6d72ecddb2517e47b58cf307c2d82c8419bd5ab4f1a63b3ff73d31db5db92982

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0006c65a0b6d98fb19fb029f6131981d_NEAS.exe
Size

722KB
MD5

0006c65a0b6d98fb19fb029f6131981d
SHA1

34ae1ec676731b3ea9da0ed8254bdb0e12db435f
SHA256

6d72ecddb2517e47b58cf307c2d82c8419bd5ab4f1a63b3ff73d31db5db92982
SHA512

037b3ccf890b137b579ff83accae8396c2236498504521243012c74843afefbaa08074b1f6ce3c1b02c1b58e6a6a1cf6348812a3ba88b14f24df4429617a5670
SSDEEP

12288:P1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0fE8T+1UbXE1gxJ3saefoE:P1/aGLDCM4D8ayGM7En1UbeEAfoE

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2252	alspb.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	0006c65a0b6d98fb19fb029f6131981d_NEAS.exe
1688	0006c65a0b6d98fb19fb029f6131981d_NEAS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\alspb.exe"	alspb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2252	1688	0006c65a0b6d98fb19fb029f6131981d_NEAS.exe	28
PID 1688 wrote to memory of 2252	1688	0006c65a0b6d98fb19fb029f6131981d_NEAS.exe	28
PID 1688 wrote to memory of 2252	1688	0006c65a0b6d98fb19fb029f6131981d_NEAS.exe	28
PID 1688 wrote to memory of 2252	1688	0006c65a0b6d98fb19fb029f6131981d_NEAS.exe	28

C:\Users\Admin\AppData\Local\Temp\0006c65a0b6d98fb19fb029f6131981d_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\0006c65a0b6d98fb19fb029f6131981d_NEAS.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688
- C:\ProgramData\alspb.exe
  "C:\ProgramData\alspb.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
722KB

MD5
ae046eb9fe48c4bd5d2900bfc37e9ed9

SHA1
eff15800ab45db4edef9206a9f7d61a7343ae890

SHA256
0f8283f150667321f9a5b768c70535df6a3f38b137603f2cf665f8e4f4a3adee

SHA512
74e8f44325b8b1394b30c4bde7e6498e256b176f4b061bee5159b608c0163820fffa2ef51176fa438c3cdfbb88dbc8436faa7bee2a8c374c0daa511000410293

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
268KB

MD5
15cccb964efeeb58f9cd8ebf5757b3a1

SHA1
cda2c453e19b020166b7a89d4389d33300a7febb

SHA256
4dbb6abdd207bfb4d794a8305d28e352deb8281efe70e4365d05263f80c395a7

SHA512
b933d0a0ca1ea341d0ef24903b68f09115859515b1949be109f05b414a2656e16bba686edac405fc9174ddbbf0942abf8042707b82a7382782ca3b838f8628fa

Download Submit
\ProgramData\alspb.exe

Filesize
454KB

MD5
522ef08c00af94fc33c0793978458e90

SHA1
c87a447e46c11aeb8805386727364b196b7fc0ca

SHA256
c199aa4e0f320ed06738fa54a1661bb7801bb6fc7df7152f246179150a0c908d

SHA512
43486a35cea8f390e5ecd6661020d1433c33a9dd74334016b063fda22f8a6a3feebb57b93c4e225a5f55669e06e1603c329c42bf86d215dbcfa1673ff1ce7df4

Download Submit
memory/1688-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2252-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads