e5ab86d874250d0aa0cad8b57764e506504b63f45ac367f15d7804855227ff85

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67f9609896c1718bb76a8411eca36140_NEAS.exe
Size

147KB
MD5

67f9609896c1718bb76a8411eca36140
SHA1

3c2abc809c6df156e84f5d62c7672b5a6cb8ca8d
SHA256

e5ab86d874250d0aa0cad8b57764e506504b63f45ac367f15d7804855227ff85
SHA512

14a73d78af4f44532bdbdee7a2619a1114afb8fb9bd4d9e22e1a917e608ca4dbcc2ddd67d7e201d4519a1bbe638a98a608be6a73bd9496a1d636cde35023b47c
SSDEEP

1536:CTWn1++PJHJXA/OsIZfzc3/Q1pkMJ+ZGtK1+ZGtKQNMdTajOtGtU1wAIuZAIuJp:KQSo1EZGtKgZGtK/PgtU1wAIuZAIun

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4831) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/696-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/files/0x000b000000023b7f-2.dat	upx
behavioral2/files/0x000800000002295e-6.dat	upx
behavioral2/memory/696-786-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.CodePages.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\nl.pak.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PenImc_cor3.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp	67f9609896c1718bb76a8411eca36140_NEAS.exe

C:\Users\Admin\AppData\Local\Temp\67f9609896c1718bb76a8411eca36140_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\67f9609896c1718bb76a8411eca36140_NEAS.exe"
1⤵
- Drops file in Program Files directory
PID:696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-877519540-908060166-1852957295-1000\desktop.ini.tmp

Filesize
148KB

MD5
87a1a3344c67263466e6f0671a4c6f54

SHA1
238e072010e9af1c526b2d7bc630746236f2761e

SHA256
e027e932d50078ff56f7798bf6f98a221caab35cb2a2ca06d34979305eeb19c7

SHA512
c095bc9e01b9ccfd25698356d377e84eb8118433497499763231c60cfbceda63e449a25c618cc3b4bdbd4ba90c6747006b6cf74d35aeda434dd6e5854face08c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
246KB

MD5
de4fccf7ae459c354db83516c84b7f43

SHA1
bf536066670b88b61ea43a675d26125d2d11bd95

SHA256
c2094b9b2da315e81cab7dc4f5cc719959d0baa17aee8768ac9a08e683c6d554

SHA512
c882d56b39a7f75ea4d9701be73ec450d42edacfad2117fcda49ba76d40267c820633fd44b155969189a3c5612e185839f54b14b7fdda4e83ab33d724dba3c8a

Download Submit
memory/696-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/696-786-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads