8657c5b2f37a96af838f18a20758bd6f426073563b079e795f6b1cfc5e416049

Analysis

max time kernel
122s
max time network
151s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6b119021085626d8806eee94342df8cf.exe
Size

1.5MB
MD5

6b119021085626d8806eee94342df8cf
SHA1

807aacf3dba9713fa0e0b5f0bcde33b73a15c190
SHA256

8657c5b2f37a96af838f18a20758bd6f426073563b079e795f6b1cfc5e416049
SHA512

c5da84c5d41ae82b903eb87f9e18e1ea6e284443033aed324e62a245d9202b916eb09dfb9591213ddb8e15bda1a8e50a05696008019dfdb364d7bf71bc101039
SSDEEP

3072:HZUWlN3tGXRvjxCb5NgXDY7uSK4aqTBa9pOA:5FAlKgzeYqTCOA

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened (read-only)	\??\L:	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened (read-only)	\??\M:	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened (read-only)	\??\O:	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened (read-only)	\??\E:	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened (read-only)	\??\G:	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened (read-only)	\??\H:	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened (read-only)	\??\I:	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened (read-only)	\??\J:	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened (read-only)	\??\N:	NEAS.6b119021085626d8806eee94342df8cf.exe

Drops file in Program Files directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\RCX2B2A.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.cab	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RCX2B6A.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2DD0.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2DCE.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\7-Zip\7zFM.cab	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.cab	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2DE1.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2DF6.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RCX2B6B.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\DVD Maker\RCX2C5F.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\DVD Maker\RCX2C70.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\7-Zip\7z.cab	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\7-Zip\7z.exe	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RCX2BA0.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\DVD Maker\RCX2C71.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\readme.1xt	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\7-Zip\RCX2AC8.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RCX2B9E.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RCX2B9F.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\DVD Maker\DVDMaker.cab	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\DVD Maker\RCX2C81.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2DE3.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2DF4.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2DCF.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2DE2.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2DF5.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\7-Zip\7z.cab	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2DBC.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\DVD Maker\RCX2C5E.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.cab	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\7-Zip\RCX2B28.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	NEAS.6b119021085626d8806eee94342df8cf.exe
File created	C:\Program Files\7-Zip\7zFM.exe	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2DE0.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\7-Zip\RCX2AC9.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\7-Zip\RCX2B29.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2DCD.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.cab	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\7-Zip\RCX2B2B.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RCX2B9D.tmp	NEAS.6b119021085626d8806eee94342df8cf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1632	2116	WerFault.exe	15

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1632	2116	NEAS.6b119021085626d8806eee94342df8cf.exe	29
PID 2116 wrote to memory of 1632	2116	NEAS.6b119021085626d8806eee94342df8cf.exe	29
PID 2116 wrote to memory of 1632	2116	NEAS.6b119021085626d8806eee94342df8cf.exe	29
PID 2116 wrote to memory of 1632	2116	NEAS.6b119021085626d8806eee94342df8cf.exe	29
PID 2116 wrote to memory of 1632	2116	NEAS.6b119021085626d8806eee94342df8cf.exe	29
PID 2116 wrote to memory of 1632	2116	NEAS.6b119021085626d8806eee94342df8cf.exe	29
PID 2116 wrote to memory of 1632	2116	NEAS.6b119021085626d8806eee94342df8cf.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.6b119021085626d8806eee94342df8cf.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6b119021085626d8806eee94342df8cf.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 816
  2⤵
  - Program crash
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.cab

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
6bba1fb9a7046a255c98e48ec601cebb

SHA1
78df4e0f230ec15f403b32f9581ff69e1f5b6077

SHA256
3729d5717ae29ac519eb8a5fe25c976ae429a4cdd4d228a720b90894a887504c

SHA512
25c0c2dd5b279fb7ee9968f111f582dfd8e2add6a72df622c65cf064198914098b201c3023122537f9dc9f550df22ace70adf23187ea7c644e394cbe2af0bb1e

Download Submit
C:\Program Files\7-Zip\7zFM.cab

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab

Filesize
188KB

MD5
f03cd3c73a4d56421c60e6f2a40a9ef2

SHA1
3e7b8c15ba83c23333740af3aa4c4b3066fe5173

SHA256
44fc47dc280a196cc49849cfb770030f1525758ba266330b6232ee60fb4fe642

SHA512
ba57d32ffe4d0ecca137aed733c1471b4663dcba07a4c4fffcffc008a051de86fd8561bdd93d5fff545bf1865c8b5ac71eae31d20228727f5c1a46f2f9a6390e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab

Filesize
906KB

MD5
84ff6c209447a056e22a29806bfa2c96

SHA1
21190928955094c44ad996f26c801b46437809cc

SHA256
d2072ffe011341ec2a3c4af9f93b06deffa92fa05120c45dbb3ad5635f3e57b1

SHA512
6493dfbe43887e6a588ef067960ddb9e9798e07bb14fd73abf99acc5ee63250858c86d70a926f009f466bf6fedb7ca43bbecf7fc2433e47704527c2d0b6b01d9

Download Submit
C:\Program Files\DVD Maker\DVDMaker.cab

Filesize
2.2MB

MD5
e83d2495d5867e224fbf42ef40d8856c

SHA1
fec908e0e7bc469875ab8f68d936225c635a6ac2

SHA256
2c806d9b932f24c4bc84e86ced7962a75c0161ff732f77eb1827a3a14976b2c1

SHA512
e22f36cb40fff2672e9e49aa991656a0cc1188c7ba2583efae2d238a4e864bd5f8bdc532a5c35285ca2b4b105097454eb06d5860c41e618c44bab6e300408b8d

Download Submit
C:\Program Files\DVD Maker\RCX2C71.tmp

Filesize
2.2MB

MD5
f56161efdeee267a188bb1800c725c04

SHA1
9f5cf40f112be8cc27fd10186bfa9b58191e36c2

SHA256
dc3fcaf700b8105152f362d6b32ad161289753f8a55039eeea81cfcbd6ddff4d

SHA512
27f3928be8380909c4b83578d2adf1b0fa3677f494a83585ad2db5a41ee1319bc205bd97f2180253ca30503200934284471043d7eebd86acf3bbc27219e92398

Download Submit
C:\Program Files\Google\Chrome\Application\RCX2DBC.tmp

Filesize
228KB

MD5
51f3035b62d61be815527e22ef9677da

SHA1
2d0b7e7802189331a6e4d292e13ad69eea1c415a

SHA256
f3108197f3db1ec6a28723118ac8669d542b7dfe4f4718b4f9c430cae0521b13

SHA512
825442c43cdd07ef4ac450158c103d75f5533e0c4d13859eb9dc25e72621d7cfd815fd0040f4be4639af808bd88e228c013acb255b4368c71941c3fee3792c39

Download Submit
C:\Program Files\Google\Chrome\Application\RCX2DD0.tmp

Filesize
228KB

MD5
76ff1beb9b59795906f2822ab5caeb19

SHA1
315d6f9174c71506ccc98f834a07920adb996cd0

SHA256
6ae991771d7c2387ab00a0e17b99c65e5f47ce3557146362d60102a83816ce87

SHA512
590eecd19ebba4e0072b384e4d17c264339f6da3a7914a4a27107442bfb134363ac48294d5bd85490d41eef224f0f68780fe2723dce89ad819d905c0178caa0c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.cab

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit