cbc97c82ea12518215510a3cb3982880eedda1232d52c1f204f23c98bd7998fc

General

Target

NEAS.213cfd32e2da38286425cc9d36e9389f.exe
Size

208KB
MD5

213cfd32e2da38286425cc9d36e9389f
SHA1

faa3ea563aa19c5897c6116805db42a272e1adf2
SHA256

cbc97c82ea12518215510a3cb3982880eedda1232d52c1f204f23c98bd7998fc
SHA512

77313ccec5cd367ef3da45a48f9d4a431ef1c223ef0cfa2bbbdf247543c9ee06b123f97e881979915f1a4b5a1da17648e83ef241819a16e1a1118dc02be24d57
SSDEEP

3072:z4D0ZbTVnmUU8UYBGFLivSaWMEVm7LxX4NLthEjQT6j:zFVVnG8HGFLivSQ1QEj1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2772	FWJH.exe

Loads dropped DLL 2 IoCs

pid	Process
2612	cmd.exe
2612	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\FWJH.exe	NEAS.213cfd32e2da38286425cc9d36e9389f.exe
File opened for modification	C:\windows\SysWOW64\FWJH.exe	NEAS.213cfd32e2da38286425cc9d36e9389f.exe
File created	C:\windows\SysWOW64\FWJH.exe.bat	NEAS.213cfd32e2da38286425cc9d36e9389f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1736	NEAS.213cfd32e2da38286425cc9d36e9389f.exe
2772	FWJH.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1736	NEAS.213cfd32e2da38286425cc9d36e9389f.exe
1736	NEAS.213cfd32e2da38286425cc9d36e9389f.exe
2772	FWJH.exe
2772	FWJH.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2612	1736	NEAS.213cfd32e2da38286425cc9d36e9389f.exe	28
PID 1736 wrote to memory of 2612	1736	NEAS.213cfd32e2da38286425cc9d36e9389f.exe	28
PID 1736 wrote to memory of 2612	1736	NEAS.213cfd32e2da38286425cc9d36e9389f.exe	28
PID 1736 wrote to memory of 2612	1736	NEAS.213cfd32e2da38286425cc9d36e9389f.exe	28
PID 2612 wrote to memory of 2772	2612	cmd.exe	30
PID 2612 wrote to memory of 2772	2612	cmd.exe	30
PID 2612 wrote to memory of 2772	2612	cmd.exe	30
PID 2612 wrote to memory of 2772	2612	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.213cfd32e2da38286425cc9d36e9389f.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.213cfd32e2da38286425cc9d36e9389f.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\FWJH.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\windows\SysWOW64\FWJH.exe
    C:\windows\system32\FWJH.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FWJH.exe

Filesize
208KB

MD5
0a8fcbd24e0328e0ec01d75b9e79bbf2

SHA1
967ff4b3ecb719de4532d7165e8ea9914a9fef55

SHA256
a0db64231b1ba57209895792c7a450867dbb36b0750821082e51999c7ed903c0

SHA512
d1dd9681b5a83154dcce186e0d85922821999f9f900f7bae25b5dc848b341f174756036a91a51b600ebafdacd647ae4bc2018c462d8b669c996c7b2436476e58

Download Submit
C:\Windows\SysWOW64\FWJH.exe.bat

Filesize
72B

MD5
38f7b64a9ff9f26d8f33f70852b52d2c

SHA1
ce7c3e27247c7f3e77fb384ebea83a71e6f770f0

SHA256
42353b10f9dedccbe7d2d79269ebebfb40f32ce41832b637aeaa0fef46a1b5d5

SHA512
89cbe20be2aa02521e46d85c112bcecef5e5020bdb9000946941967729f096315c9aacee9d57ffce2f6239f68e29118f2226a5c6d6666dfb7ca12773a102e99d

Download Submit
C:\windows\SysWOW64\FWJH.exe

Filesize
208KB

MD5
0a8fcbd24e0328e0ec01d75b9e79bbf2

SHA1
967ff4b3ecb719de4532d7165e8ea9914a9fef55

SHA256
a0db64231b1ba57209895792c7a450867dbb36b0750821082e51999c7ed903c0

SHA512
d1dd9681b5a83154dcce186e0d85922821999f9f900f7bae25b5dc848b341f174756036a91a51b600ebafdacd647ae4bc2018c462d8b669c996c7b2436476e58

Download Submit
C:\windows\SysWOW64\FWJH.exe.bat

Filesize
72B

MD5
38f7b64a9ff9f26d8f33f70852b52d2c

SHA1
ce7c3e27247c7f3e77fb384ebea83a71e6f770f0

SHA256
42353b10f9dedccbe7d2d79269ebebfb40f32ce41832b637aeaa0fef46a1b5d5

SHA512
89cbe20be2aa02521e46d85c112bcecef5e5020bdb9000946941967729f096315c9aacee9d57ffce2f6239f68e29118f2226a5c6d6666dfb7ca12773a102e99d

Download Submit
\Windows\SysWOW64\FWJH.exe

Filesize
208KB

MD5
0a8fcbd24e0328e0ec01d75b9e79bbf2

SHA1
967ff4b3ecb719de4532d7165e8ea9914a9fef55

SHA256
a0db64231b1ba57209895792c7a450867dbb36b0750821082e51999c7ed903c0

SHA512
d1dd9681b5a83154dcce186e0d85922821999f9f900f7bae25b5dc848b341f174756036a91a51b600ebafdacd647ae4bc2018c462d8b669c996c7b2436476e58

Download Submit
\Windows\SysWOW64\FWJH.exe

Filesize
208KB

MD5
0a8fcbd24e0328e0ec01d75b9e79bbf2

SHA1
967ff4b3ecb719de4532d7165e8ea9914a9fef55

SHA256
a0db64231b1ba57209895792c7a450867dbb36b0750821082e51999c7ed903c0

SHA512
d1dd9681b5a83154dcce186e0d85922821999f9f900f7bae25b5dc848b341f174756036a91a51b600ebafdacd647ae4bc2018c462d8b669c996c7b2436476e58

Download Submit
memory/1736-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1736-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2612-16-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download
memory/2612-18-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download
memory/2772-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2772-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing