12ff27f417353a3804356b46555fa96be2069adaa34a7f9bf5b70fb32af95657

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
11/11/2023, 04:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.00083bbca63649ad41b5d8b5fcf99f40.exe
Size

124KB
MD5

00083bbca63649ad41b5d8b5fcf99f40
SHA1

0bffbf61131b232982f161b044ee113d341b10fc
SHA256

12ff27f417353a3804356b46555fa96be2069adaa34a7f9bf5b70fb32af95657
SHA512

957d415ee2fe61310a80d63db66ac1b91da1173ec0a78afdb3fbad8d262915a769c47d1a326a7d2b663f668e76a5cda4fdcd3baa0c72452c3eccf2d7b79d2df5
SSDEEP

3072:0q8f/oic1i9uTAlPQSDwEyWefHEvGdxETCpPJZ:r8f/U1iF/sUGdxETI

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3008	NEAS.00083bbca63649ad41b5d8b5fcf99f40.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2248	3008	NEAS.00083bbca63649ad41b5d8b5fcf99f40.exe	17
PID 3008 wrote to memory of 2248	3008	NEAS.00083bbca63649ad41b5d8b5fcf99f40.exe	17
PID 3008 wrote to memory of 2248	3008	NEAS.00083bbca63649ad41b5d8b5fcf99f40.exe	17
PID 3008 wrote to memory of 2248	3008	NEAS.00083bbca63649ad41b5d8b5fcf99f40.exe	17
PID 2248 wrote to memory of 2268	2248	cmd.exe	19
PID 2248 wrote to memory of 2268	2248	cmd.exe	19
PID 2248 wrote to memory of 2268	2248	cmd.exe	19
PID 2248 wrote to memory of 2268	2248	cmd.exe	19

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2268	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.00083bbca63649ad41b5d8b5fcf99f40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.00083bbca63649ad41b5d8b5fcf99f40.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\lov93F3.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\NEAS.00083bbca63649ad41b5d8b5fcf99f40.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\NEAS.00083bbca63649ad41b5d8b5fcf99f40.exe"
    3⤵
    - Views/modifies file attributes
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\lov93F3.tmp.bat

Filesize
57B

MD5
e7f566dcb7a1bde041972c546b094ab0

SHA1
e633ce2720f05420455f621cd31baea6bf43a21c

SHA256
49583a18654a953da1dfe7bdc686e3690eadd9a6e2e3d63ca728d3cdf78c02dd

SHA512
78e735041b259c2974c53b256cc2898e4c4999a89749a08afc8701c6a8f600bffe4a7c4adfbaaaf19294febe5337ac7c47915743b8ee9d66757833edecc66c78

Download Submit
C:\Users\Admin\lov93F3.tmp.bat

Filesize
57B

MD5
e7f566dcb7a1bde041972c546b094ab0

SHA1
e633ce2720f05420455f621cd31baea6bf43a21c

SHA256
49583a18654a953da1dfe7bdc686e3690eadd9a6e2e3d63ca728d3cdf78c02dd

SHA512
78e735041b259c2974c53b256cc2898e4c4999a89749a08afc8701c6a8f600bffe4a7c4adfbaaaf19294febe5337ac7c47915743b8ee9d66757833edecc66c78

Download Submit
memory/3008-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3008-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download