8f54df4085929128e6be50d0d9d113f62ba829518f10d0cca968aedcbd89adb3

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03-11-2023 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe
Size

2.0MB
MD5

1cea2b2f2e4071177f19f5f6d8e3e3f0
SHA1

7fa064a7a55c7f672adae329757f665d23d2c580
SHA256

8f54df4085929128e6be50d0d9d113f62ba829518f10d0cca968aedcbd89adb3
SHA512

26b900be1b0dcf1f325b24dab653aecab70c06eec833f7ba6f92df79c114a9b7041e4af749151e43dcb3aca605a76ae41b9fc06fdd49088a4dd05ca94149cf8e
SSDEEP

49152:B884CWL0/fRZ12+zI9gQ2irbu9qhGjojqcs1LPhsUR:B8VjWJn69hF2RomcoLJ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
2576	rundll32.exe
2576	rundll32.exe
2576	rundll32.exe
2576	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2652	2304	NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe	28
PID 2304 wrote to memory of 2652	2304	NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe	28
PID 2304 wrote to memory of 2652	2304	NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe	28
PID 2304 wrote to memory of 2652	2304	NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe	28
PID 2652 wrote to memory of 2596	2652	cmd.exe	30
PID 2652 wrote to memory of 2596	2652	cmd.exe	30
PID 2652 wrote to memory of 2596	2652	cmd.exe	30
PID 2652 wrote to memory of 2596	2652	cmd.exe	30
PID 2596 wrote to memory of 2584	2596	control.exe	31
PID 2596 wrote to memory of 2584	2596	control.exe	31
PID 2596 wrote to memory of 2584	2596	control.exe	31
PID 2596 wrote to memory of 2584	2596	control.exe	31
PID 2596 wrote to memory of 2584	2596	control.exe	31
PID 2596 wrote to memory of 2584	2596	control.exe	31
PID 2596 wrote to memory of 2584	2596	control.exe	31
PID 2584 wrote to memory of 2556	2584	rundll32.exe	32
PID 2584 wrote to memory of 2556	2584	rundll32.exe	32
PID 2584 wrote to memory of 2556	2584	rundll32.exe	32
PID 2584 wrote to memory of 2556	2584	rundll32.exe	32
PID 2556 wrote to memory of 2576	2556	RunDll32.exe	33
PID 2556 wrote to memory of 2576	2556	RunDll32.exe	33
PID 2556 wrote to memory of 2576	2556	RunDll32.exe	33
PID 2556 wrote to memory of 2576	2556	RunDll32.exe	33
PID 2556 wrote to memory of 2576	2556	RunDll32.exe	33
PID 2556 wrote to memory of 2576	2556	RunDll32.exe	33
PID 2556 wrote to memory of 2576	2556	RunDll32.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1cea2b2f2e4071177f19f5f6d8e3e3f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c .\B.cmD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL",
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL",
        6⤵
        Loads dropped DLL
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS00971D16\B.CmD

Filesize
56B

MD5
02d0caaa980d5deb736e6e609230847c

SHA1
445ba31b1613a0cff52cc8324c610206f73318fd

SHA256
d8fa9cde9a46cdfb3422855c05fc0be8131bd98f8ba1eac8f62041ca6b1f2bf6

SHA512
5555ad4cc7b27ce47602798fca7b7f40fea2cfd4ff32f7ed59f04e3294dc6b43109d3c93c7bad5f2ad1851e9d8b48c0594b48c4704e2ad7dc7d202e48d8636c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS00971D16\B.CmD

Filesize
56B

MD5
02d0caaa980d5deb736e6e609230847c

SHA1
445ba31b1613a0cff52cc8324c610206f73318fd

SHA256
d8fa9cde9a46cdfb3422855c05fc0be8131bd98f8ba1eac8f62041ca6b1f2bf6

SHA512
5555ad4cc7b27ce47602798fca7b7f40fea2cfd4ff32f7ed59f04e3294dc6b43109d3c93c7bad5f2ad1851e9d8b48c0594b48c4704e2ad7dc7d202e48d8636c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL

Filesize
2.0MB

MD5
6c85abc6bd8a06c4d072e0b509ccc8b4

SHA1
fb78e5a18fc7a50b7e84d774c9624a351b5b6c31

SHA256
953a5b0d5a57eb4aa25d9acca6facf01960685f2dccfed545bc73a1b48faece4

SHA512
843f56d83d7648329408da9bdaf3e29c03b109bb2ca4f79cbd12f30dd586fd006f827b0f9362fec927331c5131fdaefde4c6d4b6feddefd4e09093f4a57aa86d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL

Filesize
2.0MB

MD5
6c85abc6bd8a06c4d072e0b509ccc8b4

SHA1
fb78e5a18fc7a50b7e84d774c9624a351b5b6c31

SHA256
953a5b0d5a57eb4aa25d9acca6facf01960685f2dccfed545bc73a1b48faece4

SHA512
843f56d83d7648329408da9bdaf3e29c03b109bb2ca4f79cbd12f30dd586fd006f827b0f9362fec927331c5131fdaefde4c6d4b6feddefd4e09093f4a57aa86d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL

