525f29fa9ba3e5416dbca35d0477aaec664d65ce8f910aee9926ddce9292fd6a

General

Target

NEAS.7021ad6a58eadd2d62e39c1e11680320.exe
Size

724KB
MD5

7021ad6a58eadd2d62e39c1e11680320
SHA1

0875f3ddbce480e0ea4982ec1b3c1ec7a3e9f364
SHA256

525f29fa9ba3e5416dbca35d0477aaec664d65ce8f910aee9926ddce9292fd6a
SHA512

b39adb243c32c655d0177d21d3746b3df0656778ab2d598c3d912178504906bd662852cfdb68d092020bddcb4bff79e5db3c33ff9fdcc631a0521d362c50251a
SSDEEP

12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0Kq8c5VPcK0nrlHhP8SFP5jOMQ8Y8Y83q:71/aGLDCM4D8ayGMUQcK0nr5w/v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2908	tmtsd.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	NEAS.7021ad6a58eadd2d62e39c1e11680320.exe
2656	NEAS.7021ad6a58eadd2d62e39c1e11680320.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\tmtsd.exe"	tmtsd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2908	2656	NEAS.7021ad6a58eadd2d62e39c1e11680320.exe	28
PID 2656 wrote to memory of 2908	2656	NEAS.7021ad6a58eadd2d62e39c1e11680320.exe	28
PID 2656 wrote to memory of 2908	2656	NEAS.7021ad6a58eadd2d62e39c1e11680320.exe	28
PID 2656 wrote to memory of 2908	2656	NEAS.7021ad6a58eadd2d62e39c1e11680320.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.7021ad6a58eadd2d62e39c1e11680320.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7021ad6a58eadd2d62e39c1e11680320.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656
- C:\ProgramData\tmtsd.exe
  "C:\ProgramData\tmtsd.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
724KB

MD5
b04c987f8f3bf3a58be5592b96194ac8

SHA1
0834a48fcbace3cc96ed05a1c0aba7ff6a7395aa

SHA256
f0ec0b34bbac123477a99585968bf07fbb0b681591389966bb5bdf248041aca7

SHA512
2df7af6e8d672ec8bdc4846cb759ad9daae6e6aecc24c2c3b3d7bc5cce9bcc5792c14c14fa74c8e4d1d8b940bb237341804ec43b29b4c64d140da5a10889196a

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
269KB

MD5
d882647ae95e92c82bd66478d7043df3

SHA1
52f1b2c5ff9fe97ade8a034c1df965b21b6f2008

SHA256
93ba5be8e47ad44f8d31ff6b142e6c21de473b5c725e8b798279f8b0f31d4232

SHA512
ec1416cd7b9d251d6c687c87d3626a4b1879debd50d69050a8be6f01475d53f022919aa1a0cb56e14bd6eae316259c2681eb5bc9ad0e01ed909d9aba0a52dce2

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
269KB

MD5
d882647ae95e92c82bd66478d7043df3

SHA1
52f1b2c5ff9fe97ade8a034c1df965b21b6f2008

SHA256
93ba5be8e47ad44f8d31ff6b142e6c21de473b5c725e8b798279f8b0f31d4232

SHA512
ec1416cd7b9d251d6c687c87d3626a4b1879debd50d69050a8be6f01475d53f022919aa1a0cb56e14bd6eae316259c2681eb5bc9ad0e01ed909d9aba0a52dce2

Download Submit
C:\ProgramData\tmtsd.exe

Filesize
454KB

MD5
e8683cece85d590f68c076c22b6562be

SHA1
a5a8aeb010dc4d0723a61400e82a0d9ef3d24cba

SHA256
d601fc5ee297f538759a2a2a27833da2bb00bfcf580730845ce97e24326cf531

SHA512
64cce70d52afdf5096d9f59af52ddc8a25536abafe3f835eb7a5f08f5aeaa8c9ed852b3a4b28594dcee22d97f1485f1d5ce34e87055fe9b3a3585ef98279c0b9

Download Submit
C:\ProgramData\tmtsd.exe

Filesize
454KB

MD5
e8683cece85d590f68c076c22b6562be

SHA1
a5a8aeb010dc4d0723a61400e82a0d9ef3d24cba

SHA256
d601fc5ee297f538759a2a2a27833da2bb00bfcf580730845ce97e24326cf531

SHA512
64cce70d52afdf5096d9f59af52ddc8a25536abafe3f835eb7a5f08f5aeaa8c9ed852b3a4b28594dcee22d97f1485f1d5ce34e87055fe9b3a3585ef98279c0b9

Download Submit
C:\ProgramData\tmtsd.exe

Filesize
454KB

MD5
e8683cece85d590f68c076c22b6562be

SHA1
a5a8aeb010dc4d0723a61400e82a0d9ef3d24cba

SHA256
d601fc5ee297f538759a2a2a27833da2bb00bfcf580730845ce97e24326cf531

SHA512
64cce70d52afdf5096d9f59af52ddc8a25536abafe3f835eb7a5f08f5aeaa8c9ed852b3a4b28594dcee22d97f1485f1d5ce34e87055fe9b3a3585ef98279c0b9

Download Submit
\ProgramData\tmtsd.exe

Filesize
454KB

MD5
e8683cece85d590f68c076c22b6562be

SHA1
a5a8aeb010dc4d0723a61400e82a0d9ef3d24cba

SHA256
d601fc5ee297f538759a2a2a27833da2bb00bfcf580730845ce97e24326cf531

SHA512
64cce70d52afdf5096d9f59af52ddc8a25536abafe3f835eb7a5f08f5aeaa8c9ed852b3a4b28594dcee22d97f1485f1d5ce34e87055fe9b3a3585ef98279c0b9

Download Submit
\ProgramData\tmtsd.exe

Filesize
454KB

MD5
e8683cece85d590f68c076c22b6562be

SHA1
a5a8aeb010dc4d0723a61400e82a0d9ef3d24cba

SHA256
d601fc5ee297f538759a2a2a27833da2bb00bfcf580730845ce97e24326cf531

SHA512
64cce70d52afdf5096d9f59af52ddc8a25536abafe3f835eb7a5f08f5aeaa8c9ed852b3a4b28594dcee22d97f1485f1d5ce34e87055fe9b3a3585ef98279c0b9

Download Submit
memory/2656-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2656-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2908-103-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2908-396-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads