857909b7cbefc6c71c68f6e36f435d4460c777d480c4b50cb3d287b0b48b6352

General

Target

NEAS.620b03c011705033214ddbad3d6b4b80.exe
Size

227KB
MD5

620b03c011705033214ddbad3d6b4b80
SHA1

eb7108ed5b632675970e54d2f32fc7dc6bf89da8
SHA256

857909b7cbefc6c71c68f6e36f435d4460c777d480c4b50cb3d287b0b48b6352
SHA512

e0bca11e2d606552a18ecede33892a25f43b5171faea173c6b66c969dcfe236899adc472eff39ec262479aadd7da200202a9cde2e023867bb0b490eec2a7db0b
SSDEEP

6144:NbKif9ZjWcmUUa2jn2FLjzbcwfSZ4sXUzQI6F:lhFZMhjnWjzwwXEI6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4324	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe
648	NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5104-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x00090000000231f0-3.dat	upx
behavioral2/files/0x00090000000231f0-7.dat	upx
behavioral2/memory/4324-9-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x00070000000231fe-17.dat	upx
behavioral2/memory/648-18-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/5104-16-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x00070000000231fe-19.dat	upx
behavioral2/files/0x00090000000231f0-8.dat	upx
behavioral2/memory/648-20-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4324-21-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe\""	NEAS.620b03c011705033214ddbad3d6b4b80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe\""	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4472	648	WerFault.exe	89

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	NEAS.620b03c011705033214ddbad3d6b4b80.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85e985621d5b4e01	NEAS.620b03c011705033214ddbad3d6b4b80.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85e985621d5b4e01	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 4324	5104	NEAS.620b03c011705033214ddbad3d6b4b80.exe	88
PID 5104 wrote to memory of 4324	5104	NEAS.620b03c011705033214ddbad3d6b4b80.exe	88
PID 5104 wrote to memory of 4324	5104	NEAS.620b03c011705033214ddbad3d6b4b80.exe	88
PID 4324 wrote to memory of 648	4324	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe	89
PID 4324 wrote to memory of 648	4324	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe	89
PID 4324 wrote to memory of 648	4324	NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe
    3⤵
    - Executes dropped EXE
    PID:648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 408
      4⤵
      Program crash
      PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 648 -ip 648
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe

Filesize
227KB

MD5
5a56ee1424fda0c338da31f52dc62afe

SHA1
d1c80cfec96e898064dadf77fd37629a00c71b9f

SHA256
d6e11c9eca50288293760910e0c8b168b2fc77db2aeec67c94aa96607b3bd564

SHA512
95313e860dc1e223e79fdbdd79c2e782c6fc78269d2e7a133bc7ebc4d111f722db1ba98d580d8e90faf1299220ddcd6d04fa5ae73633cdd15fa850a8a4b82bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe

Filesize
227KB

MD5
5a56ee1424fda0c338da31f52dc62afe

SHA1
d1c80cfec96e898064dadf77fd37629a00c71b9f

SHA256
d6e11c9eca50288293760910e0c8b168b2fc77db2aeec67c94aa96607b3bd564

SHA512
95313e860dc1e223e79fdbdd79c2e782c6fc78269d2e7a133bc7ebc4d111f722db1ba98d580d8e90faf1299220ddcd6d04fa5ae73633cdd15fa850a8a4b82bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202.exe

Filesize
227KB

MD5
5a56ee1424fda0c338da31f52dc62afe

SHA1
d1c80cfec96e898064dadf77fd37629a00c71b9f

SHA256
d6e11c9eca50288293760910e0c8b168b2fc77db2aeec67c94aa96607b3bd564

SHA512
95313e860dc1e223e79fdbdd79c2e782c6fc78269d2e7a133bc7ebc4d111f722db1ba98d580d8e90faf1299220ddcd6d04fa5ae73633cdd15fa850a8a4b82bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe

Filesize
227KB

MD5
ff9f9b1e376bffbdf7c1f1c041dffcac

SHA1
ac0180ea0e4c456812e192b314c05b50ece05134

SHA256
053c3feb24844d2916d7e00d0c1d45c7d315e5ef973e87f9001084b7e2f3593d

SHA512
03f24908032873d5513cc23528f301a6b7a28ed3892fee8a578ea4ca20a45ddaab486238e6e0532f15779029f27ca703c960a7223259797a74464218cc4f901e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.620b03c011705033214ddbad3d6b4b80_3202a.exe

Filesize
227KB

MD5
ff9f9b1e376bffbdf7c1f1c041dffcac

SHA1
ac0180ea0e4c456812e192b314c05b50ece05134

SHA256
053c3feb24844d2916d7e00d0c1d45c7d315e5ef973e87f9001084b7e2f3593d

SHA512
03f24908032873d5513cc23528f301a6b7a28ed3892fee8a578ea4ca20a45ddaab486238e6e0532f15779029f27ca703c960a7223259797a74464218cc4f901e

Download Submit
memory/648-18-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/648-20-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4324-9-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4324-21-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5104-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5104-16-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads