5afddc41e8c0425b7933b5b1e966bf0288cf8798a01112088a3bb5d3d6cad744

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7981644a9f3837412fcf979d7aae99c0.exe
Size

584KB
MD5

7981644a9f3837412fcf979d7aae99c0
SHA1

b1c7adc410750818895afcb9cb40dc5422f6c9d2
SHA256

5afddc41e8c0425b7933b5b1e966bf0288cf8798a01112088a3bb5d3d6cad744
SHA512

4578efe49278a730cbd646f9c9ef4aae42260ee9d06697696490243e201c4903f3370835e8882d949f03d1e1ed6a76fc1dc71cb9568c992e4cd4b449e1af53aa
SSDEEP

12288:5BAsu/1OsCzbT7YebtN2rMFpouF0/DD0:eMzEgNPFpoz/0

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1924	Checking.exe

Loads dropped DLL 2 IoCs

pid	Process
2272	NEAS.7981644a9f3837412fcf979d7aae99c0.exe
2272	NEAS.7981644a9f3837412fcf979d7aae99c0.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2272-0-0x0000000000400000-0x0000000000581000-memory.dmp	upx
behavioral1/files/0x000f000000012272-2.dat	upx
behavioral1/files/0x000f000000012272-7.dat	upx
behavioral1/files/0x000f000000012272-4.dat	upx
behavioral1/files/0x000f000000012272-9.dat	upx
behavioral1/memory/2272-11-0x0000000000400000-0x0000000000581000-memory.dmp	upx
behavioral1/memory/1924-10-0x0000000000400000-0x0000000000581000-memory.dmp	upx
behavioral1/memory/1924-12-0x0000000000400000-0x0000000000581000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\installation\Checking.exe	NEAS.7981644a9f3837412fcf979d7aae99c0.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2272	NEAS.7981644a9f3837412fcf979d7aae99c0.exe
2272	NEAS.7981644a9f3837412fcf979d7aae99c0.exe
2272	NEAS.7981644a9f3837412fcf979d7aae99c0.exe
2272	NEAS.7981644a9f3837412fcf979d7aae99c0.exe
1924	Checking.exe
1924	Checking.exe
1924	Checking.exe
1924	Checking.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1924	2272	NEAS.7981644a9f3837412fcf979d7aae99c0.exe	28
PID 2272 wrote to memory of 1924	2272	NEAS.7981644a9f3837412fcf979d7aae99c0.exe	28
PID 2272 wrote to memory of 1924	2272	NEAS.7981644a9f3837412fcf979d7aae99c0.exe	28
PID 2272 wrote to memory of 1924	2272	NEAS.7981644a9f3837412fcf979d7aae99c0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.7981644a9f3837412fcf979d7aae99c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7981644a9f3837412fcf979d7aae99c0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Program Files\installation\Checking.exe
  "C:\Program Files\installation\Checking.exe" "33201"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\installation\Checking.exe

Filesize
584KB

MD5
84e8ff87655551fba6fcaeb6f8ce9cd3

SHA1
4751d035c1c1a6bba0b3743a6148d324b57eee09

SHA256
d62f0ac62000c6e18bcf5bbc96f244686a92ba2e841eeb0e815fd853e309f1ca

SHA512
9d78bcf3be86a412f3b0df9f130d60ed71b881b067c1c7b3f41ff851a79dadfc3fa48f3add301813363dbc7679d4be045a1f0d9abf73874228e0b669155c1400

Download Submit
C:\Program Files\installation\Checking.exe

Filesize
584KB

MD5
84e8ff87655551fba6fcaeb6f8ce9cd3

SHA1
4751d035c1c1a6bba0b3743a6148d324b57eee09

SHA256
d62f0ac62000c6e18bcf5bbc96f244686a92ba2e841eeb0e815fd853e309f1ca

SHA512
9d78bcf3be86a412f3b0df9f130d60ed71b881b067c1c7b3f41ff851a79dadfc3fa48f3add301813363dbc7679d4be045a1f0d9abf73874228e0b669155c1400

Download Submit
\Program Files\installation\Checking.exe

Filesize
584KB

MD5
84e8ff87655551fba6fcaeb6f8ce9cd3

SHA1
4751d035c1c1a6bba0b3743a6148d324b57eee09

SHA256
d62f0ac62000c6e18bcf5bbc96f244686a92ba2e841eeb0e815fd853e309f1ca

SHA512
9d78bcf3be86a412f3b0df9f130d60ed71b881b067c1c7b3f41ff851a79dadfc3fa48f3add301813363dbc7679d4be045a1f0d9abf73874228e0b669155c1400

Download Submit
\Program Files\installation\Checking.exe

Filesize
584KB

MD5
84e8ff87655551fba6fcaeb6f8ce9cd3

SHA1
4751d035c1c1a6bba0b3743a6148d324b57eee09

SHA256
d62f0ac62000c6e18bcf5bbc96f244686a92ba2e841eeb0e815fd853e309f1ca

SHA512
9d78bcf3be86a412f3b0df9f130d60ed71b881b067c1c7b3f41ff851a79dadfc3fa48f3add301813363dbc7679d4be045a1f0d9abf73874228e0b669155c1400

Download Submit
memory/1924-10-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1924-12-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2272-0-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2272-8-0x00000000025D0000-0x0000000002751000-memory.dmp

Filesize
1.5MB

Download
memory/2272-11-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download