857909b7cbefc6c71c68f6e36f435d4460c777d480c4b50cb3d287b0b48b6352

Analysis

max time kernel
120s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.620b03c011705033214ddbad3d6b4b80.exe
Size

227KB
MD5

620b03c011705033214ddbad3d6b4b80
SHA1

eb7108ed5b632675970e54d2f32fc7dc6bf89da8
SHA256

857909b7cbefc6c71c68f6e36f435d4460c777d480c4b50cb3d287b0b48b6352
SHA512

e0bca11e2d606552a18ecede33892a25f43b5171faea173c6b66c969dcfe236899adc472eff39ec262479aadd7da200202a9cde2e023867bb0b490eec2a7db0b
SSDEEP

6144:NbKif9ZjWcmUUa2jn2FLjzbcwfSZ4sXUzQI6F:lhFZMhjnWjzwwXEI6

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2604	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe
2172	NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe

Loads dropped DLL 9 IoCs

pid	Process
1616	NEAS.620b03c011705033214ddbad3d6b4b80.exe
1616	NEAS.620b03c011705033214ddbad3d6b4b80.exe
2604	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe
2604	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1616-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x000c000000012269-5.dat	upx
behavioral1/files/0x000c000000012269-6.dat	upx
behavioral1/memory/1616-13-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2604-21-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x000c000000012269-15.dat	upx
behavioral1/memory/1616-12-0x00000000004C0000-0x00000000004FB000-memory.dmp	upx
behavioral1/files/0x000c000000012269-14.dat	upx
behavioral1/memory/2604-28-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x001c000000018b6f-29.dat	upx
behavioral1/files/0x001c000000018b6f-24.dat	upx
behavioral1/files/0x001c000000018b6f-22.dat	upx
behavioral1/files/0x000c000000012269-8.dat	upx
behavioral1/memory/2172-30-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x001c000000018b6f-31.dat	upx
behavioral1/files/0x001c000000018b6f-32.dat	upx
behavioral1/files/0x001c000000018b6f-34.dat	upx
behavioral1/files/0x001c000000018b6f-33.dat	upx
behavioral1/files/0x001c000000018b6f-35.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe\""	NEAS.620b03c011705033214ddbad3d6b4b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe\""	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe

Program crash 1 IoCs

pid	pid_target	Process
2592	2172	WerFault.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	NEAS.620b03c011705033214ddbad3d6b4b80.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c39357661f0842fd	NEAS.620b03c011705033214ddbad3d6b4b80.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c39357661f0842fd	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2604	1616	NEAS.620b03c011705033214ddbad3d6b4b80.exe	29
PID 1616 wrote to memory of 2604	1616	NEAS.620b03c011705033214ddbad3d6b4b80.exe	29
PID 1616 wrote to memory of 2604	1616	NEAS.620b03c011705033214ddbad3d6b4b80.exe	29
PID 1616 wrote to memory of 2604	1616	NEAS.620b03c011705033214ddbad3d6b4b80.exe	29
PID 2604 wrote to memory of 2172	2604	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe	31
PID 2604 wrote to memory of 2172	2604	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe	31
PID 2604 wrote to memory of 2172	2604	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe	31
PID 2604 wrote to memory of 2172	2604	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe	31
PID 2172 wrote to memory of 2592	2172	NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe	30
PID 2172 wrote to memory of 2592	2172	NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe	30
PID 2172 wrote to memory of 2592	2172	NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe	30
PID 2172 wrote to memory of 2592	2172	NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 124
1⤵
- Loads dropped DLL
- Program crash
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe

Filesize
227KB

MD5
bfc1acf7085f664d8007c7ae2fb75df3

SHA1
3a6b42dfa2f77551743695f68e504527e542dcd3

SHA256
06712208ee3bdef468978ce28ddc91d3cd55525a10c5fb66551cd8fd9872478a

SHA512
a2ba4acf82e182f06895ef5f3351d3becd9dd667bb00209b97e105b31d621c8e4e3f5e329ef92afe6f3a1fe6add46f7683bd7b8feeb05b98b3de0fb2e70e5187

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe

Filesize
227KB

MD5
bfc1acf7085f664d8007c7ae2fb75df3

SHA1
3a6b42dfa2f77551743695f68e504527e542dcd3

SHA256
06712208ee3bdef468978ce28ddc91d3cd55525a10c5fb66551cd8fd9872478a

SHA512
a2ba4acf82e182f06895ef5f3351d3becd9dd667bb00209b97e105b31d621c8e4e3f5e329ef92afe6f3a1fe6add46f7683bd7b8feeb05b98b3de0fb2e70e5187

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe

Filesize
227KB

MD5
bfc1acf7085f664d8007c7ae2fb75df3

SHA1
3a6b42dfa2f77551743695f68e504527e542dcd3

SHA256
06712208ee3bdef468978ce28ddc91d3cd55525a10c5fb66551cd8fd9872478a

SHA512
a2ba4acf82e182f06895ef5f3351d3becd9dd667bb00209b97e105b31d621c8e4e3f5e329ef92afe6f3a1fe6add46f7683bd7b8feeb05b98b3de0fb2e70e5187

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe

Filesize
227KB

MD5
5f3b7cd9e665500226649c68821243f1

SHA1
dd5441368a68f40dedbad8d9d1ff20c1dd37cb61

SHA256
d5206dc29c77fd2a679bff3e6cb07641c23273f03f4b68f5eb4ef46da227a23f

SHA512
e075cb069bcb9ca84dcd2ef5c721521d2392f71f168dbbcc1f4397b682c9e5a440482b5dc7b35842bba7a0aff9d7bc8da47980044a5390b192e19c92beaf7ee2