Filesize
2.0MB

MD5
6c85abc6bd8a06c4d072e0b509ccc8b4

SHA1
fb78e5a18fc7a50b7e84d774c9624a351b5b6c31

SHA256
953a5b0d5a57eb4aa25d9acca6facf01960685f2dccfed545bc73a1b48faece4

SHA512
843f56d83d7648329408da9bdaf3e29c03b109bb2ca4f79cbd12f30dd586fd006f827b0f9362fec927331c5131fdaefde4c6d4b6feddefd4e09093f4a57aa86d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL

Filesize
2.0MB

MD5
6c85abc6bd8a06c4d072e0b509ccc8b4

SHA1
fb78e5a18fc7a50b7e84d774c9624a351b5b6c31

SHA256
953a5b0d5a57eb4aa25d9acca6facf01960685f2dccfed545bc73a1b48faece4

SHA512
843f56d83d7648329408da9bdaf3e29c03b109bb2ca4f79cbd12f30dd586fd006f827b0f9362fec927331c5131fdaefde4c6d4b6feddefd4e09093f4a57aa86d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL

Filesize
2.0MB

MD5
6c85abc6bd8a06c4d072e0b509ccc8b4

SHA1
fb78e5a18fc7a50b7e84d774c9624a351b5b6c31

SHA256
953a5b0d5a57eb4aa25d9acca6facf01960685f2dccfed545bc73a1b48faece4

SHA512
843f56d83d7648329408da9bdaf3e29c03b109bb2ca4f79cbd12f30dd586fd006f827b0f9362fec927331c5131fdaefde4c6d4b6feddefd4e09093f4a57aa86d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL

Filesize
2.0MB

MD5
6c85abc6bd8a06c4d072e0b509ccc8b4

SHA1
fb78e5a18fc7a50b7e84d774c9624a351b5b6c31

SHA256
953a5b0d5a57eb4aa25d9acca6facf01960685f2dccfed545bc73a1b48faece4

SHA512
843f56d83d7648329408da9bdaf3e29c03b109bb2ca4f79cbd12f30dd586fd006f827b0f9362fec927331c5131fdaefde4c6d4b6feddefd4e09093f4a57aa86d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL

Filesize
2.0MB

MD5
6c85abc6bd8a06c4d072e0b509ccc8b4

SHA1
fb78e5a18fc7a50b7e84d774c9624a351b5b6c31

SHA256
953a5b0d5a57eb4aa25d9acca6facf01960685f2dccfed545bc73a1b48faece4

SHA512
843f56d83d7648329408da9bdaf3e29c03b109bb2ca4f79cbd12f30dd586fd006f827b0f9362fec927331c5131fdaefde4c6d4b6feddefd4e09093f4a57aa86d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL

Filesize
2.0MB

MD5
6c85abc6bd8a06c4d072e0b509ccc8b4

SHA1
fb78e5a18fc7a50b7e84d774c9624a351b5b6c31

SHA256
953a5b0d5a57eb4aa25d9acca6facf01960685f2dccfed545bc73a1b48faece4

SHA512
843f56d83d7648329408da9bdaf3e29c03b109bb2ca4f79cbd12f30dd586fd006f827b0f9362fec927331c5131fdaefde4c6d4b6feddefd4e09093f4a57aa86d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS00971D16\mbf.cpL

Filesize
2.0MB

MD5
6c85abc6bd8a06c4d072e0b509ccc8b4

SHA1
fb78e5a18fc7a50b7e84d774c9624a351b5b6c31

SHA256
953a5b0d5a57eb4aa25d9acca6facf01960685f2dccfed545bc73a1b48faece4

SHA512
843f56d83d7648329408da9bdaf3e29c03b109bb2ca4f79cbd12f30dd586fd006f827b0f9362fec927331c5131fdaefde4c6d4b6feddefd4e09093f4a57aa86d

Download Submit
memory/2576-57-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/2576-60-0x0000000000D70000-0x0000000000E92000-memory.dmp

Filesize
1.1MB

Download
memory/2576-61-0x0000000002800000-0x0000000002907000-memory.dmp

Filesize
1.0MB

Download
memory/2576-64-0x0000000002800000-0x0000000002907000-memory.dmp

Filesize
1.0MB

Download
memory/2576-65-0x0000000002800000-0x0000000002907000-memory.dmp

Filesize
1.0MB

Download
memory/2584-50-0x0000000002630000-0x0000000002737000-memory.dmp

Filesize
1.0MB

Download
memory/2584-51-0x0000000002630000-0x0000000002737000-memory.dmp

Filesize
1.0MB

Download
memory/2584-47-0x0000000002630000-0x0000000002737000-memory.dmp

Filesize
1.0MB

Download
memory/2584-46-0x00000000022A0000-0x00000000023C2000-memory.dmp

Filesize
1.1MB

Download
memory/2584-43-0x0000000010000000-0x000000001020B000-memory.dmp

Filesize
2.0MB

Download
memory/2584-44-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download