9c8b789862c9cc47355041d2b6d2bb46ff6a17ab747bd6c01689a5f86c25b745

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
04-11-2023 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.fb862045ec393c5e3a255a251eee6630.exe
Size

100KB
MD5

fb862045ec393c5e3a255a251eee6630
SHA1

b20ffba029505c79b6c67f880468cfc0949d2e02
SHA256

9c8b789862c9cc47355041d2b6d2bb46ff6a17ab747bd6c01689a5f86c25b745
SHA512

0c1cd1d3b0f58b58558a4e1b3efc109d72096969b252280b04d86b96f063e6bc39a37b66dd0c06b0b408934387753ae74fb93c0b2be0a5886525e9eff32857ea
SSDEEP

3072:mG+b+HmgaXEayvk12DvVx2lPtfKyQ1uFYuiR:9WHDIx2lJKyQ4F

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2396	WScript.exe
5	2396	WScript.exe
7	2396	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pre-Setting 495cQbk.lnk	dwn_oqVuPb.exe

Executes dropped EXE 2 IoCs

pid	Process
2256	dwn_OJo.exe
2832	dwn_oqVuPb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2608	PING.EXE
2264	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2976	NEAS.fb862045ec393c5e3a255a251eee6630.exe
2256	dwn_OJo.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe
2832	dwn_oqVuPb.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	NEAS.fb862045ec393c5e3a255a251eee6630.exe
Token: SeDebugPrivilege	2256	dwn_OJo.exe
Token: SeDebugPrivilege	2832	dwn_oqVuPb.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2256	2976	NEAS.fb862045ec393c5e3a255a251eee6630.exe	28
PID 2976 wrote to memory of 2256	2976	NEAS.fb862045ec393c5e3a255a251eee6630.exe	28
PID 2976 wrote to memory of 2256	2976	NEAS.fb862045ec393c5e3a255a251eee6630.exe	28
PID 2256 wrote to memory of 2832	2256	dwn_OJo.exe	29
PID 2256 wrote to memory of 2832	2256	dwn_OJo.exe	29
PID 2256 wrote to memory of 2832	2256	dwn_OJo.exe	29
PID 2832 wrote to memory of 2768	2832	dwn_oqVuPb.exe	30
PID 2832 wrote to memory of 2768	2832	dwn_oqVuPb.exe	30
PID 2832 wrote to memory of 2768	2832	dwn_oqVuPb.exe	30
PID 2768 wrote to memory of 2608	2768	WScript.exe	31
PID 2768 wrote to memory of 2608	2768	WScript.exe	31
PID 2768 wrote to memory of 2608	2768	WScript.exe	31
PID 2832 wrote to memory of 2396	2832	dwn_oqVuPb.exe	33
PID 2832 wrote to memory of 2396	2832	dwn_oqVuPb.exe	33
PID 2832 wrote to memory of 2396	2832	dwn_oqVuPb.exe	33
PID 2396 wrote to memory of 2264	2396	WScript.exe	34
PID 2396 wrote to memory of 2264	2396	WScript.exe	34
PID 2396 wrote to memory of 2264	2396	WScript.exe	34

C:\Users\Admin\AppData\Local\Temp\NEAS.fb862045ec393c5e3a255a251eee6630.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fb862045ec393c5e3a255a251eee6630.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Recycle.Bin\JVG\dwn_OJo.exe
  "C:\Recycle.Bin\JVG\dwn_OJo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Recycle.Bin\JVG\dwn_oqVuPb.exe
    "C:\Recycle.Bin\JVG\dwn_oqVuPb.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_jة.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\System32\PING.EXE
        
        "C:\Windows\System32\PING.EXE" -n 1 www.google.com
        5⤵
        Runs ping.exe
        
        PID:2608
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_XnSыR.vbs"
      4⤵
      Blocklisted process makes network request
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\System32\PING.EXE
        
        "C:\Windows\System32\PING.EXE" -n 1 www.google.com
        5⤵
        Runs ping.exe
        
        PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycle.Bin\JVG\dwn_OJo.exe

Filesize
100KB

MD5
51893624501d49eded0a811961cef0dd

SHA1
e62a092750fcb2ed2dab6f292d23ed824311a1fe

SHA256
1113431cbead6c0df1f72953002bffacb3b924858b946969beaa04bc8d96dd63

SHA512
7876885e39eeeb3a6602cd5e67c840178d3bb8d89d01bb92eeecdaef49be5d70dc953bbb5c2e9d18d3e3a4663f8d730864610d7f37396f31df1055d4ff2c916b

Download Submit
C:\Recycle.Bin\JVG\dwn_OJo.exe

Filesize
100KB

MD5
51893624501d49eded0a811961cef0dd

SHA1
e62a092750fcb2ed2dab6f292d23ed824311a1fe

SHA256
1113431cbead6c0df1f72953002bffacb3b924858b946969beaa04bc8d96dd63

SHA512
7876885e39eeeb3a6602cd5e67c840178d3bb8d89d01bb92eeecdaef49be5d70dc953bbb5c2e9d18d3e3a4663f8d730864610d7f37396f31df1055d4ff2c916b

