e9fc1c19564ecd54efd9da0c227c8d8701d62bc8fcac9cc0f907229d0bead24a

General

Target

NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe
Size

1.1MB
MD5

076b9ce2dd85c0fe32cb001ed9d961cf
SHA1

6eb76e398e3974fec497c030e1cdabcd89e7b433
SHA256

e9fc1c19564ecd54efd9da0c227c8d8701d62bc8fcac9cc0f907229d0bead24a
SHA512

bf0d8c90309ed4a21e21a20fcd73d65cc685573ae0f1321867c5c4dfe537264d5ef03982e223e6be083b142cd3f228c6433b2375d6fe182d1b8b593277f27294
SSDEEP

24576:4GUVSgk2FeQIAkYB/S0N7dIunZhziq0ZBUjdHnDGKEIH1XOC:4G0BSsxqqiMGKDH1OC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2336	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd	NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd	NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe

Executes dropped EXE 1 IoCs

pid	Process
2996	search.cmd

Loads dropped DLL 2 IoCs

pid	Process
1412	NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe
1412	NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2996	search.cmd

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2996	1412	NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe	28
PID 1412 wrote to memory of 2996	1412	NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe	28
PID 1412 wrote to memory of 2996	1412	NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe	28
PID 1412 wrote to memory of 2996	1412	NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe	28
PID 1412 wrote to memory of 2336	1412	NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe	29
PID 1412 wrote to memory of 2336	1412	NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe	29
PID 1412 wrote to memory of 2336	1412	NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe	29
PID 1412 wrote to memory of 2336	1412	NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.076b9ce2dd85c0fe32cb001ed9d961cf.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del c:\users\admin\appdata\local\temp\NEAS07~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd

Filesize
1.1MB

MD5
076b9ce2dd85c0fe32cb001ed9d961cf

SHA1
6eb76e398e3974fec497c030e1cdabcd89e7b433

SHA256
e9fc1c19564ecd54efd9da0c227c8d8701d62bc8fcac9cc0f907229d0bead24a

SHA512
bf0d8c90309ed4a21e21a20fcd73d65cc685573ae0f1321867c5c4dfe537264d5ef03982e223e6be083b142cd3f228c6433b2375d6fe182d1b8b593277f27294

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd

Filesize
1.1MB

MD5
076b9ce2dd85c0fe32cb001ed9d961cf

SHA1
6eb76e398e3974fec497c030e1cdabcd89e7b433

SHA256
e9fc1c19564ecd54efd9da0c227c8d8701d62bc8fcac9cc0f907229d0bead24a

SHA512
bf0d8c90309ed4a21e21a20fcd73d65cc685573ae0f1321867c5c4dfe537264d5ef03982e223e6be083b142cd3f228c6433b2375d6fe182d1b8b593277f27294

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd

Filesize
1.1MB

MD5
076b9ce2dd85c0fe32cb001ed9d961cf

SHA1
6eb76e398e3974fec497c030e1cdabcd89e7b433

SHA256
e9fc1c19564ecd54efd9da0c227c8d8701d62bc8fcac9cc0f907229d0bead24a

SHA512
bf0d8c90309ed4a21e21a20fcd73d65cc685573ae0f1321867c5c4dfe537264d5ef03982e223e6be083b142cd3f228c6433b2375d6fe182d1b8b593277f27294

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\search.cmd

Filesize
1.1MB

MD5
076b9ce2dd85c0fe32cb001ed9d961cf

SHA1
6eb76e398e3974fec497c030e1cdabcd89e7b433

SHA256
e9fc1c19564ecd54efd9da0c227c8d8701d62bc8fcac9cc0f907229d0bead24a

SHA512
bf0d8c90309ed4a21e21a20fcd73d65cc685573ae0f1321867c5c4dfe537264d5ef03982e223e6be083b142cd3f228c6433b2375d6fe182d1b8b593277f27294

Download Submit
memory/1412-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1412-10-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-15-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-18-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-13-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-14-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-11-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2996-16-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-17-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-12-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-19-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-20-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-21-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-22-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-23-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-24-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2996-25-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing