Analysis

  • max time kernel
    167s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-11-2023 15:42

General

  • Target

    NEAS.0076f6d2274efcdbb5b9f057a90be010_JC.exe

  • Size

    219KB

  • MD5

    0076f6d2274efcdbb5b9f057a90be010

  • SHA1

    ac67cadf8b3cb202da35a7c93444642b600bcbf5

  • SHA256

    08f0c7e52112d0154b1263b435f62dd95236763504d2b6fa8614578535750509

  • SHA512

    7427e0cb1cb700c4ea0a40a4dfe138727e1ba5965acc3e9b00e722c59b1ecbef2eee639f6d18865bc9a0a4ade733eba6da34312e592e66056bca61276b933b63

  • SSDEEP

    6144:MdbC+2kYpjDXkXz+S/dlLe87tjC+rbhjf1:xd0BHr

Score
7/10

Signatures

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • UPX packed file (4 IoCs)

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (27 IoCs)
  • Drops file in Program Files directory (8 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
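The "UPX packed file" signature above is a static check on the PE itself. The following is an added example, not the sandbox's own detection logic and not code from this sample: it parses the PE section table in pure Python and reports the two heuristics a triage script would combine, the stock UPX section names (UPX0/UPX1) and the "UPX!" info-block magic, plus a per-section entropy fallback for the "modified UPX" case where the packer was rebuilt with renamed sections. The build_pe helper and the PACKED/PLAIN images are constructed test inputs, not bytes from the analysed file.

```python
"""UPX packing heuristics from PE section headers (added example, not the sandbox's signature)."""
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly distributed (compressed/encrypted-looking)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes) -> list:
    """Parse the section table: [(name, raw_offset, raw_size, entropy)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name, raw_ptr, raw_size, shannon_entropy(body)))
    return sections


def upx_indicators(data: bytes) -> list:
    """Why a file looks UPX-packed. Name/magic checks catch stock UPX; the entropy
    check catches 'modified UPX' builds that rename sections but still carry a
    compressed blob in the section that holds the original image."""
    sections = pe_sections(data)
    hits = []
    if {s[0] for s in sections} & UPX_SECTION_NAMES:
        hits.append("upx-section-names")
    if b"UPX!" in data:                        # packer info block magic (stock UPX)
        hits.append("upx-magic")
    for name, _, size, entropy in sections:
        if size and entropy > 7.0:
            hits.append("high-entropy:" + name.decode("ascii", "replace"))
    return hits


def build_pe(sections: list) -> bytes:
    """Constructed header-only PE32 image for testing; not a runnable binary and
    not bytes from the analysed sample. sections = [(name, raw_body), ...]."""
    opt_size, e_lfanew = 0xE0, 0x40
    table = e_lfanew + 4 + 20 + opt_size
    data_start = (table + 40 * len(sections) + 0x1FF) & ~0x1FF   # 0x200-aligned
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    headers, bodies, ptr = b"", b"", data_start
    for name, body in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000,
                               len(body), ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body
        ptr += len(body)
    image = dos + b"PE\0\0" + coff + opt + headers
    return image + b"\0" * (data_start - len(image)) + bodies


# Constructed inputs: a UPX-style layout (empty UPX0, compressed-looking UPX1) and a plain one.
PACKED = build_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 16), (b".rsrc", b"\0" * 512)])
PLAIN = build_pe([(b".text", b"\x55\x8b\xec" * 400), (b".data", b"A" * 256)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(image))
```

Run it on a real file with `upx_indicators(open(path, "rb").read())`. A name or magic hit is strong enough to try `upx -d`; an entropy-only hit means a custom or patched packer, where `upx -d` will usually refuse and the sample has to be unpacked dynamically (dump after the stub's jump to the original entry point).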

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.0076f6d2274efcdbb5b9f057a90be010_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.0076f6d2274efcdbb5b9f057a90be010_JC.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3168
  • C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\servicing\TrustedInstaller.exe
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:3724

Network

Downloads

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

    Filesize

    567KB

    MD5

    767e8b6864e12387f09581cf1139bb18

    SHA1

    88a2e7d2df4b44270788438c2d5bdc8a8d2d2342

    SHA256

    a983ffb6c458089c76253312de513e930f1d628664c9da0f3e90eca813acf0c6

    SHA512

    56ab41f663a44cf8017a2c2307448c95f1a7dd18a92f4c485dc6b5b2ed362ec1b6f109b99f384d393caa763b8ee61c9c7990e1850de8ee0927f423f0b7252cf3

  • C:\Windows\SysWOW64\msiexec.vir

    Filesize

    202KB

    MD5

    7718a23f894448c1b99201e6885843c6

    SHA1

    c8e0e527913c24670a4bef5151360f20685e769b

    SHA256

    9c9f3990a5b9b609cd3849a2d1ca642a5af7a0ed0910e9e2fbfb02ba6eb657cc

    SHA512

    63a65e232bc85c648690493b639483628989c61375218dd225b3be13d1d797f3d450aaddb1cbde8383fd57cf9c33139aa632cd040d16e09f08c61e1076692f6f

  • C:\Windows\servicing\TrustedInstaller.exe

    Filesize

    193KB

    MD5

    805418acd5280e97074bdadca4d95195

    SHA1

    a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

    SHA256

    73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

    SHA512

    630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

  • memory/3168-0-0x0000000001000000-0x0000000001074000-memory.dmp

    Filesize

    464KB

  • memory/3168-26-0x0000000001000000-0x0000000001074000-memory.dmp

    Filesize

    464KB
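The three dropped files above sit at paths that are legitimate on a clean Windows host: C:\Windows\servicing\TrustedInstaller.exe and C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe are where those binaries normally live, and msiexec.vir sits beside the real msiexec.exe. A path-only hunt would therefore fire on every clean machine; what identifies the dropped copies is the hash. The script below is an added example, not sandbox output, with the MD5/SHA1/SHA256 values copied from this report. The scan_files helper, its in-memory interface, and the treatment of a ".vir" file as a renamed original are mine; the last is an inference from the file name that the report does not state, so it is reported as a hint rather than a match.

```python
"""Hunt for this report's dropped files by hash (added example, not sandbox output)."""
import hashlib
from pathlib import Path

# Hashes copied from the report's dropped-file list. All three paths are legitimate
# on a clean host, so only the digest identifies the dropped copy.
DROPPED_FILE_IOCS = {
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe": {
        "md5": "767e8b6864e12387f09581cf1139bb18",
        "sha1": "88a2e7d2df4b44270788438c2d5bdc8a8d2d2342",
        "sha256": "a983ffb6c458089c76253312de513e930f1d628664c9da0f3e90eca813acf0c6",
    },
    r"C:\Windows\SysWOW64\msiexec.vir": {
        "md5": "7718a23f894448c1b99201e6885843c6",
        "sha1": "c8e0e527913c24670a4bef5151360f20685e769b",
        "sha256": "9c9f3990a5b9b609cd3849a2d1ca642a5af7a0ed0910e9e2fbfb02ba6eb657cc",
    },
    r"C:\Windows\servicing\TrustedInstaller.exe": {
        "md5": "805418acd5280e97074bdadca4d95195",
        "sha1": "a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6",
        "sha256": "73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01",
    },
}
# The submitted sample itself, from the General section of the report.
SAMPLE_SHA256 = "08f0c7e52112d0154b1263b435f62dd95236763504d2b6fa8614578535750509"


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the content; older feeds still key on MD5, so keep all three."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def match_hashes(h: dict) -> list:
    """Report paths whose recorded digest matches under any algorithm."""
    return sorted(p for p, ioc in DROPPED_FILE_IOCS.items()
                  if any(h[alg] == digest for alg, digest in ioc.items()))


def match_iocs(data: bytes) -> list:
    return match_hashes(file_hashes(data))


def scan_files(files: dict) -> list:
    """Classify {path: content}. Path comparison is case-insensitive, as NTFS is."""
    known = {p.lower() for p in DROPPED_FILE_IOCS}
    findings = []
    for path, data in files.items():
        h = file_hashes(data)
        hits = match_hashes(h)
        if h["sha256"] == SAMPLE_SHA256:
            findings.append((path, "copy of the submitted sample"))
        elif hits:
            findings.append((path, "hash matches dropped file " + hits[0]))
        elif path.lower().endswith(".vir"):
            # Inference from the name, not a report finding: hint, not a match.
            findings.append((path, "renamed original next to a replaced system binary"))
        elif path.lower() in known:
            findings.append((path, "IOC path but hash differs: probably legitimate, verify Authenticode signature"))
    return findings


def scan_directory(root) -> list:
    """Disk wrapper: hash every regular file under root (reads each file fully)."""
    root = Path(root)
    return scan_files({str(p): p.read_bytes() for p in root.rglob("*") if p.is_file()})


if __name__ == "__main__":
    import sys
    for path, verdict in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict}: {path}")
```

On a suspect host, point scan_directory at C:\Windows (or a mounted image) and treat only "hash matches" and "copy of the submitted sample" as confirmed; the "IOC path but hash differs" line is there to stop an analyst from deleting the real TrustedInstaller.exe or powershell.exe, and a signature check (for example `Get-AuthenticodeSignature` in PowerShell) settles those cases.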