4d1822b8829e41af0f8a363b08d6777468a7b602cbff9999cf15b37d3ce6c016

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 16:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
Size

73KB
MD5

9b1afa6c0c9899d9a6dcd2f2f151d440
SHA1

c1fc0eacfef90e666d30bda1f8190dba093b5a42
SHA256

4d1822b8829e41af0f8a363b08d6777468a7b602cbff9999cf15b37d3ce6c016
SHA512

76fab8a29449d95cc030df5043447988a64b9b865dcd08c989a8c6fd23ed83aa29a9b46a02a0cebe87bfb7ae796063c79714833b0fef09019c744114b200d974
SSDEEP

1536:MgSeGDjtQhnwmmB0yjMqqUM2mr3IdE8mne0Avu5r++yy7CA7GcIaapavdv:MMSjOnrmBbMqqMmr3IdE8we0Avu5r++N

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wqlzauswrjg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe"	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\N:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\O:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\S:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\V:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\I:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\E:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\G:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\J:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\K:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\U:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\B:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\H:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\L:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\Q:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\R:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\T:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\W:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\X:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\A:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\Z:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\Y:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
File opened (read-only)	\??\P:	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3048	svchost.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3792	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	89
PID 2340 wrote to memory of 3792	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	89
PID 2340 wrote to memory of 3792	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	89
PID 2340 wrote to memory of 4948	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	91
PID 2340 wrote to memory of 4948	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	91
PID 2340 wrote to memory of 4948	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	91
PID 2340 wrote to memory of 4060	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	102
PID 2340 wrote to memory of 4060	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	102
PID 2340 wrote to memory of 4060	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	102
PID 2340 wrote to memory of 1340	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	105
PID 2340 wrote to memory of 1340	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	105
PID 2340 wrote to memory of 1340	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	105
PID 2340 wrote to memory of 3296	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	107
PID 2340 wrote to memory of 3296	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	107
PID 2340 wrote to memory of 3296	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	107
PID 2340 wrote to memory of 3492	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	111
PID 2340 wrote to memory of 3492	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	111
PID 2340 wrote to memory of 3492	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	111
PID 2340 wrote to memory of 4164	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	115
PID 2340 wrote to memory of 4164	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	115
PID 2340 wrote to memory of 4164	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	115
PID 2340 wrote to memory of 740	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	121
PID 2340 wrote to memory of 740	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	121
PID 2340 wrote to memory of 740	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	121
PID 2340 wrote to memory of 4440	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	123
PID 2340 wrote to memory of 4440	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	123
PID 2340 wrote to memory of 4440	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	123
PID 2340 wrote to memory of 4624	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	126
PID 2340 wrote to memory of 4624	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	126
PID 2340 wrote to memory of 4624	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	126
PID 2340 wrote to memory of 1596	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	128
PID 2340 wrote to memory of 1596	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	128
PID 2340 wrote to memory of 1596	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	128
PID 2340 wrote to memory of 1680	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	130
PID 2340 wrote to memory of 1680	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	130
PID 2340 wrote to memory of 1680	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	130
PID 2340 wrote to memory of 3572	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	137
PID 2340 wrote to memory of 3572	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	137
PID 2340 wrote to memory of 3572	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	137
PID 2340 wrote to memory of 2744	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	140
PID 2340 wrote to memory of 2744	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	140
PID 2340 wrote to memory of 2744	2340	NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe	140

C:\Users\Admin\AppData\Local\Temp\NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9b1afa6c0c9899d9a6dcd2f2f151d440_JC.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:3792
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:4948
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4060
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:1340
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:3296
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:3492
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:4164
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:740
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:4440
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:4624
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:1596
- C:\Windows\SysWOW64\nslookup.exe
  nslookup gandcrab.bit dns1.soprodns.ru
  2⤵
  PID:1680
- C:\Windows\SysWOW64\nslookup.exe
  nslookup nomoreransom.bit dns1.soprodns.ru
  2⤵
  PID:3572
- C:\Windows\SysWOW64\nslookup.exe
  nslookup emsisoft.bit dns1.soprodns.ru
  2⤵
  PID:2744

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
301cd52fc1fbd996b8e7ac7db4de9100

SHA1
01cd44949b38ee96be9cdd34fbad86b4a06cfbae

SHA256
eea07ea9c13dc3a1eb342162fa920bdc5e1e38f861781780f3e0ba12da17413f

SHA512
9178b3ae3237a83af2f9fda582e8edda035c68fe6c66dd0e7b0eca0ef9803c0772f258d19e9ff009d63466523255db162405b6003940fbff44886a56c708b9be

Download Submit
memory/3048-43-0x000001E27CE50000-0x000001E27CE51000-memory.dmp

Filesize
4KB

Download
memory/3048-45-0x000001E27CE50000-0x000001E27CE51000-memory.dmp

Filesize
4KB

Download
memory/3048-36-0x000001E27CE50000-0x000001E27CE51000-memory.dmp

Filesize
4KB

Download
memory/3048-37-0x000001E27CE50000-0x000001E27CE51000-memory.dmp

Filesize
4KB

Download
memory/3048-38-0x000001E27CE50000-0x000001E27CE51000-memory.dmp

Filesize
4KB

Download
memory/3048-39-0x000001E27CE50000-0x000001E27CE51000-memory.dmp

Filesize
4KB

Download
memory/3048-40-0x000001E27CE50000-0x000001E27CE51000-memory.dmp

Filesize
4KB

Download
memory/3048-41-0x000001E27CE50000-0x000001E27CE51000-memory.dmp

Filesize
4KB

Download
memory/3048-42-0x000001E27CE50000-0x000001E27CE51000-memory.dmp

Filesize
4KB

Download
memory/3048-46-0x000001E27CA70000-0x000001E27CA71000-memory.dmp

Filesize
4KB

Download
memory/3048-35-0x000001E27CE20000-0x000001E27CE21000-memory.dmp

Filesize
4KB

Download
memory/3048-44-0x000001E27CE50000-0x000001E27CE51000-memory.dmp

Filesize
4KB

Download
memory/3048-3-0x000001E278740000-0x000001E278750000-memory.dmp

Filesize
64KB

Download
memory/3048-47-0x000001E27CA60000-0x000001E27CA61000-memory.dmp

Filesize
4KB

Download
memory/3048-49-0x000001E27CA70000-0x000001E27CA71000-memory.dmp

Filesize
4KB

Download
memory/3048-52-0x000001E27CA60000-0x000001E27CA61000-memory.dmp

Filesize
4KB

Download
memory/3048-55-0x000001E27C9A0000-0x000001E27C9A1000-memory.dmp

Filesize
4KB

Download
memory/3048-19-0x000001E278840000-0x000001E278850000-memory.dmp

Filesize
64KB

Download
memory/3048-67-0x000001E27CBA0000-0x000001E27CBA1000-memory.dmp

Filesize
4KB

Download
memory/3048-69-0x000001E27CBB0000-0x000001E27CBB1000-memory.dmp

Filesize
4KB

Download
memory/3048-70-0x000001E27CBB0000-0x000001E27CBB1000-memory.dmp

Filesize
4KB

Download
memory/3048-71-0x000001E27CCC0000-0x000001E27CCC1000-memory.dmp

Filesize
4KB

Download