Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system -
submitted
12/11/2023, 17:13
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.065eade139f12d88f1f979cfea542049.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.065eade139f12d88f1f979cfea542049.exe
Resource
win10v2004-20231020-en
General
-
Target
NEAS.065eade139f12d88f1f979cfea542049.exe
-
Size
56KB
-
MD5
065eade139f12d88f1f979cfea542049
-
SHA1
daf353138afd9bab504e843077c4b4453f56291b
-
SHA256
5c5c73ae249ed96120d48e5ef2dbb7edf54b2e0f92eecc7745f6174b03074aaf
-
SHA512
988a2ab1d0cb0d57cc2f7f02a604254504fdb4400bfd3f2aeab0b6c4158074c2c20d1fb1e01aeecc045b51c3f2ca0b0903dc490f7a5fb2db5252d8fd3416518f
-
SSDEEP
768:D00UHf57LnWykdBdusOAL/2DH9owR97k9/l4ElXYWFoHiPI6zDw1T6cBJhFd/B5+:D00URPnKfZrT2DawRR8JfP3gZB355B/s
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid | Process
2084 | odbc32.exe
-
Loads dropped DLL 1 IoCs
pid | Process
3064 | NEAS.065eade139f12d88f1f979cfea542049.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Network Services = "\"C:\\Windows\\SysWOW64\\odbc32.exe\" /O0" | odbc32.exe
-
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\odbc32.exe | NEAS.065eade139f12d88f1f979cfea542049.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 3064 wrote to memory of 2084 | 3064 | NEAS.065eade139f12d88f1f979cfea542049.exe | 28
PID 3064 wrote to memory of 2084 | 3064 | NEAS.065eade139f12d88f1f979cfea542049.exe | 28
PID 3064 wrote to memory of 2084 | 3064 | NEAS.065eade139f12d88f1f979cfea542049.exe | 28
PID 3064 wrote to memory of 2084 | 3064 | NEAS.065eade139f12d88f1f979cfea542049.exe | 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.065eade139f12d88f1f979cfea542049.exe "C:\Users\Admin\AppData\Local\Temp\NEAS.065eade139f12d88f1f979cfea542049.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\odbc32.exe "C:\Windows\system32\odbc32.exe" /O0
- Executes dropped EXE
- Adds Run key to start application
PID:2084
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
56KB
MD5 ac2bd13cdb57d94a5c90365379b8c988
SHA1 f79b0d37a371ceb5d3519b7520c06be94e04364c
SHA256 f3653bd0389b822c841f321916b17174feb1eae4a44e9843d518cc0af16d2b9b
SHA512 e164d78fa05337a3f8566af64d1030d4b7b8dc208b3e7e7fa99936712bb479c80476c9deb1b618c31c39da4eac6b470417349e07f0fb7fb3840a95708131393d