25154e1b2156bd82fefbf9593f9bf46e8f3b9b19a1a77f7df562448cdbcb0e17

Analysis

max time kernel
160s
max time network
151s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 20:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe
Size

486KB
MD5

81858674b466c4db46a55cb3b8ad3a30
SHA1

88a7f227816bd44623e25f1759512b5ba60b9452
SHA256

25154e1b2156bd82fefbf9593f9bf46e8f3b9b19a1a77f7df562448cdbcb0e17
SHA512

735f0bc332b23f2128926a395bbc66d9422f40b6dbfe073efd3c56c48f94bbd62a0b0fd3a8e14398153fc7e52b57cf52f4f40a5e2418328aa84d117085495ddc
SSDEEP

6144:ztvBPnU1b7e9SQii1EkoNlhlrQ2ZrM2xWmE/qv/OYZzJFMgFknYpPTEGpZUA:Zv1nWdQP1EDhZPxWb8/OMJFM9Mn

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2620	Isass.exe
2748	SZ_NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe

Loads dropped DLL 7 IoCs

pid	Process
2760	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe
2760	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe
2760	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe
2548	Process not Found
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2948	2620	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2760	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe
2620	Isass.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2620	2760	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe	29
PID 2760 wrote to memory of 2620	2760	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe	29
PID 2760 wrote to memory of 2620	2760	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe	29
PID 2760 wrote to memory of 2620	2760	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe	29
PID 2760 wrote to memory of 2748	2760	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe	30
PID 2760 wrote to memory of 2748	2760	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe	30
PID 2760 wrote to memory of 2748	2760	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe	30
PID 2760 wrote to memory of 2748	2760	NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe	30
PID 2620 wrote to memory of 2948	2620	Isass.exe	32
PID 2620 wrote to memory of 2948	2620	Isass.exe	32
PID 2620 wrote to memory of 2948	2620	Isass.exe	32
PID 2620 wrote to memory of 2948	2620	Isass.exe	32

C:\Users\Admin\AppData\Local\Temp\NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 364
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\SZ_NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\SZ_NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe"
  2⤵
  - Executes dropped EXE
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
6256a7b2c0e6d0565ce4bacddfd7a1f5

SHA1
80f54c575f6daa51faccb9a6966feb5118fe5c60

SHA256
e8734631ded6f43a0ad1048fb9344008dfb65ed3389fbc5ad6230892d5a338e3

SHA512
c45152de8e8344d38b31febd180e83e63160c1d333cc178e6b1d5b2d1ef719335de4157b5ac683b4be9719057f4a2caa709f6e565ea7f89beb7b7b31619e783c

Download Submit
C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
6256a7b2c0e6d0565ce4bacddfd7a1f5

SHA1
80f54c575f6daa51faccb9a6966feb5118fe5c60

SHA256
e8734631ded6f43a0ad1048fb9344008dfb65ed3389fbc5ad6230892d5a338e3

SHA512
c45152de8e8344d38b31febd180e83e63160c1d333cc178e6b1d5b2d1ef719335de4157b5ac683b4be9719057f4a2caa709f6e565ea7f89beb7b7b31619e783c

Download Submit
C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
6256a7b2c0e6d0565ce4bacddfd7a1f5

SHA1
80f54c575f6daa51faccb9a6966feb5118fe5c60

SHA256
e8734631ded6f43a0ad1048fb9344008dfb65ed3389fbc5ad6230892d5a338e3

SHA512
c45152de8e8344d38b31febd180e83e63160c1d333cc178e6b1d5b2d1ef719335de4157b5ac683b4be9719057f4a2caa709f6e565ea7f89beb7b7b31619e783c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SZ_NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe

Filesize
261KB

MD5
9dce6a120d094e5c925b967c4bb36277

SHA1
1ab60840e8d8ed14619fab2d1559f989f01f01a9

SHA256
3052784f3683c2bbe95f59560eb311e75f1eac7aa5476a91bbd9fe4d2aef880a

SHA512
20a7a4b8ecb1262ed730c8299ad0ada2ad93327f0886e5fdefc89564ff7510595ec53ac5aa88747e0548315c3037125d83756e3ae4d9a813cc553c12991c94df

Download Submit
\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
6256a7b2c0e6d0565ce4bacddfd7a1f5

