588	2624	cmd.exe	33

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
1⤵
- Gathers system information
PID:2768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c systeminfo>>C:\Windows\temp\setup_gitlog.txt&ping 8.8.8.8>>C:\Windows\temp\setup_gitlog.txt
1⤵
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\SysWOW64\PING.EXE
  ping 8.8.8.8
  2⤵
  - Runs ping.exe
  PID:2588

C:\Users\Admin\AppData\Local\Temp\NEAS.6725e4c9694b4d363df47509ec4e59c0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6725e4c9694b4d363df47509ec4e59c0_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp\setup_gitlog.txt

Filesize
33B

MD5
346bbdef8e66561ce4c33013160d7c75

SHA1
023e40d5eb04b2d7e8346ea0c9a62b05d372abec

SHA256
ce357dc9d96cbb6933f7895d5fee9052b72733c2db9fc32b1555761b1bd0c277

SHA512
f2fd0412846455ee0f47f9e88192ea4c6ee60c3118be40a44c9b626566652ed46b1c3a0708a7ec6feba7a9cafc61091a2a1c6cb864a99a081bb842625040594f

Download Submit
memory/2452-1-0x0000000000400000-0x0000000001C5B000-memory.dmp

Filesize
24.4MB

Download
memory/2452-2-0x0000000000400000-0x0000000001C5B000-memory.dmp

Filesize
24.4MB

Download