380600a4f4a22ef6dd6a6c70bce5c3892005f3968f6b959e474a5444e4c5316e

Analysis

max time kernel
146s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Size

485KB
MD5

7ed6785e76d2f5fd2dc88b463ffc7e00
SHA1

b300a15e154c4bd15cace6f70b9b83bc56788aad
SHA256

380600a4f4a22ef6dd6a6c70bce5c3892005f3968f6b959e474a5444e4c5316e
SHA512

b4d2cf97067644116629bedeb1fd57ba5452aad556616dedf7a40339ad3e1ac44e362e16b59ab549b665e19defe8739f207c631978b413fd6d038e69c1f89679
SSDEEP

6144:2dspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70NqO:M8kxNhOZElO5kkWjhD4Ay

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
624	HGRXP.EXE

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	HGRXP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "F:\\$RECYCLE.BIN\\VBKAYCF.EXE \"%1\" %*"	HGRXP.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4784-0-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/files/0x000100000000002a-10.dat	upx
behavioral2/files/0x0009000000023108-21.dat	upx
behavioral2/files/0x0009000000023108-22.dat	upx
behavioral2/memory/4784-24-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/624-25-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GIHK.EXE = "C:\\Program Files\\GIHK.EXE"	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\L:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\I:	HGRXP.EXE
File opened (read-only)	\??\R:	HGRXP.EXE
File opened (read-only)	\??\S:	HGRXP.EXE
File opened (read-only)	\??\I:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\J:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\V:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\K:	HGRXP.EXE
File opened (read-only)	\??\U:	HGRXP.EXE
File opened (read-only)	\??\H:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\P:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\U:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\M:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\R:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\L:	HGRXP.EXE
File opened (read-only)	\??\N:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\J:	HGRXP.EXE
File opened (read-only)	\??\T:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\E:	HGRXP.EXE
File opened (read-only)	\??\G:	HGRXP.EXE
File opened (read-only)	\??\N:	HGRXP.EXE
File opened (read-only)	\??\O:	HGRXP.EXE
File opened (read-only)	\??\G:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\O:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\S:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\P:	HGRXP.EXE
File opened (read-only)	\??\H:	HGRXP.EXE
File opened (read-only)	\??\M:	HGRXP.EXE
File opened (read-only)	\??\T:	HGRXP.EXE
File opened (read-only)	\??\V:	HGRXP.EXE
File opened (read-only)	\??\K:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\Q:	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened (read-only)	\??\Q:	HGRXP.EXE

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\HGRXP.EXE	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened for modification	C:\Program Files\HGRXP.EXE	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File created	C:\Program Files\OTDAJ.EXE	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File created	C:\Program Files\GIHK.EXE	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
File opened for modification	C:\Program Files\GIHK.EXE	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe

Modifies registry class 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "F:\\$RECYCLE.BIN\\VFGKSUX.EXE %1"	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "F:\\$RECYCLE.BIN\\VBKAYCF.EXE \"%1\" %*"	HGRXP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files\\OTDAJ.EXE %1"	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "F:\\$RECYCLE.BIN\\VFGKSUX.EXE %1"	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	HGRXP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\VFGKSUX.EXE \"%1\""	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\GIHK.EXE \"%1\" %*"	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
624	HGRXP.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 624	4784	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe	86
PID 4784 wrote to memory of 624	4784	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe	86
PID 4784 wrote to memory of 624	4784	NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7ed6785e76d2f5fd2dc88b463ffc7e00.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Program Files\HGRXP.EXE
  "C:\Program Files\HGRXP.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\HGRXP.EXE

Filesize
485KB

MD5
3eca012a3631c3413bca5ebd2c19fc18

SHA1
cc6e29e9bafdb04750ae976db7f21f21022b0955

SHA256
d7a17af83f61a6267590b4233d348347bcf6c0a0bd5e3a19bc84295267a77d12

SHA512
e35dc38f778ec3caf51ff9ff7084ea8770776b6be6041753944477298dd2768ad19e390184486d236dbe4afa86e23abfb04f0e6384d3d33728f1d294b07471ae

Download Submit
C:\Program Files\HGRXP.EXE

Filesize
485KB

MD5
3eca012a3631c3413bca5ebd2c19fc18

SHA1
cc6e29e9bafdb04750ae976db7f21f21022b0955

SHA256
d7a17af83f61a6267590b4233d348347bcf6c0a0bd5e3a19bc84295267a77d12

SHA512
e35dc38f778ec3caf51ff9ff7084ea8770776b6be6041753944477298dd2768ad19e390184486d236dbe4afa86e23abfb04f0e6384d3d33728f1d294b07471ae

Download Submit
F:\$RECYCLE.BIN\VFGKSUX.EXE

Filesize
486KB

MD5
02a20e50d1f61e41f66de6c9da4913f0

SHA1
08c066b92a8b8b51fcc90dd382c4cbc39cc5e2e0

SHA256
a86bae063914ffd983e6f4ad7beb97dda2cbaa3c77d4336a08eda6afca569cec

SHA512
a3488ed8e579d6459f79729d33cc947829cfbfad72bc88fac8984e1bf5470a1af93e52daa7e3202677e24cc45afb1734801f95c675253384dc9e0b30f1dd4351

Download Submit
\??\c:\filedebug

Filesize
283B

MD5
578c6b5d2b296fbdb11dbc89c0b9cb47

SHA1
fa8bc3c42970f6f6f6c59b2f62127fe5c21476d1

SHA256
7d62c35925aba74fa025472d653fb877eb77900ab5ad55529022a7b7d6be356a

SHA512
fc2e0f0b50fe68b88d764b3f2204c24c942ff82c5fc19d4e7e44d32be4e7164594b4cc1df71ca97b117610d356bc351a34ecb329787c20a6ec21731afa312531

Download Submit
memory/624-23-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/624-25-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4784-0-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4784-1-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4784-24-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads