Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 00:08
Behavioral task
behavioral1
Sample
38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe
Resource
win7-20240221-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe
-
Size
116KB
-
MD5
38564b8f0d27bf9fc9f58923b9e9e270
-
SHA1
0b23affb30695a77ea6466d663eae3013e93dc6a
-
SHA256
dc57b70472a60ec7947b25cb73025ca43368f21ba8f94c691a601943477c7847
-
SHA512
0fc397ac3918aef63528b67ef1651731da92c78acee90c33f89c34cb827b06088e02690ba39d6b8c0225d2ca032c24c2c6bbca17329352b0d8b2f5cb055b6137
-
SSDEEP
1536:Isz1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCow8hfli4:hfAIuZAIuYSMjoqtMHfhflixim0SyJ
Score
9/10
Malware Config
Signatures
-
Renames multiple (4864) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
resource yara_rule behavioral2/memory/512-0-0x0000000000400000-0x000000000040A000-memory.dmp upx behavioral2/files/0x000600000002327c-2.dat upx behavioral2/files/0x000800000002295a-6.dat upx behavioral2/memory/512-1006-0x0000000000400000-0x000000000040A000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\OIMG.DLL.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN103.XML.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationFramework.resources.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\en-GB.pak.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ta.pak.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\7-Zip\Lang\hr.txt.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.IO.Packaging.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\hi.pak.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-pl.xrm-ms.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\IGX.DLL.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\classlist.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.DLL.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\currency.data.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.resources.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Java\jre-1.8\lib\deploy\[email protected] 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp 38564b8f0d27bf9fc9f58923b9e9e270_NEAS.exe
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
116KB
MD5d7b5aa69a95b7489ab6da20dbeac8f6d
SHA16053ded109eee464dab5c72dd7953a8b5c51dc82
SHA256c29c08f19d426c16cd960d706e84ec5ae7f2eb33d37beffa82f0fca747bbf332
SHA51243828288a57c1de36778097310515465d2bd5f538bdf6658d523c2617e6baf3df4e87661e607a67d6863fc30890988274bf158655ee0bff5db1d116735fcfa8c
-
Filesize
215KB
MD557dfe0e97a83e51e905f0ad34ded9914
SHA110dd9e8ece44c7f8a0f45aea3683be0c51aef6ca
SHA2568be5d4ff1e168a4c367e3a11a2b20cac9bd3084093def086e3a42010f56a22ad
SHA5123832028126e4c2600b6f17d4cf8de822f1ff515989a564b677c816ff0d1ad25e5dd0142ccc91cedeea61466060b9396d92fe85dcc3c5cb18fe63e34a49e67836