Analysis

  • max time kernel
    150s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2024 07:55

General

  • Target

    98d5b874580ebdd8e6070777907e8180_NEAS.exe

  • Size

    267KB

  • MD5

    98d5b874580ebdd8e6070777907e8180

  • SHA1

    f57e2093d456940bcca09bc43504367aee51e666

  • SHA256

    8b781d9b719b80b977421d3f319ad0a926fbb07c110b326402a9ff6c831effc2

  • SHA512

    f9ddbfe8fc2d3e9d7e4659e0f5c0a0e3f17a8c53a877955f3ffc8400b222b36c4bbee5152de15b68f5b0097e07e5e1c378ffd25c8827fca7c477a5d703801cb4

  • SSDEEP

    6144:JmCAIuZAIuDMVtM/1H0WH0t9UpK7ShcHUaZH:7AIuZAIuOQH0WH07vUax

Score
9/10

Malware Config

Signatures

  • Renames multiple (4880) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98d5b874580ebdd8e6070777907e8180_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\98d5b874580ebdd8e6070777907e8180_NEAS.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2860750803-256193626-1801997576-1000\desktop.ini.tmp

    Filesize

    124KB

    MD5

    8bda1fe3a764ccdf2b35fa999c3c97dc

    SHA1

    9ad4ea165e34cc724dfbdf535d8aad8e360bee1a

    SHA256

    c62b41dc3cb2180bbfbd80292ab1a03682dcdf86f2075511abf6c2051bfeadef

    SHA512

    5cd1e3028b3180996601ea5eb455db79da20d87e85e2999eed822da70a17a5d21aab59e1e0933209463b79e12a42dfc0e6ff21e5a8ef164aad981aa8f4c016fd

  • C:\Windows\SysWOW64\Zombie.exe

    Filesize

    123KB

    MD5

    2b49026c8f3ab3643306c29494dd1c97

    SHA1

    61f40bcf06f928fe41a6df626585e2ab0b1f503c

    SHA256

    7e290397a053c8f15e76851427b840a1766eb8c7541e3c33de82afbd58fd1c98

    SHA512

    82770b8547ec8670758a5216ee6fb4b4c509d54ea1c4702b218fd9b1af38bae4d47f1b4da8f1576b24c6890667d0b9770f2d19d58f8bd4042d6694325e724d1b

  • memory/2812-0-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2812-12-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB