Overview

overview

7

Static

static

3

NEAS.c4532...ce.exe

windows7-x64

7

NEAS.c4532...ce.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    192s
  • max time network
    222s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    07-11-2023 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.c4532bf142e1bc8046b17751125726ce.exe

  • Size

    2.8MB

  • MD5

    c4532bf142e1bc8046b17751125726ce

  • SHA1

    e2c3bf31afdc0be305059d01bc9578b2eeb57b74

  • SHA256

    371b904415220b914155c46ed1f6d162335f2d0137cb73df6c0145a8cad06687

  • SHA512

    1d33d03d91347de1ca3cf189566847c8e5be0911ab71006e1792bce2fc8267764fcdd2140789e25ca8e0379b213c3c1ad7726330d1372fe56f01606acdb30e1b

  • SSDEEP

    49152:z8Y/4O8b8ITDnlcBkJeEXGF+6z8zmqtqCK3RTeyay+hviOZ8afQf2PynO:g6Grw+6zEmqtqCKkT6OWO

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.c4532bf142e1bc8046b17751125726ce.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.c4532bf142e1bc8046b17751125726ce.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2600
    • \??\c:\program files (x86)\microsoft office\office14\convert\microsoftoutlook.exe
      "c:\program files (x86)\microsoft office\office14\convert\microsoftoutlook.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:656
    • \??\c:\program files (x86)\common files\microsoft shared\grphflt\wpgimp32jpegim32.exe
      "c:\program files (x86)\common files\microsoft shared\grphflt\wpgimp32jpegim32.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1948
    • \??\c:\program files (x86)\common files\microsoft shared\ink\systemsystem.exe
      "c:\program files (x86)\common files\microsoft shared\ink\systemsystem.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1676
    • \??\c:\program files (x86)\common files\microsoft shared\textconv\msconv97microsoft.exe
      "c:\program files (x86)\common files\microsoft shared\textconv\msconv97microsoft.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\RCX3420.tmp
    Filesize

    2.8MB

    MD5

    5b8460c251fa98234c907688ab9fd20e

    SHA1

    124d2e3a249330df4cbb215680c97bae894336c5

    SHA256

    ea4bdfa43932cf55c26aa07071a40c696a33b2a47bdaf8557ca23dfb6e5e16be

    SHA512

    5cf21fdb2df5ad862d64b81a7df951a96723852f7dddf97fd9be632bdff8236c278e1ae3794bee49d1b566a6711fc28a4b4d7b3431840757af75e5dbebf79dbd

    Download Submit

  • C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\wpgimp32jpegim32.exe
    Filesize

    2.8MB

    MD5

    5b8460c251fa98234c907688ab9fd20e

    SHA1

    124d2e3a249330df4cbb215680c97bae894336c5

    SHA256

    ea4bdfa43932cf55c26aa07071a40c696a33b2a47bdaf8557ca23dfb6e5e16be

    SHA512

    5cf21fdb2df5ad862d64b81a7df951a96723852f7dddf97fd9be632bdff8236c278e1ae3794bee49d1b566a6711fc28a4b4d7b3431840757af75e5dbebf79dbd

    Download Submit

  • C:\Program Files (x86)\Common Files\microsoft shared\Portal\RCX1029.tmp
    Filesize

    2.8MB

    MD5

    513136757107a3708df9420e012d0723

    SHA1

    13345b4fb38892b224957d6edd8484f132dfd816

    SHA256

    9a55ba5722288eea08f1bedbc5a10348d8768ce338f6965e82de967945281e85

    SHA512

    68ea755f1dffa9a59a71ee281c4dc77d74795be6623f465eb4a1b450acefa7d0856a63978c6ff8efa4c0e97ee773f72a23b617d09dd13c4c1c62853a857c4a66

    Download Submit

  • C:\Program Files (x86)\Common Files\microsoft shared\TextConv\msconv97Microsoft.exe
    Filesize

    2.8MB

    MD5

    c4532bf142e1bc8046b17751125726ce

    SHA1

    e2c3bf31afdc0be305059d01bc9578b2eeb57b74

    SHA256

    371b904415220b914155c46ed1f6d162335f2d0137cb73df6c0145a8cad06687

    SHA512

    1d33d03d91347de1ca3cf189566847c8e5be0911ab71006e1792bce2fc8267764fcdd2140789e25ca8e0379b213c3c1ad7726330d1372fe56f01606acdb30e1b

    Download Submit

  • C:\Program Files (x86)\Common Files\microsoft shared\ink\SystemSystem.exe
    Filesize

    2.8MB

    MD5

    c4532bf142e1bc8046b17751125726ce

    SHA1

    e2c3bf31afdc0be305059d01bc9578b2eeb57b74

    SHA256

    371b904415220b914155c46ed1f6d162335f2d0137cb73df6c0145a8cad06687

    SHA512

    1d33d03d91347de1ca3cf189566847c8e5be0911ab71006e1792bce2fc8267764fcdd2140789e25ca8e0379b213c3c1ad7726330d1372fe56f01606acdb30e1b

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\MicrosoftOutlook.exe
    Filesize

    2.8MB

    MD5

    c4532bf142e1bc8046b17751125726ce

    SHA1

    e2c3bf31afdc0be305059d01bc9578b2eeb57b74

    SHA256

    371b904415220b914155c46ed1f6d162335f2d0137cb73df6c0145a8cad06687

    SHA512

    1d33d03d91347de1ca3cf189566847c8e5be0911ab71006e1792bce2fc8267764fcdd2140789e25ca8e0379b213c3c1ad7726330d1372fe56f01606acdb30e1b

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\MicrosoftOutlook.exe
    Filesize

    2.8MB

    MD5

    c4532bf142e1bc8046b17751125726ce

    SHA1

    e2c3bf31afdc0be305059d01bc9578b2eeb57b74

    SHA256

    371b904415220b914155c46ed1f6d162335f2d0137cb73df6c0145a8cad06687

    SHA512

    1d33d03d91347de1ca3cf189566847c8e5be0911ab71006e1792bce2fc8267764fcdd2140789e25ca8e0379b213c3c1ad7726330d1372fe56f01606acdb30e1b

    Download Submit

  • \Program Files (x86)\Common Files\microsoft shared\GRPHFLT\wpgimp32jpegim32.exe
    Filesize

    2.8MB

    MD5

    5b8460c251fa98234c907688ab9fd20e

    SHA1

    124d2e3a249330df4cbb215680c97bae894336c5

    SHA256

    ea4bdfa43932cf55c26aa07071a40c696a33b2a47bdaf8557ca23dfb6e5e16be

    SHA512

    5cf21fdb2df5ad862d64b81a7df951a96723852f7dddf97fd9be632bdff8236c278e1ae3794bee49d1b566a6711fc28a4b4d7b3431840757af75e5dbebf79dbd

    Download Submit

  • \Program Files (x86)\Common Files\microsoft shared\TextConv\msconv97Microsoft.exe
    Filesize

    2.8MB

    MD5

    c4532bf142e1bc8046b17751125726ce

    SHA1

    e2c3bf31afdc0be305059d01bc9578b2eeb57b74

    SHA256

    371b904415220b914155c46ed1f6d162335f2d0137cb73df6c0145a8cad06687

    SHA512

    1d33d03d91347de1ca3cf189566847c8e5be0911ab71006e1792bce2fc8267764fcdd2140789e25ca8e0379b213c3c1ad7726330d1372fe56f01606acdb30e1b

    Download Submit

  • \Program Files (x86)\Common Files\microsoft shared\ink\SystemSystem.exe
    Filesize

    2.8MB

    MD5

    c4532bf142e1bc8046b17751125726ce

    SHA1

    e2c3bf31afdc0be305059d01bc9578b2eeb57b74

    SHA256

    371b904415220b914155c46ed1f6d162335f2d0137cb73df6c0145a8cad06687

    SHA512

    1d33d03d91347de1ca3cf189566847c8e5be0911ab71006e1792bce2fc8267764fcdd2140789e25ca8e0379b213c3c1ad7726330d1372fe56f01606acdb30e1b

    Download Submit

  • \Program Files (x86)\Microsoft Office\Office14\CONVERT\MicrosoftOutlook.exe
    Filesize

    2.8MB

    MD5

    c4532bf142e1bc8046b17751125726ce

    SHA1

    e2c3bf31afdc0be305059d01bc9578b2eeb57b74

    SHA256

    371b904415220b914155c46ed1f6d162335f2d0137cb73df6c0145a8cad06687

    SHA512

    1d33d03d91347de1ca3cf189566847c8e5be0911ab71006e1792bce2fc8267764fcdd2140789e25ca8e0379b213c3c1ad7726330d1372fe56f01606acdb30e1b

    Download Submit