40f192c9e76c3c86c120ea90a5d32738798415e33983892de208c86315c15280

Analysis

max time kernel
173s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 10:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.02413b0420984c884e3ec099a2ff48a0_JC.exe
Size

932KB
MD5

02413b0420984c884e3ec099a2ff48a0
SHA1

46e52ec46050544fda230e747814156ae2ad2fec
SHA256

40f192c9e76c3c86c120ea90a5d32738798415e33983892de208c86315c15280
SHA512

91a756bc9f530e6a80501e31cc158f4e21355318b5854b0aa14fec249f5a12b7dc94b3e8239967f356b793d292ba94ef716161b6f2e53b546c6db8323c678600
SSDEEP

12288:P1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0FoWxJpcEi0/3IWV//7cSdEjf7NQlqVPa:P1/aGLDCM4D8ayGMZo8/sTNdW

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
860	rvjyas.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\rvjyas.exe"	rvjyas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 860	2148	NEAS.02413b0420984c884e3ec099a2ff48a0_JC.exe	88
PID 2148 wrote to memory of 860	2148	NEAS.02413b0420984c884e3ec099a2ff48a0_JC.exe	88
PID 2148 wrote to memory of 860	2148	NEAS.02413b0420984c884e3ec099a2ff48a0_JC.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.02413b0420984c884e3ec099a2ff48a0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.02413b0420984c884e3ec099a2ff48a0_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\ProgramData\rvjyas.exe
  "C:\ProgramData\rvjyas.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
932KB

MD5
c4dc1e86033e2bee030f826075d71fb9

SHA1
628337933c4d0759f496a5687c51b322749e8c01

SHA256
98037ef8bdbac3d49b97425125e446cc6cdfaf0a391ed66bae345cff8d97225a

SHA512
3122a41a7aa6158d10307b05e0548d6667359441bfc5d2636086c0229cfd2a92e0308304bbd52be02bc13825aebc0ab9ac6000add87ccddcf0dddd7d2aa60361

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
70d6cb7dd01ebd5a21af02945d2ae12f

SHA1
05260b3e17a221e66b58d1e5ed1d0f518392159a

SHA256
136fb79a4b868976a011043345fbef2cb088dd799757ec3970480eb99d9f2e92

SHA512
b2c4c5b6bc5519ebb8e701c37eb298f6bdbb89b09bbf93a4f5c7a0e5b809b7bb3a6355087797e5064c1cc67a1555cbdab782fcba2f8a9d0f18d4f53337a34ea9

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
70d6cb7dd01ebd5a21af02945d2ae12f

SHA1
05260b3e17a221e66b58d1e5ed1d0f518392159a

SHA256
136fb79a4b868976a011043345fbef2cb088dd799757ec3970480eb99d9f2e92

SHA512
b2c4c5b6bc5519ebb8e701c37eb298f6bdbb89b09bbf93a4f5c7a0e5b809b7bb3a6355087797e5064c1cc67a1555cbdab782fcba2f8a9d0f18d4f53337a34ea9

Download Submit
C:\ProgramData\rvjyas.exe

Filesize
454KB

MD5
c127ec6d8ef0c32ba9369eb2aaaa8515

SHA1
3cd42cfd2159ff8d39cd2c6ec06a1aa263d72f34

SHA256
17129d5c1333a8f62532a4ddf8892161605cf920fab7f5f3c9b2e1c797607431

SHA512
f70f4040eb8bca7a0587baccbaad43e537c11be93ba88f1223c9790feb02f5de8a74953740252cfc67bcb0f92960258aed7cfc70a8b73af64038ae38a2709283

Download Submit
C:\ProgramData\rvjyas.exe

Filesize
454KB

MD5
c127ec6d8ef0c32ba9369eb2aaaa8515

SHA1
3cd42cfd2159ff8d39cd2c6ec06a1aa263d72f34

SHA256
17129d5c1333a8f62532a4ddf8892161605cf920fab7f5f3c9b2e1c797607431

SHA512
f70f4040eb8bca7a0587baccbaad43e537c11be93ba88f1223c9790feb02f5de8a74953740252cfc67bcb0f92960258aed7cfc70a8b73af64038ae38a2709283

Download Submit
memory/860-100-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/860-1192-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2148-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads