b15079a7c820f6dbd06bab844043ae9030cdaca13901666a85705a4cbc4d61f3

Analysis

max time kernel
151s
max time network
144s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe
Size

145KB
MD5

f4f0428f5d1c49b75c7c3456c6b7db60
SHA1

585cac14ab56ccbecd25dba698f91ff937ee8bec
SHA256

b15079a7c820f6dbd06bab844043ae9030cdaca13901666a85705a4cbc4d61f3
SHA512

d2a6a0dfcd9930084273c495b13a7ff48bafccfe230b31f839ab0792f3e5375d00a90036e20a0bcb0e01bb8fc1643ec553249b6bc85b8e1c342d0de158da7874
SSDEEP

3072:06G5HOoWBx3xrBx41z8QcMrgD56G5H26G5HOoWBx3xrBx4OFggF6G5HOoWB:FGpV1z8QXjGp/GpVOKGp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2500	raserver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\v2.0_2.0.0.0__457deedb7d6bb909\raserver.exe:Zone.Identifier	NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2628	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe
2500	raserver.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2876	2448	NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe	29
PID 2448 wrote to memory of 2876	2448	NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe	29
PID 2448 wrote to memory of 2876	2448	NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe	29
PID 2448 wrote to memory of 2876	2448	NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe	29
PID 2876 wrote to memory of 2628	2876	cmd.exe	31
PID 2876 wrote to memory of 2628	2876	cmd.exe	31
PID 2876 wrote to memory of 2628	2876	cmd.exe	31
PID 2876 wrote to memory of 2628	2876	cmd.exe	31
PID 2876 wrote to memory of 2508	2876	cmd.exe	32
PID 2876 wrote to memory of 2508	2876	cmd.exe	32
PID 2876 wrote to memory of 2508	2876	cmd.exe	32
PID 2876 wrote to memory of 2508	2876	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe"
1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /d /c ping -n 2 127.0.0.1 > NUL & fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe" & del "C:\Users\Admin\AppData\Local\Temp\NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe" > NUL & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2628
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setzerodata offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\NEAS.f4f0428f5d1c49b75c7c3456c6b7db60_JC.exe"
    3⤵
    PID:2508

C:\ProgramData\Microsoft\v2.0_2.0.0.0__457deedb7d6bb909\raserver.exe
C:\ProgramData\Microsoft\v2.0_2.0.0.0__457deedb7d6bb909\raserver.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\v2.0_2.0.0.0__457deedb7d6bb909\raserver.exe

Filesize
145KB

MD5
f4f0428f5d1c49b75c7c3456c6b7db60

SHA1
585cac14ab56ccbecd25dba698f91ff937ee8bec

SHA256
b15079a7c820f6dbd06bab844043ae9030cdaca13901666a85705a4cbc4d61f3

SHA512
d2a6a0dfcd9930084273c495b13a7ff48bafccfe230b31f839ab0792f3e5375d00a90036e20a0bcb0e01bb8fc1643ec553249b6bc85b8e1c342d0de158da7874

Download Submit
C:\ProgramData\Microsoft\v2.0_2.0.0.0__457deedb7d6bb909\raserver.exe

Filesize
145KB

MD5
f4f0428f5d1c49b75c7c3456c6b7db60

SHA1
585cac14ab56ccbecd25dba698f91ff937ee8bec

SHA256
b15079a7c820f6dbd06bab844043ae9030cdaca13901666a85705a4cbc4d61f3

SHA512
d2a6a0dfcd9930084273c495b13a7ff48bafccfe230b31f839ab0792f3e5375d00a90036e20a0bcb0e01bb8fc1643ec553249b6bc85b8e1c342d0de158da7874

Download Submit