380600a4f4a22ef6dd6a6c70bce5c3892005f3968f6b959e474a5444e4c5316e

Analysis

max time kernel
145s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Size

485KB
MD5

7ed6785e76d2f5fd2dc88b463ffc7e00
SHA1

b300a15e154c4bd15cace6f70b9b83bc56788aad
SHA256

380600a4f4a22ef6dd6a6c70bce5c3892005f3968f6b959e474a5444e4c5316e
SHA512

b4d2cf97067644116629bedeb1fd57ba5452aad556616dedf7a40339ad3e1ac44e362e16b59ab549b665e19defe8739f207c631978b413fd6d038e69c1f89679
SSDEEP

6144:2dspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70NqO:M8kxNhOZElO5kkWjhD4Ay

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2656	EOPR.EXE

Loads dropped DLL 2 IoCs

pid	Process
1264	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
1264	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	EOPR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\RVRFXVL.EXE \"%1\" %*"	EOPR.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1264-0-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/files/0x0031000000014bf2-10.dat	upx
behavioral1/files/0x000b00000001201c-20.dat	upx
behavioral1/files/0x000b00000001201c-27.dat	upx
behavioral1/files/0x000b00000001201c-22.dat	upx
behavioral1/memory/1264-28-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2656-30-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/files/0x000b00000001201c-31.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCVKDT.EXE = "C:\\Users\\TCVKDT.EXE"	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	EOPR.EXE
File opened (read-only)	\??\E:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\H:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\R:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\G:	EOPR.EXE
File opened (read-only)	\??\I:	EOPR.EXE
File opened (read-only)	\??\L:	EOPR.EXE
File opened (read-only)	\??\M:	EOPR.EXE
File opened (read-only)	\??\P:	EOPR.EXE
File opened (read-only)	\??\G:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\O:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\T:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\Q:	EOPR.EXE
File opened (read-only)	\??\S:	EOPR.EXE
File opened (read-only)	\??\K:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\Q:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\K:	EOPR.EXE
File opened (read-only)	\??\R:	EOPR.EXE
File opened (read-only)	\??\T:	EOPR.EXE
File opened (read-only)	\??\U:	EOPR.EXE
File opened (read-only)	\??\V:	EOPR.EXE
File opened (read-only)	\??\S:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\V:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\E:	EOPR.EXE
File opened (read-only)	\??\I:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\L:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\M:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\H:	EOPR.EXE
File opened (read-only)	\??\N:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\P:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\U:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\J:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\J:	EOPR.EXE
File opened (read-only)	\??\O:	EOPR.EXE

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\HZTK.EXE	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened for modification	C:\Program Files\HZTK.EXE	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File created	C:\Program Files\EOPR.EXE	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened for modification	C:\Program Files\EOPR.EXE	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\RVRFXVL.EXE	EOPR.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\ANQBBQ.EXE %1"	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\RVRFXVL.EXE \"%1\" %*"	EOPR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Program Files\\HZTK.EXE %1"	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	EOPR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\HZTK.EXE \"%1\""	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\TCVKDT.EXE %1"	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Users\\TCVKDT.EXE \"%1\" %*"	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2656	EOPR.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 2656	1264	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe	28
PID 1264 wrote to memory of 2656	1264	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe	28
PID 1264 wrote to memory of 2656	1264	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe	28
PID 1264 wrote to memory of 2656	1264	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Program Files\EOPR.EXE
  "C:\Program Files\EOPR.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\EOPR.EXE

Filesize
485KB

MD5
9ce38af46efe02e2807f0427ce4791ce

SHA1
3c6cf5a83e57af4e2e49f55a10436f2559109e8e

SHA256
7dc038ab85b8610a3128e5b6d3d9e76457343f66edda769c63073ef71443b4e5

SHA512
f75a7ddc1d8612029888375afa56612a12f891e8728e15a7b9ee9c514b9cb1dc2ccea3065e512be694de70d56a4aa82dd645e889db0c2135feb77add20165a3f

Download Submit
C:\Program Files\EOPR.EXE

Filesize
485KB

MD5
9ce38af46efe02e2807f0427ce4791ce

SHA1
3c6cf5a83e57af4e2e49f55a10436f2559109e8e

SHA256
7dc038ab85b8610a3128e5b6d3d9e76457343f66edda769c63073ef71443b4e5

SHA512
f75a7ddc1d8612029888375afa56612a12f891e8728e15a7b9ee9c514b9cb1dc2ccea3065e512be694de70d56a4aa82dd645e889db0c2135feb77add20165a3f

Download Submit
C:\Program Files\HZTK.EXE

Filesize
485KB

MD5
f426cfb7e902e8b870fd8b96fc2624a4

SHA1
e1d74ae3fc70e3a67807b970eb52f0a9c359190d

SHA256
de3b1975ae1513c3349ea1f7d94d294483615c9c89d0c4cf51949a05348290cd

SHA512
6b0bc63ddb67ba051ea6a8734b58eb1b9e31b310edf7586d4a5ed54659804e69d39a23bec49584a66ec74fc6aab6f72d162784b4f4f1795cdc6b20f871f5805e

Download Submit
C:\filedebug

Filesize
219B

MD5
4873521d1bb96507037c52118fc88425

SHA1
a688d82fc6424bd42fc6d7992f1c280a454fbe5c

SHA256
5f4c6f7da525e4c7fab3884061b93a96c26e2dd7d4d3e1dee04d096a0463625e

SHA512
b964834f796346247268e01789f6dc9ca495282dc719a664ba893d474d8ebd5694d379c15da12a7a54d4b8e07ba1b978c6f9aaae9758e54a6792d6522bca6cd0

Download Submit
\??\c:\filedebug

Filesize
243B

MD5
d3d952aad01089d1cf968b108348748f

SHA1
0ab7664e14b00b02596bc575200b0a9b8a301428

SHA256
fccd19390955d4a43f68c8a59a1e03dee467a5db511ae4021cd1c6e487be85b2

SHA512
e15637e8dbcec5a9b09de416a27c82e72932ccd238ffbaed97a3b08754881c700260833d59ee73ba0a65b3d5c849e2ae6fa781d25732447009fbaae34f154049

Download Submit
\Program Files\EOPR.EXE

Filesize
485KB

MD5
9ce38af46efe02e2807f0427ce4791ce

SHA1
3c6cf5a83e57af4e2e49f55a10436f2559109e8e

SHA256
7dc038ab85b8610a3128e5b6d3d9e76457343f66edda769c63073ef71443b4e5

SHA512
f75a7ddc1d8612029888375afa56612a12f891e8728e15a7b9ee9c514b9cb1dc2ccea3065e512be694de70d56a4aa82dd645e889db0c2135feb77add20165a3f

Download Submit
\Program Files\EOPR.EXE

Filesize
485KB

MD5
9ce38af46efe02e2807f0427ce4791ce

SHA1
3c6cf5a83e57af4e2e49f55a10436f2559109e8e

SHA256
7dc038ab85b8610a3128e5b6d3d9e76457343f66edda769c63073ef71443b4e5

SHA512
f75a7ddc1d8612029888375afa56612a12f891e8728e15a7b9ee9c514b9cb1dc2ccea3065e512be694de70d56a4aa82dd645e889db0c2135feb77add20165a3f

Download Submit
memory/1264-26-0x0000000001F40000-0x0000000001FB0000-memory.dmp

Filesize
448KB

Download
memory/1264-0-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1264-28-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1264-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2656-29-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2656-30-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads