77df52222468a25b1b124004d5c359c2497d7a2db9abe5792c69bf31b158d209

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 07:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6a63f8d1dbe9240db14fab8f709b3840_JC.exe
Size

32KB
MD5

6a63f8d1dbe9240db14fab8f709b3840
SHA1

2d81e467149b3635c2db88290de05e3bf1d493b7
SHA256

77df52222468a25b1b124004d5c359c2497d7a2db9abe5792c69bf31b158d209
SHA512

d5e5c21d9cfdaca8abd80c53d688cb8bd4de26a8b67bb013648be22cda2b2e0933c06159361571040bfc9878fc28ef4827d3d70c20df390adce816e13c162051
SSDEEP

768:xW9+F8BPtElggggggLvggggggggUaocdFgNOO:ekoqeJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2832	btkba.exe

Loads dropped DLL 1 IoCs

pid	Process
1060	NEAS.6a63f8d1dbe9240db14fab8f709b3840_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 2832	1060	NEAS.6a63f8d1dbe9240db14fab8f709b3840_JC.exe	28
PID 1060 wrote to memory of 2832	1060	NEAS.6a63f8d1dbe9240db14fab8f709b3840_JC.exe	28
PID 1060 wrote to memory of 2832	1060	NEAS.6a63f8d1dbe9240db14fab8f709b3840_JC.exe	28
PID 1060 wrote to memory of 2832	1060	NEAS.6a63f8d1dbe9240db14fab8f709b3840_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.6a63f8d1dbe9240db14fab8f709b3840_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6a63f8d1dbe9240db14fab8f709b3840_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\btkba.exe
  "C:\Users\Admin\AppData\Local\Temp\btkba.exe"
  2⤵
  - Executes dropped EXE
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\btkba.exe

Filesize
33KB

MD5
1b5624554ff2632fec3f715aa3a192af

SHA1
7b36f5d031b8062887bf2b3736cfd92a33166125

SHA256
c571ed8d7aea3ffa6b5b91b828ad81c3d78d52c41752889067ce231f31e70d0f

SHA512
936607f9a55eb8380b2c8e1d9a4fea9254aa71ceac6c4a0dcd576c49b0b7c19b21428727804890ca10a1f8efcb5495b7bfd0e3721e0740f1ca59f74ab971e147

Download Submit
C:\Users\Admin\AppData\Local\Temp\btkba.exe

Filesize
33KB

MD5
1b5624554ff2632fec3f715aa3a192af

SHA1
7b36f5d031b8062887bf2b3736cfd92a33166125

SHA256
c571ed8d7aea3ffa6b5b91b828ad81c3d78d52c41752889067ce231f31e70d0f

SHA512
936607f9a55eb8380b2c8e1d9a4fea9254aa71ceac6c4a0dcd576c49b0b7c19b21428727804890ca10a1f8efcb5495b7bfd0e3721e0740f1ca59f74ab971e147

Download Submit
\Users\Admin\AppData\Local\Temp\btkba.exe

Filesize
33KB

MD5
1b5624554ff2632fec3f715aa3a192af

SHA1
7b36f5d031b8062887bf2b3736cfd92a33166125

SHA256
c571ed8d7aea3ffa6b5b91b828ad81c3d78d52c41752889067ce231f31e70d0f

SHA512
936607f9a55eb8380b2c8e1d9a4fea9254aa71ceac6c4a0dcd576c49b0b7c19b21428727804890ca10a1f8efcb5495b7bfd0e3721e0740f1ca59f74ab971e147

Download Submit
memory/1060-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1060-2-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2832-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download