af3bc1dec44f209794d43accfd4fbd0f863aed41d8d3615ebb3b3488d69e1b1d

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
Size

74KB
MD5

30e94a8e6514ace92b2bd804a9317d40
SHA1

e7a812a08fd49deb366c7c2213f9f6d86bdef11e
SHA256

af3bc1dec44f209794d43accfd4fbd0f863aed41d8d3615ebb3b3488d69e1b1d
SHA512

59511146cb3eea2e3bd2831437dde9c168670073ee1d48db507af0babbf2e897294ee198cdddbb7c9c8db160dff2fee9414fb952b362cb5d322026e4f5e0a968
SSDEEP

1536:W7Z9pApQESOHepOHe8G+6E65TGAzEWzVNOx0ypIzIu73mYdE9aC3s9XL7EWzVNOD:69WpQEJAzEWzVNOx0ypIzIu73mYdE9d7

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5188) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationFramework.resources.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\Blog.dotx.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOS.TTF.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTF.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICB.TTF.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\msipc.dll.mui.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFRHD.DLL.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsFormsIntegration.resources.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-BOLD.TTF.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationProvider.resources.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.tmp	30e94a8e6514ace92b2bd804a9317d40_NEAS.exe

C:\Users\Admin\AppData\Local\Temp\30e94a8e6514ace92b2bd804a9317d40_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\30e94a8e6514ace92b2bd804a9317d40_NEAS.exe"
1⤵
- Drops file in Program Files directory
PID:4364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini.tmp

Filesize
75KB

MD5
44fc29ae5940d22f57789a2e255b6230

SHA1
b76fce2986afa783929d23feba82fab30ec003e8

SHA256
ba7ccf97d6e752d444f14baeffd14d04e6ba84c95ef83a6d32adc66292a39068

SHA512
da65258fe3dc058839820c34f5e3a7e3c43b7a2e1153dfb86b60284c1352e801d12e351ab4f8f810afad377864b06b2e8d530b9fb6f1c57db2cb714426a192cb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
173KB

MD5
850b68d38e5e65f1a82cbeec9113574e

SHA1
c27f01c8f64f5a40f24d4da3a9e0ab0eab83c006

SHA256
8fe5acc3b7a0759ad22857b0246214ded6e8c57d5d68a83c63be11ace52d4ed7

SHA512
f42224736d7406f756964d0deedcd816968103e2767aba5c4361d202e1f2d0c5e53e859d9d667ea75f7c02fa2b03e8630d8a88e6f29ffb9153550c2e53af925b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads