Overview

overview

7

Static

static

3

NEAS.f8c43...JC.exe

windows7-x64

7

NEAS.f8c43...JC.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    180s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/11/2023, 21:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe

  • Size

    257KB

  • MD5

    f8c431385b26359e8a88ae72b0812650

  • SHA1

    a6a2aae10c4c5dc8572b2657bfa167c158f927f0

  • SHA256

    8ae56fd12244d0c8403a76405f898afc276e0e4ebcbc3bfce7e9994f2bbcc2ff

  • SHA512

    eff6fda763f2adad93329cddd92ca01222f195f10f73d09f5fd3459655646372219580ee266b5d8b790ea25ab8a5dd9045ef619cff36d9b3c600b5942e6c61fe

  • SSDEEP

    6144:Lottw6sbF2RaA1B+BwXj+G0ZRGP1dJiGNmOdT2GusIKpvVAOv/5T3Eoj7FAqibO/:cRsbFaL1BDpZj

Score
7/10
persistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2172
    • C:\Users\Admin\AppData\Local\Temp\NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMYJI.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Key Name" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe" /f
          4⤵
          • Adds Run key to start application
          PID:4992
      • C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe
        "C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2604
        • C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe
          "C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
    Filesize

    257KB

    MD5

    f8c431385b26359e8a88ae72b0812650

    SHA1

    a6a2aae10c4c5dc8572b2657bfa167c158f927f0

    SHA256

    8ae56fd12244d0c8403a76405f898afc276e0e4ebcbc3bfce7e9994f2bbcc2ff

    SHA512

    eff6fda763f2adad93329cddd92ca01222f195f10f73d09f5fd3459655646372219580ee266b5d8b790ea25ab8a5dd9045ef619cff36d9b3c600b5942e6c61fe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\YMYJI.bat
    Filesize

    148B

    MD5

    cad4294c9f78a2359f70ea09f0f56325

    SHA1

    1d02ee76821a5b6fe45aa4f12bac8f86b0043691

    SHA256

    48eb38071c5a2a5c40b3110fcbcb52f6ad0849c3ec20b1cf1be5fa223ac0aaf4

    SHA512

    cd62dd9423a3224d2c4d27853554e0574212cf48a824d562ab3e17231bb839f1dadb12067a7ca39c0cf8ddd5b0e3e8c1dbf601f9822567957e7c29e51fe1693d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\YMYJI.txt
    Filesize

    148B

    MD5

    cad4294c9f78a2359f70ea09f0f56325

    SHA1

    1d02ee76821a5b6fe45aa4f12bac8f86b0043691

    SHA256

    48eb38071c5a2a5c40b3110fcbcb52f6ad0849c3ec20b1cf1be5fa223ac0aaf4

    SHA512

    cd62dd9423a3224d2c4d27853554e0574212cf48a824d562ab3e17231bb839f1dadb12067a7ca39c0cf8ddd5b0e3e8c1dbf601f9822567957e7c29e51fe1693d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe
    Filesize

    257KB

    MD5

    3a2b281236b945a82ec56894266a5c2d

    SHA1

    7d34c52920010a35752be85c27d3793a3c8af5cb

    SHA256

    a62728b2332b6234954067950754235b6dd5df50e36fa67693f67850a7dd8573

    SHA512

    84d14046083409fa56e78ac6609d3edf09b8e768c32622dc7b6924f7af799731d27e062b595c73c6f3a5c0270308ebcc17236a531751a075430b05f11bf9b105

    Download Submit

  • C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe
    Filesize

    257KB

    MD5

    3a2b281236b945a82ec56894266a5c2d

    SHA1

    7d34c52920010a35752be85c27d3793a3c8af5cb

    SHA256

    a62728b2332b6234954067950754235b6dd5df50e36fa67693f67850a7dd8573

    SHA512

    84d14046083409fa56e78ac6609d3edf09b8e768c32622dc7b6924f7af799731d27e062b595c73c6f3a5c0270308ebcc17236a531751a075430b05f11bf9b105

    Download Submit

  • C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe
    Filesize

    257KB

    MD5

    3a2b281236b945a82ec56894266a5c2d

    SHA1

    7d34c52920010a35752be85c27d3793a3c8af5cb

    SHA256

    a62728b2332b6234954067950754235b6dd5df50e36fa67693f67850a7dd8573

    SHA512

    84d14046083409fa56e78ac6609d3edf09b8e768c32622dc7b6924f7af799731d27e062b595c73c6f3a5c0270308ebcc17236a531751a075430b05f11bf9b105

    Download Submit

  • C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe
    Filesize

    257KB

    MD5

    3a2b281236b945a82ec56894266a5c2d

    SHA1

    7d34c52920010a35752be85c27d3793a3c8af5cb

    SHA256

    a62728b2332b6234954067950754235b6dd5df50e36fa67693f67850a7dd8573

    SHA512

    84d14046083409fa56e78ac6609d3edf09b8e768c32622dc7b6924f7af799731d27e062b595c73c6f3a5c0270308ebcc17236a531751a075430b05f11bf9b105

    Download Submit

  • memory/768-50-0x0000000002A50000-0x0000000002A51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/768-57-0x0000000002B70000-0x0000000002B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/768-53-0x0000000002A90000-0x0000000002A91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/768-48-0x00000000029D0000-0x00000000029D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/768-47-0x0000000002990000-0x0000000002991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1780-14-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1780-65-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1780-43-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1780-12-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1780-7-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2172-6-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2172-11-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2172-44-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2172-15-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2604-49-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2604-56-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2604-68-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2708-67-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/4596-3-0x0000000002A10000-0x0000000002A11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4596-2-0x0000000002120000-0x0000000002121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4596-4-0x0000000002A90000-0x0000000002A91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4596-5-0x0000000002270000-0x0000000002271000-memory.dmp

    Filesize

    4KB

    Download