105d5804cd0c7af1ae3c3a08f6674f9715efbde7b615e526e72a15e8bf3d878d

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.15bb8e257234f7b06fd5ee8d29f74530_JC.exe
Size

732KB
MD5

15bb8e257234f7b06fd5ee8d29f74530
SHA1

af1f57073e93a04c08357b793771bae0d918a441
SHA256

105d5804cd0c7af1ae3c3a08f6674f9715efbde7b615e526e72a15e8bf3d878d
SHA512

eb942419023fd241a9b5090fea39815bd16b21366640490646cfde33e1c8a0bc98f184eb64c71ecfa7dd7c33f9d26bad0ba7fda91b7181591b6cfa420721046c
SSDEEP

12288:EafynBNQXU2DQSLoFt0xOZlRuThY5sp5rVO4X1RxJuNDGBE/9Qw/vyeRZ/cyp:EDNIVlOZbFsphVNXrxmGJw/Eyp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3044	ZapSpot.exe

Loads dropped DLL 2 IoCs

pid	Process
1456	NEAS.15bb8e257234f7b06fd5ee8d29f74530_JC.exe
1456	NEAS.15bb8e257234f7b06fd5ee8d29f74530_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	ZapSpot.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3044	ZapSpot.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3044	ZapSpot.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 3044	1456	NEAS.15bb8e257234f7b06fd5ee8d29f74530_JC.exe	28
PID 1456 wrote to memory of 3044	1456	NEAS.15bb8e257234f7b06fd5ee8d29f74530_JC.exe	28
PID 1456 wrote to memory of 3044	1456	NEAS.15bb8e257234f7b06fd5ee8d29f74530_JC.exe	28
PID 1456 wrote to memory of 3044	1456	NEAS.15bb8e257234f7b06fd5ee8d29f74530_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.15bb8e257234f7b06fd5ee8d29f74530_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.15bb8e257234f7b06fd5ee8d29f74530_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\~zs620D.tmp\ZapSpot.exe
  ZapSpot.exe "C:\Users\Admin\AppData\Local\Temp\~zs620D.tmp" "C:\Users\Admin\AppData\Local\Temp\NEAS.15bb8e257234f7b06fd5ee8d29f74530_JC.exe" "PehPai.gam"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~zs620D.tmp\Default.skn

Filesize
6KB

MD5
5d686565ab826601f20ceb977297ba50

SHA1
dfba877a584639d9e8ab889c7a2e79179cc22e32

SHA256
4fb0ce1f760a517d9ffda7416f2cbc2941666469dd092a2868900cb1494868e8

SHA512
74294294bfc4c8cf562d9c8bc107dbf01462365a8f09cdfdd515b0bc9911f53dc22a8fa898afdd86cb740ac3dce070249ac213b3ab26b17d70122963f3836b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zs620D.tmp\PehPai.gam

Filesize
188KB

MD5
28286b21ad2c39c9e05d4e262c781bc1

SHA1
8a8330181c040b1d43d5ae87b5b74dad9547dd3e

SHA256
7b10b42aeba234a5dacccdc9f160aba8094d2793c2e46d39f4b8b6dc037b1b3f

SHA512
20bc5f3d263f1d7c63eff4cd9d7ec2bafab8690bd3eecb4969364053f39911db73dba470a1b1f4230f1b0659b25c2dfb8a9dc391871c40dfecd0cac094016c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zs620D.tmp\ZapSpot.exe

Filesize
712KB

MD5
cd161b41d95dc4d90f2ce2cb4adf9b0c

SHA1
f600f51fea5afe121c66d214e5feef4e24b90def

SHA256
8dfd24881f29b2e1976b19bc49465f19597d7dbb372d42a34566892d02c89fae

SHA512
05f8d9019afa4a408ed10bf0eeb7980080aaf380deaaa87ee4df72d9b5866a58780327420e4544bbea76cafbb1f4437a53244f629b17f5c3af680d1e9d687e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zs620D.tmp\ZapSpot.exe

Filesize
712KB

MD5
cd161b41d95dc4d90f2ce2cb4adf9b0c

SHA1
f600f51fea5afe121c66d214e5feef4e24b90def

SHA256
8dfd24881f29b2e1976b19bc49465f19597d7dbb372d42a34566892d02c89fae

SHA512
05f8d9019afa4a408ed10bf0eeb7980080aaf380deaaa87ee4df72d9b5866a58780327420e4544bbea76cafbb1f4437a53244f629b17f5c3af680d1e9d687e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\~zs620D.tmp\ZapSpot.exe

Filesize
712KB

MD5
cd161b41d95dc4d90f2ce2cb4adf9b0c

SHA1
f600f51fea5afe121c66d214e5feef4e24b90def

SHA256
8dfd24881f29b2e1976b19bc49465f19597d7dbb372d42a34566892d02c89fae

SHA512
05f8d9019afa4a408ed10bf0eeb7980080aaf380deaaa87ee4df72d9b5866a58780327420e4544bbea76cafbb1f4437a53244f629b17f5c3af680d1e9d687e44

Download Submit
\Users\Admin\AppData\Local\Temp\~zs620D.tmp\ZapSpot.exe

Filesize
712KB

MD5
cd161b41d95dc4d90f2ce2cb4adf9b0c

SHA1
f600f51fea5afe121c66d214e5feef4e24b90def

SHA256
8dfd24881f29b2e1976b19bc49465f19597d7dbb372d42a34566892d02c89fae

SHA512
05f8d9019afa4a408ed10bf0eeb7980080aaf380deaaa87ee4df72d9b5866a58780327420e4544bbea76cafbb1f4437a53244f629b17f5c3af680d1e9d687e44

Download Submit
\Users\Admin\AppData\Local\Temp\~zs620D.tmp\ZapSpot.exe

Filesize
712KB

MD5
cd161b41d95dc4d90f2ce2cb4adf9b0c

SHA1
f600f51fea5afe121c66d214e5feef4e24b90def

SHA256
8dfd24881f29b2e1976b19bc49465f19597d7dbb372d42a34566892d02c89fae

SHA512
05f8d9019afa4a408ed10bf0eeb7980080aaf380deaaa87ee4df72d9b5866a58780327420e4544bbea76cafbb1f4437a53244f629b17f5c3af680d1e9d687e44

Download Submit