Overview

overview

7

Static

static

7

NEAS.83076...10.exe

windows7-x64

7

NEAS.83076...10.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    04-11-2023 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.830769424deb6aa84ef75bc8dcb63e10.exe

  • Size

    487KB

  • MD5

    830769424deb6aa84ef75bc8dcb63e10

  • SHA1

    64c937f287281c65cd13f9c49cd9b98f29641f51

  • SHA256

    9c95af3438367b4cbeaa16cce6ed6ff8e407db48de3ab75021b6982867f7a2c3

  • SHA512

    f9dba984c9dbae2615e970c48de9f8f6ef3a59f57977b6fe2c2e0e236b57ca88801e0f72eb6a8f69c040bfd41e96f4dd0c6793e6a37f0774fe6f8318ca89be4d

  • SSDEEP

    6144:QdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70NqT:28kxNhOZElO5kkWjhD4AOj5lG

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 3 IoCs
    persistence
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 17 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.830769424deb6aa84ef75bc8dcb63e10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.830769424deb6aa84ef75bc8dcb63e10.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Program Files\FILV.EXE
      "C:\Program Files\FILV.EXE"
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\FILV.EXE
    Filesize

    487KB

    MD5

    1eb200cc069650ca13f15128b648b0fa

    SHA1

    fcc5891adb26b28f4f3cb0bc887aed1cf7acd830

    SHA256

    bc066f1fd34782edbc94f24cdc2436e7ae3b8193f32eb7ffed2e3e84b89ab370

    SHA512

    1cd7377cf55b574314579eee9c6809568091b7a0d5283c117e80fc8bd3c3f9e15e3affd734ea99569f62a6b5f2dfcf58f3629afb869cf8368ee65529b212d368

    Download Submit

  • C:\Windows\NVRQSOO.EXE
    Filesize

    487KB

    MD5

    6cf09a0bfa53de2f658d9a2ca0ea0334

    SHA1

    471e261314b97bdb5f42f000430cd2b85517c27a

    SHA256

    f0f6ab64ae7806162875ac5a9bb6eaee38d72cbe06e917b96c491d577726ca69

    SHA512

    321200ea46bc930ba8426ded5f4bc8269ddf132205149c3611acecab378a03dde6a01ebd2084afc6724b1b1bd96de3ef4ef87219ff43b7c451a82b122ff514d7

    Download Submit

  • \Program Files\FILV.EXE
    Filesize

    487KB

    MD5

    1eb200cc069650ca13f15128b648b0fa

    SHA1

    fcc5891adb26b28f4f3cb0bc887aed1cf7acd830

    SHA256

    bc066f1fd34782edbc94f24cdc2436e7ae3b8193f32eb7ffed2e3e84b89ab370

    SHA512

    1cd7377cf55b574314579eee9c6809568091b7a0d5283c117e80fc8bd3c3f9e15e3affd734ea99569f62a6b5f2dfcf58f3629afb869cf8368ee65529b212d368

    Download Submit

  • \Program Files\FILV.EXE
    Filesize

    487KB

    MD5

    1eb200cc069650ca13f15128b648b0fa

    SHA1

    fcc5891adb26b28f4f3cb0bc887aed1cf7acd830

    SHA256

    bc066f1fd34782edbc94f24cdc2436e7ae3b8193f32eb7ffed2e3e84b89ab370

    SHA512

    1cd7377cf55b574314579eee9c6809568091b7a0d5283c117e80fc8bd3c3f9e15e3affd734ea99569f62a6b5f2dfcf58f3629afb869cf8368ee65529b212d368

    Download Submit

  • memory/2108-0-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2108-26-0x0000000002A70000-0x0000000002AE8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2108-28-0x0000000002A70000-0x0000000002AE8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2108-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2108-30-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2108-32-0x0000000002A70000-0x0000000002AE8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2724-29-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2724-31-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2724-33-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download