b719917f7913fb88bc684b02f7a1c4e3dc7c40e08a2b1a4ef15a448500ad3a18

General

Target

NEAS.93563d69322b21f0532e3007c6f523c0.exe
Size

4.2MB
MD5

93563d69322b21f0532e3007c6f523c0
SHA1

0929dc0962031fe893235c03f70ea020c6cd56ab
SHA256

b719917f7913fb88bc684b02f7a1c4e3dc7c40e08a2b1a4ef15a448500ad3a18
SHA512

d8802c68a94d381ceabf3df72f32de47bbc19f6cd73c95a974be378c270cd37024054edb21bcf86fb0d24b56ce3da0d9af62fd91130e289e17e471cf84f3bda8
SSDEEP

98304:oXB4uluJRmMg6QWlIpgi0rHqsih/mCqJ4B4uluB:ovsJR0TW6yiIKRhzqOsB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2328	O2UZM.exe

Executes dropped EXE 1 IoCs

pid	Process
2328	O2UZM.exe

Loads dropped DLL 2 IoCs

pid	Process
2300	NEAS.93563d69322b21f0532e3007c6f523c0.exe
2328	O2UZM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2328	O2UZM.exe
2328	O2UZM.exe
2328	O2UZM.exe
2328	O2UZM.exe
2328	O2UZM.exe
2328	O2UZM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	NEAS.93563d69322b21f0532e3007c6f523c0.exe
Token: 0	2300	NEAS.93563d69322b21f0532e3007c6f523c0.exe
Token: SeDebugPrivilege	2328	O2UZM.exe
Token: 0	2328	O2UZM.exe
Token: SeShutdownPrivilege	2328	O2UZM.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2328	2300	NEAS.93563d69322b21f0532e3007c6f523c0.exe	28
PID 2300 wrote to memory of 2328	2300	NEAS.93563d69322b21f0532e3007c6f523c0.exe	28
PID 2300 wrote to memory of 2328	2300	NEAS.93563d69322b21f0532e3007c6f523c0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.93563d69322b21f0532e3007c6f523c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.93563d69322b21f0532e3007c6f523c0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\O2UZM.exe
  "C:\Users\Admin\AppData\Local\Temp\O2UZM.exe" -Continue|"C:\Users\Admin\AppData\Local\Temp\NEAS.93563d69322b21f0532e3007c6f523c0.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DIH\VAC.zip

Filesize
13KB

MD5
5a8e8dedf1d910c79defff5638978d07

SHA1
bfab518af8a53f02c4f98fc321aa0984a208686c

SHA256
d5bf8619a6f47e74aceb629da039f25493b0b8fb2f892bda2b32bd68c0cf8893

SHA512
7acfc4d0bde75a518f394319c8cd6743d36eb7ebcdcd26eeae2fb59ead70bb8b4d2fb29be93c89b529775f8a407a9bcd6e4d2a2955c03b15f2880ff9aa61a519

Download Submit
C:\Users\Admin\AppData\Local\Temp\O2UZM.exe

Filesize
4.2MB

MD5
9144696ef705e37e79e977feb4d86e65

SHA1
ab3163996d39af80395ed5553f898e97378b8c52

SHA256
5925e95b0c97ba884b096fa9b966050b994e0779072229fc3984d13a82c848b4

SHA512
de580344ba9717efa86251348352d2cf6d5d17bcda8f433e429b96d6bbe647eeb35ade47fc61c309cba9f778fd598bc9cb8b398e2f113fd9e23595904317151b

Download Submit
C:\Users\Admin\AppData\Local\Temp\O2UZM.exe

Filesize
4.2MB

MD5
9144696ef705e37e79e977feb4d86e65

SHA1
ab3163996d39af80395ed5553f898e97378b8c52

SHA256
5925e95b0c97ba884b096fa9b966050b994e0779072229fc3984d13a82c848b4

SHA512
de580344ba9717efa86251348352d2cf6d5d17bcda8f433e429b96d6bbe647eeb35ade47fc61c309cba9f778fd598bc9cb8b398e2f113fd9e23595904317151b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x64\SciLexer.dll

Filesize
1.3MB

MD5
a70486cf41bf065ff8e76e8619745361

SHA1
e06e75380b17fec737fbdfeaa4a09b83e54d4838

SHA256
1563fc1966e779f0fcb71753f15e73ec770e169a0ad6e3c5af736764d9bd5858

SHA512
02f1c909fcbf7c0f5604ccb4e807640d80a2236c3cac6975e2e849bda318419e7188bb6a48184940eb381e2af375c83d7539e58951edf5e49ec11dd0cff66cc0

Download Submit
\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x64\SciLexer.dll

Filesize
1.3MB

MD5
a70486cf41bf065ff8e76e8619745361

SHA1
e06e75380b17fec737fbdfeaa4a09b83e54d4838

SHA256
1563fc1966e779f0fcb71753f15e73ec770e169a0ad6e3c5af736764d9bd5858

SHA512
02f1c909fcbf7c0f5604ccb4e807640d80a2236c3cac6975e2e849bda318419e7188bb6a48184940eb381e2af375c83d7539e58951edf5e49ec11dd0cff66cc0

Download Submit
\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x64\SciLexer.dll

Filesize
1.3MB

MD5
a70486cf41bf065ff8e76e8619745361

SHA1
e06e75380b17fec737fbdfeaa4a09b83e54d4838

SHA256
1563fc1966e779f0fcb71753f15e73ec770e169a0ad6e3c5af736764d9bd5858

SHA512
02f1c909fcbf7c0f5604ccb4e807640d80a2236c3cac6975e2e849bda318419e7188bb6a48184940eb381e2af375c83d7539e58951edf5e49ec11dd0cff66cc0

Download Submit
memory/2300-27-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-3-0x000000001C080000-0x000000001C160000-memory.dmp

Filesize
896KB

Download
memory/2300-10-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/2300-11-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/2300-5-0x000000001C250000-0x000000001C3A4000-memory.dmp

Filesize
1.3MB

Download
memory/2300-4-0x0000000002320000-0x0000000002362000-memory.dmp

Filesize
264KB

Download
memory/2300-6-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/2300-1-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-0-0x0000000000850000-0x0000000000C86000-memory.dmp

Filesize
4.2MB

Download
memory/2300-2-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/2328-24-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-35-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2328-28-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2328-26-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2328-32-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2328-33-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2328-25-0x0000000000B60000-0x0000000000F96000-memory.dmp

Filesize
4.2MB

Download
memory/2328-29-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2328-36-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-37-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2328-38-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2328-39-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2328-40-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2328-41-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing