afa79997cf3a73d44d9ae99b8c7db07e5a58b21b0152370b6e7de2106d19ff55

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 18:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

58c400a758f7795941840dccc26bd2a4_NEAS.exe
Size

133KB
MD5

58c400a758f7795941840dccc26bd2a4
SHA1

ffcb67cc5b5d2c34b887066474446e38dd01bfab
SHA256

afa79997cf3a73d44d9ae99b8c7db07e5a58b21b0152370b6e7de2106d19ff55
SHA512

30bbfe83f97e47d6dba39d6b90e955f5398c215d4c44a198619d6e0e539ce0053e0f33316e5a263556faa293a6a0fb4826ac8309eea1602ab6287f5b769100ba
SSDEEP

1536:67Zf/FAlsM1++PJHJXFAIuZAIuekc9zBfA1OjBWgOI3uicwa+shcBEN2iqxtdSCI:+nymCAIuZAIuYSMjoqtMHfhf5Sw

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4835) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3120-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x000c000000023b51-2.dat	upx
behavioral2/files/0x0007000000022971-7.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\AssertRegister.vstm.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\ssleay32.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp	58c400a758f7795941840dccc26bd2a4_NEAS.exe

C:\Users\Admin\AppData\Local\Temp\58c400a758f7795941840dccc26bd2a4_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\58c400a758f7795941840dccc26bd2a4_NEAS.exe"
1⤵
- Drops file in Program Files directory
PID:3120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-17203666-93769886-2545153620-1000\desktop.ini.tmp

Filesize
134KB

MD5
ac9d086bd1331cf3d00442d9765b51dd

SHA1
5de3a39521a1e7ecafed9ba8c910717041de0c6e

SHA256
5bdc05be3d43b1f400e03c232249730f312f6ce6eeb864027e6cc553099bc820

SHA512
b6a85071f85a2df8bbb32ee61bc3bffcaf3adfd498091e7b22b75abeab71dc50034ed24742f5c76013945aadf1a7aeb30f688ed35ccd7b67c1ce678c14c3a53c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
232KB

MD5
cacb2a8847695a9d03c7d1f248e71950

SHA1
daafabdf534f0b49ab7eaf51016da7afe2864eec

SHA256
b4bfc910efbc4e9253743b558c5004ec3931a89a484eed74210f35a8f8ab2a04

SHA512
fd86b3fbb4963e72011f7105d29504663078645170fad3b72a6fb3961ae93e5f0b3e66012213424d936be093d371bd704948cc5d1c36d19ece05969ef54efcc5

Download Submit
memory/3120-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads