fd8c7f6472957210b44c70b18cce1a8f4060093af30e581efe50b2022133eee3

General

Target

NEAS.f74949842d19ec2996e7a1910b969d60.exe
Size

1.4MB
MD5

f74949842d19ec2996e7a1910b969d60
SHA1

0adf231ca0f6f12c4760939c724648919e5e8d64
SHA256

fd8c7f6472957210b44c70b18cce1a8f4060093af30e581efe50b2022133eee3
SHA512

0beb3cd144700da973fa70428365253e78540f340235c04812eea936ee74a329599f2fae1132ef1bfe1d72881562c9f0fd4c6c9553488720ada0d29beb176f44
SSDEEP

24576:5oyAKhNR+6umN9/aCLYvQpp4CdDSwlX0+Aydqhz5LDgFd1i/GPUgP:5vBhf+OnsapxdOwlX0z3zDgFdvs

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000016c1b-13.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2820	NJRATA~1.EXE
2744	NJRATA~1.EXE

Loads dropped DLL 1 IoCs

pid	Process
2640	NEAS.f74949842d19ec2996e7a1910b969d60.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.f74949842d19ec2996e7a1910b969d60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NJRATA~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2744	NJRATA~1.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2820	2640	NEAS.f74949842d19ec2996e7a1910b969d60.exe	29
PID 2640 wrote to memory of 2820	2640	NEAS.f74949842d19ec2996e7a1910b969d60.exe	29
PID 2640 wrote to memory of 2820	2640	NEAS.f74949842d19ec2996e7a1910b969d60.exe	29
PID 2820 wrote to memory of 2744	2820	NJRATA~1.EXE	30
PID 2820 wrote to memory of 2744	2820	NJRATA~1.EXE	30
PID 2820 wrote to memory of 2744	2820	NJRATA~1.EXE	30
PID 2820 wrote to memory of 2744	2820	NJRATA~1.EXE	30

C:\Users\Admin\AppData\Local\Temp\NEAS.f74949842d19ec2996e7a1910b969d60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f74949842d19ec2996e7a1910b969d60.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NJRATA~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NJRATA~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NJRATA~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NJRATA~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NJRATA~1.EXE

Filesize
1005KB

MD5
1ce598edb7623472dc5e7a82b7fdf9c7

SHA1
5b6907a934493620946bbf64994031a02649c794

SHA256
1300706dfc49ee32184c0263762d16a76b4f94de9266889915a117d3e5ab5f0c

SHA512
47a1deac70f6e68943874bb3b3f3f50115911730daff375cccbe6b135c6380f830bac0882b6dadd1d5c808c8c672a373f02ea7da8670afe709e5106900af3e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NJRATA~1.EXE

Filesize
516KB

MD5
a315898fc19c7603fd806b1b64093efa

SHA1
5beae6cb754b01fee612fa2cb92aa8b435d02d8a

SHA256
a78f87ec1b15335c94ed7c85ba959fe083092f0d781c95ca20b456ec6a8f2151

SHA512
5d2f77895a6ce118c7db73fc49f11d3344ae578ffab12ff3d55b08efeaa6b708fce62cc1b9bce5b71a96d717876718f4b8f01a5f010f9c713b9cece486b407d6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\NJRATA~1.EXE

Filesize
1005KB

MD5
1ce598edb7623472dc5e7a82b7fdf9c7

SHA1
5b6907a934493620946bbf64994031a02649c794

SHA256
1300706dfc49ee32184c0263762d16a76b4f94de9266889915a117d3e5ab5f0c

SHA512
47a1deac70f6e68943874bb3b3f3f50115911730daff375cccbe6b135c6380f830bac0882b6dadd1d5c808c8c672a373f02ea7da8670afe709e5106900af3e08

Download Submit
memory/2744-14-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2744-17-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2744-16-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2744-18-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2744-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2744-20-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2744-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2744-24-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2744-33-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads