b9d9e438f3c230b493c4e04523859bcecdfc829e9e894814315ca46ee18d58aa

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9ff1887b7c6c4449bf5136491c46ee01_JC.exe
Size

124KB
MD5

9ff1887b7c6c4449bf5136491c46ee01
SHA1

c151aa4b54f52969874477cae95e700b91182c15
SHA256

b9d9e438f3c230b493c4e04523859bcecdfc829e9e894814315ca46ee18d58aa
SHA512

0a21158d7bc950cb9332edadb03f4c182161ffb5c2e55fedb3520cea27020da42ce6a2147fa0dc96abf1f70f0a9e85e1efe6bc12841d90eb1518556aa2b5415e
SSDEEP

3072:2q8f/oic1i9uTAlPQSDwEyWefHEvGdxETCpPJ:18f/U1iF/sUGdxET

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2108	NEAS.9ff1887b7c6c4449bf5136491c46ee01_JC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1424	2108	NEAS.9ff1887b7c6c4449bf5136491c46ee01_JC.exe	28
PID 2108 wrote to memory of 1424	2108	NEAS.9ff1887b7c6c4449bf5136491c46ee01_JC.exe	28
PID 2108 wrote to memory of 1424	2108	NEAS.9ff1887b7c6c4449bf5136491c46ee01_JC.exe	28
PID 2108 wrote to memory of 1424	2108	NEAS.9ff1887b7c6c4449bf5136491c46ee01_JC.exe	28
PID 1424 wrote to memory of 2184	1424	cmd.exe	30
PID 1424 wrote to memory of 2184	1424	cmd.exe	30
PID 1424 wrote to memory of 2184	1424	cmd.exe	30
PID 1424 wrote to memory of 2184	1424	cmd.exe	30

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2184	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.9ff1887b7c6c4449bf5136491c46ee01_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9ff1887b7c6c4449bf5136491c46ee01_JC.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\luo2372.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\NEAS.9ff1887b7c6c4449bf5136491c46ee01_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\NEAS.9ff1887b7c6c4449bf5136491c46ee01_JC.exe"
    3⤵
    - Views/modifies file attributes
    PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\luo2372.tmp.bat

Filesize
56B

MD5
723217be08ca590865accb36fcdc77d6

SHA1
904efed464a8b812ef60ac2e06ca20fbc5fceba8

SHA256
6ebd1b1f45c24f5c2fb081520b150fd1209c6fdbc174ab8ad8b328f20842e853

SHA512
0079e71fa563a49632b5da3753941ec92d62adbf8947994400e7d9ce8dd788bc05950f26acd6d648ad42e4e48de2b4c5d20d277cd94bed0031e364ed940de997

Download Submit
C:\Users\Admin\AppData\Local\luo2372.tmp.bat

Filesize
56B

MD5
723217be08ca590865accb36fcdc77d6

SHA1
904efed464a8b812ef60ac2e06ca20fbc5fceba8

SHA256
6ebd1b1f45c24f5c2fb081520b150fd1209c6fdbc174ab8ad8b328f20842e853

SHA512
0079e71fa563a49632b5da3753941ec92d62adbf8947994400e7d9ce8dd788bc05950f26acd6d648ad42e4e48de2b4c5d20d277cd94bed0031e364ed940de997

Download Submit
memory/2108-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2108-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download