1da2d8bd688e86ebcecc0a51b179b0abeb14f77f4cc53072c6dee5a875c9b8f8

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
Size

53KB
MD5

834b9095f8e6e343a295fb0e5fe1aeb0
SHA1

4b4bcee12b2b654e0d91013f6dfb331668c35255
SHA256

1da2d8bd688e86ebcecc0a51b179b0abeb14f77f4cc53072c6dee5a875c9b8f8
SHA512

c1f152c511e6990ee0ae6e944b5e0533a83848b7edbd8b6359c84953902c98b430588b4fa57a59ffb7d2b203c8e339d715f7cd86f0a4e56c00b1508d3c478d24
SSDEEP

768:67Blpf/FAK65euBT37CPKK0SjHm0CAbLg++PJHJzIWD+dVdCYgck5sIZFXFOFs:67Zf/FAxTWY1++PJHJXA/OsIZRw2

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (5167) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1636-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023ba8-2.dat	upx
behavioral2/files/0x0007000000022971-6.dat	upx
behavioral2/memory/1636-1824-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Design.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\ms.pak.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorlib.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\OriginResume.Dotx.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\amazonredshiftodbc_sb64.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l2-1-0.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Input.Manipulations.resources.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp	834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe

C:\Users\Admin\AppData\Local\Temp\834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\834b9095f8e6e343a295fb0e5fe1aeb0_NEAS.exe"
1⤵
- Drops file in Program Files directory
PID:1636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-17203666-93769886-2545153620-1000\desktop.ini.tmp

Filesize
54KB

MD5
c0289b88dc263b7143d2e68012b2303f

SHA1
26378e457e53fd5eeb21c5aff325b9685987e198

SHA256
cf7cbcbdcdd5bb50cd2456d2e83826ceb3d380d59606f1b2c31dbacf08f29877

SHA512
2bbccb9d8ca36b522b7cb7580a034854287cf8fb8bdaa79ff56158b3edea34108f40f628ac6959443e8aea744993eb5a2ce0b2085df153571b743c38e28c18a9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
9b447b3080b3bfd720305bc4f545309b

SHA1
848ca2940f44b449779d51857dc887db3839181f

SHA256
3c5e681030837b4e5b781ed637a0c372462b1c92f474a93470e44a53b0d3f1da

SHA512
d5fa0132c830d2fcf7f3715f83a2f502b2fc91b3b59ef1dc7b430427c120de51a7a850bd06d9be555beb0e940255eca647844be0ce46a88b9c38e5b5c8150f56

Download Submit
memory/1636-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1636-1824-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads