Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-11-2023 09:34

General

  • Target

    NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe

  • Size

    216KB

  • MD5

    01b94eaa99f2e998d7cb882ce673f620

  • SHA1

    5e3a8514ae4ac4232c48f5ce24891cdd96a3133d

  • SHA256

    8c407c42ab90e8ccffd55b917c9b7bae3210de515519ded70f1d7df3fe6784db

  • SHA512

    69f1457a6919a7496c95fdee93b5061e2fb85a1a5f730041bf51a04f6db00409381230a86ee0cbfc1c36352717e50198ae8aa994970f2857b5f9f16f756f132d

  • SSDEEP

    6144:pDn0J/fNQ4bc3wT994Th6rC2dzT/Y7BNandXg:hefN3o3wT994Th6rC2dI7radQ

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.01b94eaa99f2e998d7cb882ce673f620_JC.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2924
      • C:\Windows\SysWOW64\at.exe
        "C:\Windows\System32\at.exe" /delete /yes
        3⤵
          PID:2692
        • C:\Windows\SysWOW64\at.exe
          "C:\Windows\System32\at.exe" 20:30 /every:M,T,W,TH,F,S,SU C:\Windows\Web\OfficeUpdate.exe
          3⤵
            PID:2604
          • C:\Windows\SysWOW64\at.exe
            "C:\Windows\System32\at.exe" 11:30 /every:M,T,W,TH,F,S,SU C:\Windows\Web\OfficeUpdate.exe
            3⤵
              PID:1240

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe

          Filesize

          216KB

          MD5

          01b94eaa99f2e998d7cb882ce673f620

          SHA1

          5e3a8514ae4ac4232c48f5ce24891cdd96a3133d

          SHA256

          8c407c42ab90e8ccffd55b917c9b7bae3210de515519ded70f1d7df3fe6784db

          SHA512

          69f1457a6919a7496c95fdee93b5061e2fb85a1a5f730041bf51a04f6db00409381230a86ee0cbfc1c36352717e50198ae8aa994970f2857b5f9f16f756f132d

        • \Users\Admin\AppData\Local\Temp\svchost.exe

          Filesize

          216KB

          MD5

          01b94eaa99f2e998d7cb882ce673f620

          SHA1

          5e3a8514ae4ac4232c48f5ce24891cdd96a3133d

          SHA256

          8c407c42ab90e8ccffd55b917c9b7bae3210de515519ded70f1d7df3fe6784db

          SHA512

          69f1457a6919a7496c95fdee93b5061e2fb85a1a5f730041bf51a04f6db00409381230a86ee0cbfc1c36352717e50198ae8aa994970f2857b5f9f16f756f132d

        • memory/1916-0-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

        • memory/1916-11-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

        • memory/1916-10-0x0000000002680000-0x00000000026AB000-memory.dmp

          Filesize

          172KB

        • memory/1916-34-0x0000000002680000-0x00000000026AB000-memory.dmp

          Filesize

          172KB

        • memory/2924-13-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB

        • memory/2924-35-0x0000000000400000-0x000000000042B000-memory.dmp

          Filesize

          172KB