Download Submit
C:\Recycle.Bin\JVG\dwn_OJo.exe

Filesize
100KB

MD5
51893624501d49eded0a811961cef0dd

SHA1
e62a092750fcb2ed2dab6f292d23ed824311a1fe

SHA256
1113431cbead6c0df1f72953002bffacb3b924858b946969beaa04bc8d96dd63

SHA512
7876885e39eeeb3a6602cd5e67c840178d3bb8d89d01bb92eeecdaef49be5d70dc953bbb5c2e9d18d3e3a4663f8d730864610d7f37396f31df1055d4ff2c916b

Download Submit
C:\Recycle.Bin\JVG\dwn_oqVuPb.exe

Filesize
100KB

MD5
51893624501d49eded0a811961cef0dd

SHA1
e62a092750fcb2ed2dab6f292d23ed824311a1fe

SHA256
1113431cbead6c0df1f72953002bffacb3b924858b946969beaa04bc8d96dd63

SHA512
7876885e39eeeb3a6602cd5e67c840178d3bb8d89d01bb92eeecdaef49be5d70dc953bbb5c2e9d18d3e3a4663f8d730864610d7f37396f31df1055d4ff2c916b

Download Submit
C:\Recycle.Bin\JVG\tik_CHZ.txt

Filesize
4B

MD5
d3accd33402becc720abebee93ebe193

SHA1
7362b81a747f7e757e03d0c4d2e20822d7f52bf5

SHA256
9f2a59a60e65fbcd5a3e1b7248adf92890ce3a32b19e43fb4751c2657196de13

SHA512
4becf1bca4f0375aa0262b27fd05d35c8868d0d79b2ead2d815eb3caff11a913516e7b9461094d9a0b61b33d6995c3947681222f35e93322862d2675bbab1a12

Download Submit
C:\Recycle.Bin\JVG\tik_boqvs.txt

Filesize
7B

MD5
f68946148955b43d4a869d01ff727c29

SHA1
fe86995c44334f4aa307c8505452894bf531b830

SHA256
ce3300d8971843f28201ce6a66af772bd4174c26ba9dfab9f31b1e024cd503a1

SHA512
a58a314f3b6a91dacae4ecd5964996ac9e3f53f6dfcbb9de94076044d5f121177bd1b7bfc5b7e39fd1f7b8ba3053aea3addba216883255641d4817390cd8f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5E58.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5EC8.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_XnSыR.vbs

Filesize
1KB

MD5
52d2b24adbb11ffaac94b035c386bc0c

SHA1
eb07cc00628a83cabec5d43111f595373dbfe83c

SHA256
46dc163407d1efdc3a5f3223913528889c39495bee3b82570a60da4a745848fb

SHA512
367d97ff984d4dcb14730700a31b5356f33045a690d926bac2d12102c2da7676b01982ff1ec25f64fb8abc15eda47b816835f40c4799f001f9eb8cd1210e40e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\order_jة.vbs

Filesize
393B

MD5
6bcddfffd4a250d88e82bdd302828b09

SHA1
3a2f942933a9f3ee3acdcc19a4d125fba7b80d10

SHA256
fd1b4f5b5e6d540930c13fa3cacedebe8c675aea646e97c44b2d16ce97f82ef3

SHA512
74c1b7171518f314259bd756dc1de26efe9681d7218e6d1796b52802cb19132bfead2ebc6afb7903ce562305d94b90dbc2851a03da5990f5febaa1a76c2623c9

Download Submit
memory/2256-16-0x000007FEF58A0000-0x000007FEF623D000-memory.dmp

Filesize
9.6MB

Download
memory/2256-17-0x0000000000190000-0x0000000000210000-memory.dmp

Filesize
512KB

Download
memory/2256-25-0x000007FEF58A0000-0x000007FEF623D000-memory.dmp

Filesize
9.6MB

Download
memory/2256-19-0x000007FEF58A0000-0x000007FEF623D000-memory.dmp

Filesize
9.6MB

Download
memory/2256-22-0x0000000000196000-0x00000000001FD000-memory.dmp

Filesize
412KB

Download
memory/2832-21-0x000007FEF58A0000-0x000007FEF623D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-26-0x000007FEF58A0000-0x000007FEF623D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-28-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/2832-23-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/2832-20-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/2832-76-0x000007FEF58A0000-0x000007FEF623D000-memory.dmp

Filesize
9.6MB

Download
memory/2976-24-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/2976-0-0x000007FEF58A0000-0x000007FEF623D000-memory.dmp

Filesize
9.6MB

Download
memory/2976-46-0x000007FEF58A0000-0x000007FEF623D000-memory.dmp

Filesize
9.6MB

Download
memory/2976-3-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/2976-2-0x000007FEF58A0000-0x000007FEF623D000-memory.dmp

Filesize
9.6MB

Download
memory/2976-1-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download