4856b04d5c3d34f7003de041a91fc68bac6fddd2790b8a87c15daad71372c28d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

768106df29c5fca7a1df9657b01b3280_NEAS.exe
Size

3.5MB
MD5

768106df29c5fca7a1df9657b01b3280
SHA1

3420c9b300a7106804fdbec5742e5e169c25c512
SHA256

4856b04d5c3d34f7003de041a91fc68bac6fddd2790b8a87c15daad71372c28d
SHA512

a95861db0487a22a129c80f026ff9c507608627ebec2b38aea9d433c2991e9d88d8265d0e5c31353b59e089acf175facab85e9253863eee65fa935256eecc323
SSDEEP

49152:/7vqDX/P1B1/YPAlT16OGRgl//YP5AbT1X9IL1EzstjprUUIuwZm5pQzv7DnebMp:LqDf2zOG6l/goT1XqizshqUIXupQzT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2356	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2288	Logo1_.exe
2580	768106df29c5fca7a1df9657b01b3280_NEAS.exe

Loads dropped DLL 1 IoCs

pid	Process
2356	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpenc.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	768106df29c5fca7a1df9657b01b3280_NEAS.exe
File created	C:\Windows\Logo1_.exe	768106df29c5fca7a1df9657b01b3280_NEAS.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2356	2192	768106df29c5fca7a1df9657b01b3280_NEAS.exe	28
PID 2192 wrote to memory of 2356	2192	768106df29c5fca7a1df9657b01b3280_NEAS.exe	28
PID 2192 wrote to memory of 2356	2192	768106df29c5fca7a1df9657b01b3280_NEAS.exe	28
PID 2192 wrote to memory of 2356	2192	768106df29c5fca7a1df9657b01b3280_NEAS.exe	28
PID 2192 wrote to memory of 2288	2192	768106df29c5fca7a1df9657b01b3280_NEAS.exe	29
PID 2192 wrote to memory of 2288	2192	768106df29c5fca7a1df9657b01b3280_NEAS.exe	29
PID 2192 wrote to memory of 2288	2192	768106df29c5fca7a1df9657b01b3280_NEAS.exe	29
PID 2192 wrote to memory of 2288	2192	768106df29c5fca7a1df9657b01b3280_NEAS.exe	29
PID 2356 wrote to memory of 2580	2356	cmd.exe	32
PID 2356 wrote to memory of 2580	2356	cmd.exe	32
PID 2356 wrote to memory of 2580	2356	cmd.exe	32
PID 2356 wrote to memory of 2580	2356	cmd.exe	32
PID 2288 wrote to memory of 2392	2288	Logo1_.exe	31
PID 2288 wrote to memory of 2392	2288	Logo1_.exe	31
PID 2288 wrote to memory of 2392	2288	Logo1_.exe	31
PID 2288 wrote to memory of 2392	2288	Logo1_.exe	31
PID 2392 wrote to memory of 2588	2392	net.exe	34
PID 2392 wrote to memory of 2588	2392	net.exe	34
PID 2392 wrote to memory of 2588	2392	net.exe	34
PID 2392 wrote to memory of 2588	2392	net.exe	34
PID 2288 wrote to memory of 1196	2288	Logo1_.exe	21
PID 2288 wrote to memory of 1196	2288	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\768106df29c5fca7a1df9657b01b3280_NEAS.exe
  "C:\Users\Admin\AppData\Local\Temp\768106df29c5fca7a1df9657b01b3280_NEAS.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC40.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\768106df29c5fca7a1df9657b01b3280_NEAS.exe
      "C:\Users\Admin\AppData\Local\Temp\768106df29c5fca7a1df9657b01b3280_NEAS.exe"
      4⤵
      Executes dropped EXE
      PID:2580
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
e0d8672271328873f30090041080cc19

SHA1
2484bdad2875e6305cd993d57c666565b0dfd193

SHA256
521cc53accd342680d81b6d3c53827741b3975ee22589d0bc5b8e293d722b799

SHA512
e82cfedc1583055c7156a7d27ebeefb8bb47d4c80912fb7340c6895e7c4c36fdafdc766b0aabdfa5588c85a3708c9e40e8efa17a10d7e214b613e3548ca34793

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC40.bat

Filesize
559B

MD5
9579c88d31cd8a15ad5f24f652dc2ef0

SHA1
4cbe9f76a59d29cf041903255944de58c26e5235

SHA256
a41b1112561a3315abd07ba5772ee252493ec19882107bbe51d214de46af9518

SHA512
587436a8d85749d7b76e1da4827930bac1d85e071ec00de7714d6debe9c900374f0c7ad49dc5143ada2ca20bb8f4518f4fd4a4f6fb014b1c8fc9593830607e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\768106df29c5fca7a1df9657b01b3280_NEAS.exe.exe

Filesize
3.4MB

MD5
814106ba3874f836c45954696af97962

SHA1
e22dc70efe5e09cd80cf796bdeb95ed8083985e2

SHA256
15f98d5037e363d1304d266af85866be213862285d3fb3f0aa400a4c625fbb7e

SHA512
12340f6978ba78d778fba83d38b21e42428aa9d31eee78ce1b9a19cd51c765148fea63a0e5e8ae730a08bf2ab8550fdbeda3bf6a88510df5935c22398b45effe

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
f141fdb25b30a85be9d04127b4a9d6f1

SHA1
177e0cf8614179bb12ac6fd5d3beb94dbcafa0b3

SHA256
728ca9ca860cf5bb59b1dda2e341f8dfbf5e6ef68ef932e368d41e5bcd098b98

SHA512
eabda2847c89ed52aaae96dee9d4d01e949c42f6e5874ce1ff864ccefe21d9ff8bb57d785fc90f9140f4c9751813201ebc2e4821f14ceae20aa9982f5492165c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
8B

MD5
4e8103aaf92b5d6abdcdd5fcfdd0ee98

SHA1
5e112ca3ca7335ca96c8635a5edc1e488dc0334e

SHA256
c22c9cdc7022f1a37fa581dd2f270bfdef9c020ecb64ab36f9f82edabee9e5be

SHA512
61099b199e29064b5aad505311746081b9b5ee5b76487ddff1eaf9dfbddb8461677dca70dc04cfc8beadfbafc8a7af4d06d905d0fceb0d8793ace0358d226aea

Download Submit
memory/1196-29-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2192-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-1851-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-2161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-3311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download