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe

Filesize
227KB

MD5
bfc1acf7085f664d8007c7ae2fb75df3

SHA1
3a6b42dfa2f77551743695f68e504527e542dcd3

SHA256
06712208ee3bdef468978ce28ddc91d3cd55525a10c5fb66551cd8fd9872478a

SHA512
a2ba4acf82e182f06895ef5f3351d3becd9dd667bb00209b97e105b31d621c8e4e3f5e329ef92afe6f3a1fe6add46f7683bd7b8feeb05b98b3de0fb2e70e5187

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe

Filesize
227KB

MD5
bfc1acf7085f664d8007c7ae2fb75df3

SHA1
3a6b42dfa2f77551743695f68e504527e542dcd3

SHA256
06712208ee3bdef468978ce28ddc91d3cd55525a10c5fb66551cd8fd9872478a

SHA512
a2ba4acf82e182f06895ef5f3351d3becd9dd667bb00209b97e105b31d621c8e4e3f5e329ef92afe6f3a1fe6add46f7683bd7b8feeb05b98b3de0fb2e70e5187

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe

Filesize
227KB

MD5
5f3b7cd9e665500226649c68821243f1

SHA1
dd5441368a68f40dedbad8d9d1ff20c1dd37cb61

SHA256
d5206dc29c77fd2a679bff3e6cb07641c23273f03f4b68f5eb4ef46da227a23f

SHA512
e075cb069bcb9ca84dcd2ef5c721521d2392f71f168dbbcc1f4397b682c9e5a440482b5dc7b35842bba7a0aff9d7bc8da47980044a5390b192e19c92beaf7ee2

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe

Filesize
227KB

MD5
5f3b7cd9e665500226649c68821243f1

SHA1
dd5441368a68f40dedbad8d9d1ff20c1dd37cb61

SHA256
d5206dc29c77fd2a679bff3e6cb07641c23273f03f4b68f5eb4ef46da227a23f

SHA512
e075cb069bcb9ca84dcd2ef5c721521d2392f71f168dbbcc1f4397b682c9e5a440482b5dc7b35842bba7a0aff9d7bc8da47980044a5390b192e19c92beaf7ee2

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe

Filesize
227KB

MD5
5f3b7cd9e665500226649c68821243f1

SHA1
dd5441368a68f40dedbad8d9d1ff20c1dd37cb61

SHA256
d5206dc29c77fd2a679bff3e6cb07641c23273f03f4b68f5eb4ef46da227a23f

SHA512
e075cb069bcb9ca84dcd2ef5c721521d2392f71f168dbbcc1f4397b682c9e5a440482b5dc7b35842bba7a0aff9d7bc8da47980044a5390b192e19c92beaf7ee2

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe

Filesize
227KB

MD5
5f3b7cd9e665500226649c68821243f1

SHA1
dd5441368a68f40dedbad8d9d1ff20c1dd37cb61

SHA256
d5206dc29c77fd2a679bff3e6cb07641c23273f03f4b68f5eb4ef46da227a23f

SHA512
e075cb069bcb9ca84dcd2ef5c721521d2392f71f168dbbcc1f4397b682c9e5a440482b5dc7b35842bba7a0aff9d7bc8da47980044a5390b192e19c92beaf7ee2

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe

Filesize
227KB

MD5
5f3b7cd9e665500226649c68821243f1

SHA1
dd5441368a68f40dedbad8d9d1ff20c1dd37cb61

SHA256
d5206dc29c77fd2a679bff3e6cb07641c23273f03f4b68f5eb4ef46da227a23f

SHA512
e075cb069bcb9ca84dcd2ef5c721521d2392f71f168dbbcc1f4397b682c9e5a440482b5dc7b35842bba7a0aff9d7bc8da47980044a5390b192e19c92beaf7ee2

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe

Filesize
227KB

MD5
5f3b7cd9e665500226649c68821243f1

SHA1
dd5441368a68f40dedbad8d9d1ff20c1dd37cb61

SHA256
d5206dc29c77fd2a679bff3e6cb07641c23273f03f4b68f5eb4ef46da227a23f

SHA512
e075cb069bcb9ca84dcd2ef5c721521d2392f71f168dbbcc1f4397b682c9e5a440482b5dc7b35842bba7a0aff9d7bc8da47980044a5390b192e19c92beaf7ee2

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe

Filesize
227KB

MD5
5f3b7cd9e665500226649c68821243f1

SHA1
dd5441368a68f40dedbad8d9d1ff20c1dd37cb61

SHA256
d5206dc29c77fd2a679bff3e6cb07641c23273f03f4b68f5eb4ef46da227a23f

SHA512
e075cb069bcb9ca84dcd2ef5c721521d2392f71f168dbbcc1f4397b682c9e5a440482b5dc7b35842bba7a0aff9d7bc8da47980044a5390b192e19c92beaf7ee2

Download Submit
memory/1616-12-0x00000000004C0000-0x00000000004FB000-memory.dmp

Filesize
236KB

Download
memory/1616-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1616-13-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1616-36-0x00000000004C0000-0x00000000004FB000-memory.dmp

Filesize
236KB

Download
memory/2172-30-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2604-28-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2604-21-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads