996b116ac56b5c1906f7787fb5775165f81cdd08f2863c9e8df99e8b092c75dc

Analysis

max time kernel
150s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 03:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
Size

335KB
MD5

5fbb49b161ec13a0794c11c3ab86f220
SHA1

34546128879ad9433b21a0fc9bf6e75344422a02
SHA256

996b116ac56b5c1906f7787fb5775165f81cdd08f2863c9e8df99e8b092c75dc
SHA512

87b29beff29ba4206a98612a0bee6ffe2381970b9ad0933bdd5a3dd876fd793b23c8a78ee940716e246b0d8b46b38aeda8c1fbdb1f7e9a0c760de673d6cdabcd
SSDEEP

6144:JiQSo1EZGtKgZGtK/CAIuZAIuzQSo1EZGtKgZGtK/CAIuZAIu2:AQtyZGtKgZGtK/CAIuZAIuzQtyZGtKg7

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4241) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2992-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0006000000022fa8-2.dat	upx
behavioral2/files/0x00080000000229db-6.dat	upx
behavioral2/memory/2992-1416-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.resources.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\es.pak.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ppd.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.CSharp.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\vulkan-1.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Metadata.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\AppXManifest.xml.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp	5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe

C:\Users\Admin\AppData\Local\Temp\5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\5fbb49b161ec13a0794c11c3ab86f220_NEAS.exe"
1⤵
- Drops file in Program Files directory
PID:2992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini.tmp

Filesize
335KB

MD5
f41091735f700371aecb897c5ab3eabc

SHA1
daca29f12d49fe8872bf0a8fb3aeae192560eff0

SHA256
51da9c3dd64c36af8cb554ba586575e4c99d288b863b58f4592c7a7aed015876

SHA512
be9dea6fa4547740a87d93832d404c3f951f9bfaec929074d3223172545ff66f344dabe54dbb04aec717e67a8e73b63fa111263e4d7ccb7d6e475fe31ca55ed9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
434KB

MD5
ef441e2f14b78c42cd3070c9d0887d68

SHA1
4858ffb2afee373aa59eae324830575a11483668

SHA256
d146da98b930649f0da5980cf58bff2d06f61b7670ee046af1b6704abe71671a

SHA512
7c34a8b6d5ed8078fc5b2addd71942e3d30501402beb9a3bdacd9df1f82b48b3503152955f134311ec60de1e7fbae044d419dab6b2c748df1790761a6535758a

Download Submit
memory/2992-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2992-1416-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads