5ec5b9801bdf2f1b5d6b8e06d2356e8e161fbfd44caabdc83abb0a5b24a8d565

Analysis

max time kernel
120s
max time network
137s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
12-11-2023 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
Size

1.5MB
MD5

460d8ec6e3ebe92513320b5a86a838b0
SHA1

e60c3c85d9bdf61577aab1c6330f240ea72b5e84
SHA256

5ec5b9801bdf2f1b5d6b8e06d2356e8e161fbfd44caabdc83abb0a5b24a8d565
SHA512

d1b26e3d6945b5a71ee6d2ca397bc9afa7dcc99ca78f4baa01a638fa5a52892c10d2dbe71b920a34fe1ad43635d91c753c0c1a4369bc885079ff95227549204f
SSDEEP

3072:AZUWlN3tGXRvjxCb5NgXDY7uSlkJcUa7kYQTcqW2NdQQGH/UDhSCUc4aqTBRwdp/:YFAlKgzelZNQSBQGH/CSpWqTXO

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened (read-only)	\??\E:	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened (read-only)	\??\G:	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened (read-only)	\??\J:	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened (read-only)	\??\K:	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened (read-only)	\??\O:	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened (read-only)	\??\H:	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened (read-only)	\??\I:	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened (read-only)	\??\L:	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened (read-only)	\??\M:	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7zFM.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\7-Zip\7zFM.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\DVD Maker\DVDMaker.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\7-Zip\7z.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8F90.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8FC7.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\7-Zip\RCX8E2F.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX8F0E.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8F91.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\7-Zip\7z.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX8FF8.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\7-Zip\7z.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX8EED.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8F7E.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8F92.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8FA6.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX8FF9.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\7-Zip\RCX8E2C.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8F7F.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX901A.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX901B.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\7-Zip\RCX8E2D.tmp	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2860	2148	WerFault.exe	13

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2860	2148	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe	27
PID 2148 wrote to memory of 2860	2148	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe	27
PID 2148 wrote to memory of 2860	2148	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe	27
PID 2148 wrote to memory of 2860	2148	NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe	27

C:\Users\Admin\AppData\Local\Temp\NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.460d8ec6e3ebe92513320b5a86a838b0.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 744
  2⤵
  - Program crash
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.cab

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
6b661a579272150bbd35a748e70e2af0

SHA1
2b87c43b2f291aea90a81f310020be46901805eb

SHA256
2af7e21ba11557fdda5e5381d650ee6de8874719b5f2f4f7350325ea1fbd0c33

SHA512
7edcce635a62e3a7156d6edc6271910cb18a1d9ba0e16fea5326eb44308f3105d1e0182bd2f674affcaf31083c3757b996667705873fe1c54b139e9ef58a7246

Download Submit
C:\Program Files\7-Zip\7zFM.cab

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
297KB

MD5
c328959d0022d3b008090b681f97212c

SHA1
f68520ad3c3112e65de8dc1a538da8089cc5b761

SHA256
8d9836e6567be51f6c2c99ef25718e8e922db4b16f6acdb5e1bd7dd95c6fd3d5

SHA512
57036f9e3552b88c8b824ac0c54e86c4baab789c074b62f2cd8d65cadacf9c94eb55eb30403245241c462347860aeffd6a159cb66027155137cca31eaa780e80

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

Filesize
332KB

MD5
3a966a975ad61d2aa5b73f5820b50bcd

SHA1
d7b0c04ad9353bd9876285334c37ed55c311dce3

SHA256
39f5a39e88e1f841e28db3cdc9429302bcc6e4b6ca02a4023f1792b5d036134f

SHA512
18c68d18b695c5f70c95510a1fc6e4c2c91ea554a0c35aeb0bde309ee6a2264a223b83ad8ff42bf680e19bd54ec44192615212e0e23391fcb6b2d9481fc63ef7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab

Filesize
118KB

MD5
f45a7db6aec433fd579774dfdb3eaa89

SHA1
2f8773cc2b720143776a0909d19b98c4954b39cc

SHA256
2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a

SHA512
03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX8EED.tmp

Filesize
228KB

MD5
32ff019bb3692a7bb86aa378a4d67d62

SHA1
edb573c441e62f50efe0cfd92cfd19f02ac42137

SHA256
0c9fca061061e8765d71ca0741df73f1ec3edd314339f6c755c2b406b9dcb1b0

SHA512
63bfdd9ea2785c2a0ac4b2652375b995818ef0aeb49a6e66624070dd162b55351ddb26ba889012dd9afe93ead768242127d4b9d265fecdc0b2778ee3a8c6b572

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab

Filesize
1.6MB

MD5
527e039ba9add8a7fac3a6bc30a6d476

SHA1
729a329265eda72cada039c1941e7c672addfc19

SHA256
4b8a72fc81b733ed2e6e70d4c5401f954002783dbf14927849ad579860780b94

SHA512
9e73e14e33a5f07a87e9c1fecfdaee09d1408471052aacfde3d1e877dad4d253b525ebefca6bddabc23cf81d8dcce0785aedcc2f135d171ecbb1feaeb922c449

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.5MB

MD5
44286671ee879713248e599ac84921de

SHA1
d1537a3a8b0ec736eca438b996d9d323ba935206

SHA256
528bed9beeca82df426749bba1bc557f4412515d667887f7399d2acfbee29cd7

SHA512
24bbc3108a48c7ab31458ce26991f667a344092d992fac1b72bd001a0458c60c620bb08ecf7d095b62f029f62c6e4d25016f651b67e5c4e17bfd64f3cf6bab1d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.cab

Filesize
1.6MB

MD5
ec6386b63c3a5ffe0577905e94262c3a

SHA1
8f8c428d0e7f32c9d733ca28384ded413a060588

SHA256
302c968ab3e1227d54df4e72f39088d7483d25eeb3037f0b16bc39cef2728fa4

SHA512
ddbefb759858493de1f9d7addc6ff4488c8be3164374e0a88c3cbe97751510005dfe6d91c5499fcbdc35aa33a8eda2d45591a66e54ab9462277dc833faef77c3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.cab

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
1.5MB

MD5
51233513ce70bc554689a98366e4ae88

SHA1
0f134dbf349ba03753ee38cfebd4fa53228e7da1

SHA256
064e89c813c3411ce3daf5e15e390816b4289d50f633508cc3f9ffaecdfe3025

SHA512
5fb77f1e8b19ebca46ad85c2d86e739982b218d04b6cce278c08d062cee39a8f03f5a06c228be6c62babd72ac699a2397a34a4d2f270b3719c3d1ad791dd72f0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.cab

Filesize
1020KB

MD5
b65d7344b0a7faa207d2e1a7adaafb60

SHA1
755ad15b1745b0e730d658d4a92e2b754425b7db

SHA256
f4b91fbbcba8a46eefe4965e4a24c6ede3decbd1fec96e141a1953173efd1c92

SHA512
f17ac73c2df7c73a31b11ce0f533d6db91bdb0cdeea653dcd52ac72c3cf28da0c236b79586ddc7a6c825fdd171290722f888465e776f12ac2cae75be82726b22

Download Submit