SHA1
80f54c575f6daa51faccb9a6966feb5118fe5c60

SHA256
e8734631ded6f43a0ad1048fb9344008dfb65ed3389fbc5ad6230892d5a338e3

SHA512
c45152de8e8344d38b31febd180e83e63160c1d333cc178e6b1d5b2d1ef719335de4157b5ac683b4be9719057f4a2caa709f6e565ea7f89beb7b7b31619e783c

Download Submit
\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
6256a7b2c0e6d0565ce4bacddfd7a1f5

SHA1
80f54c575f6daa51faccb9a6966feb5118fe5c60

SHA256
e8734631ded6f43a0ad1048fb9344008dfb65ed3389fbc5ad6230892d5a338e3

SHA512
c45152de8e8344d38b31febd180e83e63160c1d333cc178e6b1d5b2d1ef719335de4157b5ac683b4be9719057f4a2caa709f6e565ea7f89beb7b7b31619e783c

Download Submit
\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
6256a7b2c0e6d0565ce4bacddfd7a1f5

SHA1
80f54c575f6daa51faccb9a6966feb5118fe5c60

SHA256
e8734631ded6f43a0ad1048fb9344008dfb65ed3389fbc5ad6230892d5a338e3

SHA512
c45152de8e8344d38b31febd180e83e63160c1d333cc178e6b1d5b2d1ef719335de4157b5ac683b4be9719057f4a2caa709f6e565ea7f89beb7b7b31619e783c

Download Submit
\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
6256a7b2c0e6d0565ce4bacddfd7a1f5

SHA1
80f54c575f6daa51faccb9a6966feb5118fe5c60

SHA256
e8734631ded6f43a0ad1048fb9344008dfb65ed3389fbc5ad6230892d5a338e3

SHA512
c45152de8e8344d38b31febd180e83e63160c1d333cc178e6b1d5b2d1ef719335de4157b5ac683b4be9719057f4a2caa709f6e565ea7f89beb7b7b31619e783c

Download Submit
\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
6256a7b2c0e6d0565ce4bacddfd7a1f5

SHA1
80f54c575f6daa51faccb9a6966feb5118fe5c60

SHA256
e8734631ded6f43a0ad1048fb9344008dfb65ed3389fbc5ad6230892d5a338e3

SHA512
c45152de8e8344d38b31febd180e83e63160c1d333cc178e6b1d5b2d1ef719335de4157b5ac683b4be9719057f4a2caa709f6e565ea7f89beb7b7b31619e783c

Download Submit
\Users\Admin\AppData\Local\Temp\SZ_NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe

Filesize
261KB

MD5
9dce6a120d094e5c925b967c4bb36277

SHA1
1ab60840e8d8ed14619fab2d1559f989f01f01a9

SHA256
3052784f3683c2bbe95f59560eb311e75f1eac7aa5476a91bbd9fe4d2aef880a

SHA512
20a7a4b8ecb1262ed730c8299ad0ada2ad93327f0886e5fdefc89564ff7510595ec53ac5aa88747e0548315c3037125d83756e3ae4d9a813cc553c12991c94df

Download Submit
\Users\Admin\AppData\Local\Temp\SZ_NEAS.81858674b466c4db46a55cb3b8ad3a30_JC.exe

Filesize
261KB

MD5
9dce6a120d094e5c925b967c4bb36277

SHA1
1ab60840e8d8ed14619fab2d1559f989f01f01a9

SHA256
3052784f3683c2bbe95f59560eb311e75f1eac7aa5476a91bbd9fe4d2aef880a

SHA512
20a7a4b8ecb1262ed730c8299ad0ada2ad93327f0886e5fdefc89564ff7510595ec53ac5aa88747e0548315c3037125d83756e3ae4d9a813cc553c12991c94df

Download Submit
memory/2620-23-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-37-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-62-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-12-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-22-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-56-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-24-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-25-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-26-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-27-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-30-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-21-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2620-38-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-47-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-48-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2620-49-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2760-0-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2760-19-0x0000000003EB0000-0x0000000005157000-memory.dmp

Filesize
18.7MB

Download
memory/2760-10-0x0000000003EB0000-0x0000000005157000-memory.dmp

Filesize
18.7MB

Download
memory/2760-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2760-17-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download