Analysis
max time kernel: 26s
max time network: 32s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/10/2023, 21:08
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe
  Resource: win10v2004-20230915-en
The results on this page are from the behavioral2 run (platform windows10-2004_x64, resource win10v2004-20230915-en, as listed above).
Errors
General
Target: NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe
Size: 937KB
MD5: a1807f6a73d1ff766096c4ecc2110576
SHA1: 0ee66413982bce51184292b48a2a8b70719a4fc6
SHA256: 236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778
SHA512: c2ce5d239e03bff38eab8bacb7fad701641a970b38554565275f947591d9e17174d6985b0222bfdb0aa90df67c3531b7481c4d543c0fe8f14330113016f0dd61
SSDEEP: 24576:dy6ePyPHA9rvt87AHlm3HsL9Kv1Yh+f6K7fz0zU1:467g9TmcHk3+AWK7fz+U
Malware Config
Extracted family: amadey
Version: 3.87
C2: http://77.91.68.18/nice/index.php
install_dir: b40d11255d
install_file: saves.exe
strings_key: fa622dfc42544927a6471829ee1fa9fe
Signatures
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
(description, ioc, process)
Key created     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection    a8854327.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    a8854327.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"    a8854327.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    a8854327.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    a8854327.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"    a8854327.exe
Note: these are the Windows Defender Group Policy values; DisableRealtimeMonitoring = 1 switches real-time protection off where the policy is honoured. The paths are recorded under WOW6432Node because a8854327.exe is a 32-bit process; when checking a live host, inspect both the WOW6432Node view and the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection path.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
(description, ioc, process)
Key value queried    \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation    b8566669.exe
-
Executes dropped EXE 6 IoCs
(pid, process)
3752    v5602754.exe
4504    v5290923.exe
2296    v2425070.exe
2776    v7122780.exe
4440    a8854327.exe
4464    b8566669.exe
-
Windows security modification 2 IoCs
(description, ioc, process)
Key created     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features    a8854327.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"    a8854327.exe
Note: the write is recorded, but Tamper Protection is designed not to be switched off by a registry write from an ordinary process, so this value alone does not mean Tamper Protection was actually disabled on a real host with it enabled.
-
Adds Run key to start application 2 TTPs 5 IoCs
(description, ioc, process)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""    NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""    v5602754.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""    v5290923.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""    v2425070.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""    v7122780.exe
Note: the wextract_cleanupN RunOnce values are the stock clean-up entries written by IExpress (wextract) self-extracting packages: at next logon advpack.dll's DelNodeRunDLL32 deletes the IXP00n.TMP extraction directory. Five of them, one per nested IXP000..IXP004 directory, show the sample is a five-deep chain of IExpress packages; the entries remove the stages rather than persist them. Amadey's own install location from the config (install_dir b40d11255d, install_file saves.exe) is not among the behaviour recorded in this run.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 15 IoCs
(description, ioc, process)
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"    LogonUI.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM    LogonUI.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00    LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"    LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"    LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "229"    LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"    LogonUI.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent    LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"    LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"    LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"    LogonUI.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History    LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"    LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"    LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"    LogonUI.exe
Note: LogonUI.exe draws the logon and shutdown screen. These DWM and Explorer accent-colour writes under HKEY_USERS\.DEFAULT are the system's own theming, present only because the sample forced a shutdown (shutdown -s -t 0); they are noise, not malware indicators.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
(pid, process)
4440    a8854327.exe
4440    a8854327.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
(description, pid, process)
Token: SeDebugPrivilege             4440    a8854327.exe
Token: SeShutdownPrivilege          2724    shutdown.exe
Token: SeRemoteShutdownPrivilege    2724    shutdown.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
(pid, process)
1904    LogonUI.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
(pid, process, target pid, procid_target; each parent-to-child write was recorded three times, giving 24 IoCs for the eight pairs below)
4116    NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe    wrote to 3752    procid_target 86
3752    v5602754.exe    wrote to 4504    procid_target 87
4504    v5290923.exe    wrote to 2296    procid_target 88
2296    v2425070.exe    wrote to 2776    procid_target 89
2776    v7122780.exe    wrote to 4440    procid_target 90
2776    v7122780.exe    wrote to 4464    procid_target 97
4464    b8566669.exe    wrote to 364     procid_target 98
364     cmd.exe         wrote to 2724    procid_target 100
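The Defender policy writes, the TamperProtection write and the shutdown chain in the signatures above are the behaviours a host-telemetry rule would key on. The following Python is an added example, not part of the sandbox report and not any vendor's detection content. It runs over a handful of Sysmon-shaped events constructed inline to mirror this report (EventID 13 for registry value sets, EventID 1 for process creation, Sysmon field names; the events are hand-made test data, not captured telemetry), normalises the WOW6432Node and \REGISTRY\MACHINE spellings so both registry views match, and ignores the LogonUI.exe theming noise and a benign re-enable write. The rule names are ours.

```python
"""Host-telemetry rules for the behaviour recorded in this report.

Added example: not part of the sandbox report and not any vendor's detection
content. The events below are constructed inline to mirror the Signatures
section, using Sysmon field names (EventID 13 = RegistryEvent value set,
EventID 1 = ProcessCreate); they are hand-made test data.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Policy key whose Disable* values turn off Defender real-time protection.
DEFENDER_RTP = r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Key under which the report shows TamperProtection being written as 0.
DEFENDER_FEATURES = r"\Microsoft\Windows Defender\Features"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
SHUTDOWN_RE = re.compile(r"\bshutdown(\.exe)?\b.*[-/]s\b", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    process: str
    detail: str


def normalize_key(target: str) -> str:
    r"""Map \REGISTRY\MACHINE, HKEY_LOCAL_MACHINE and WOW6432Node spellings onto
    one HKLM\SOFTWARE\... form so the redirected 32-bit view written by
    a8854327.exe and the native view compare equal."""
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", target, flags=re.I)
    key = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", key, flags=re.I)
    key = re.sub(r"^HKLM\\SOFTWARE\\WOW6432Node\\", r"HKLM\\SOFTWARE\\", key, flags=re.I)
    return key


def dword_value(details: str):
    """Parse the data of a Sysmon RegistryEvent, e.g. 'DWORD (0x00000001)'."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m.group(1), 16) if m else None


def registry_rules(ev: dict) -> list:
    key = normalize_key(ev["TargetObject"])
    path, _, name = key.rpartition("\\")
    data = dword_value(ev.get("Details", ""))
    out = []
    # Rule 1: any Real-Time Protection Disable* policy value flipped to 1.
    if path.lower().endswith(DEFENDER_RTP.lower()) and name in RTP_DISABLE_VALUES and data == 1:
        out.append(Alert("defender_rtp_disabled", ev["Image"], f"{name}=1"))
    # Rule 2: TamperProtection written as 0. The write is worth an alert even
    # though Tamper Protection is not expected to honour it on a real host.
    if path.lower().endswith(DEFENDER_FEATURES.lower()) and name.lower() == "tamperprotection" and data == 0:
        out.append(Alert("defender_tamper_protection_off", ev["Image"], "TamperProtection=0"))
    return out


def process_rules(ev: dict) -> list:
    # Rule 3: a shutdown command launched by a binary running out of %TEMP%,
    # as b8566669.exe -> cmd.exe /k shutdown -s -t 0 does in this report.
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "")
    if SHUTDOWN_RE.search(cmd) and TEMP_DIR_RE.search(parent):
        return [Alert("shutdown_from_temp_binary", ev["Image"], f"parent={parent}")]
    return []


def detect(events) -> list:
    alerts = []
    for ev in events:
        if ev["EventID"] == 13:
            alerts.extend(registry_rules(ev))
        elif ev["EventID"] == 1:
            alerts.extend(process_rules(ev))
    return alerts


def summarize(alerts) -> dict:
    return dict(Counter(a.rule for a in alerts))


# Constructed test events mirroring the report (not captured telemetry).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe"
RTP = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": DROPPER, "TargetObject": RTP + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": DROPPER, "TargetObject": RTP + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": DROPPER, "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection", "Details": "DWORD (0x00000000)"},
    # Benign: the same value set back to 0 by a system process (re-enable).
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"},
    # Noise: LogonUI theming under HKU\.DEFAULT, as in the report.
    {"EventID": 13, "Image": r"C:\Windows\system32\LogonUI.exe", "TargetObject": r"HKU\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor", "Details": "DWORD (0xC4000000)"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /k shutdown -s -t 0', "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\shutdown.exe", "CommandLine": "shutdown -s -t 0", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    # Benign: an administrator's scheduled restart from an Explorer-launched shell.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c shutdown /r /t 60", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print(summarize(detect(SAMPLE_EVENTS)))
```

Only the cmd.exe launch carries the %TEMP% parent, so rule 3 fires once on that event and not on the child shutdown.exe; correlating the full chain back to the IXP004.TMP binary would need the parent's parent, which a single Sysmon event does not carry.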
Processes
Process tree as recorded (indentation shows depth; the sandbox marked depth with a trailing number):

[1] C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.236bd002777679b76a23909ad751fe13322cee61d5cd6f2988b5ad73b1367778_JC.exe"
    PID 4116
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5602754.exe
      PID 3752
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5290923.exe
        PID 4504
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2425070.exe
          PID 2296
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7122780.exe
            PID 2776
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8854327.exe
              PID 4440
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8566669.exe
              PID 4464
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /k shutdown -s -t 0
                PID 364
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\shutdown.exe
                  cmdline: shutdown -s -t 0
                  PID 2724
                  - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\LogonUI.exe
    cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa398b855 /state1:0x41c64e6d
    PID 1904
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads
-
Filesize: 831KB
MD5: 1f365f79e792d3d21c05d16ba4a303a8
SHA1: cdd54394267616a3ce108a9d8c8400fedfbca351
SHA256: 7a49cb10d892e408e58d3fd164f22758c299419fa500108c4f2c5c03dff005f1
SHA512: f997a5936dc06031312a29bad4ce8601d9a4685bd384ab2c642757679cc6a5a496396841aa1414a9631b09544997b97545edcfe1bd401b6a95ae8c87bedb41b9
-
Filesize: 706KB
MD5: 59cb97509d55179b699afa9c5c407ce3
SHA1: 69dd84a073ed2ee6c0842a387f92c2128ccf15cd
SHA256: e10d1cc91e3636f42977e217f29c4e5fca159aa69871fa241c06d2f0db686d21
SHA512: 4c2f449a4b6f6718e68d188a29460d6da2ca2f787740ed06a54ecbdda4e17519ca1b67886b20ba68f26077c2f0e88a9690abbb2cc77e5062ace93d1ca02ed4eb
-
Filesize: 551KB
MD5: a438ce3d49256bac762f943a8909909a
SHA1: f7d5c973779c53eb52aebe932a9eb26ac2564d94
SHA256: f4e7f3c0c2b391a36cf5c81bb558f997c2df05200e9a38d331892694f6924e12
SHA512: af5f05e7b102060c9e5d9c99541bccc00024395365eccc2bfe312fa0ab7ab6017ce462a8acb5f8fff747e6b603d468b728800dcea5e41c50d5e486a4378a5738
-
Filesize: 384KB
MD5: a517f984f4819aedf64cb779ec409fc5
SHA1: 309614685ea8747abbe097d9e110edb1aade981d
SHA256: 17a8a9702c61059064ef60847bc24c9dcaab061e41e9591b23df3be3ebbfabe4
SHA512: 8b0b0335ab7ccc2b105c5f64432a64fd4ffaf0ed96be343e33032bfbe3ecdd413222ca1d6744478dbcc4a36c7d4a5ed5e270d9b43f2ecca980a90964930cd918
-
Filesize: 184KB
MD5: 86e60d3c6b7a574d5599904da47d3955
SHA1: b160499b6cd745df984e8dd339cdfe24625ee5fc
SHA256: a34c3205391f7311f8137f7e301d4a44456f08f5ffa825ebaf798adfdb1e3034
SHA512: 4af617d3a42555807c2aadf42d17d061a9ec31799b52e461449651dd95ac8dc0150f39cf3e2ba578d64a3d475987eca79abda1a507dfa0088db61f85869ff390
-
Filesize: 333KB
MD5: 92e4486245785e61dec2ee306deb394c
SHA1: c42dc7dc08b374d8297b17fef829143824b5535d
SHA256: 37b0a7541d8d68ba7070c04bf22b29f6166965e0a553584af303b2679cd921ee
SHA512: 58b1c86938a21440c4f039d060699b986715caaf893f4515c36da77a8bbe793fc13faa4b57c2d7f85854ae577b70d9d1279192d31603cc53f584848b77b1b8f4