1d1c2182bbe3fce5d2eaf2a0777316ce367eb576e7e6fec6474628ae05ea5fc2

Analysis

max time kernel
160s
max time network
137s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2fa0ada55fc6ca8518b4cd1f15497550.exe
Size

153KB
MD5

2fa0ada55fc6ca8518b4cd1f15497550
SHA1

0ddaf5a9b85bc130c91bd7ed45f66efbb4f25d73
SHA256

1d1c2182bbe3fce5d2eaf2a0777316ce367eb576e7e6fec6474628ae05ea5fc2
SHA512

938f8a89b0e497b65daba444f3d69a126ab63ccbf464d6914fae7c71afdd71479ce9403cd88a3944edf2f66e6b52639237c3ae4433ba0a5ed10a437044763334
SSDEEP

3072:r9qjlpVNyo6En33QC5XbdktNMsBMpgWG34TVDOJ:r9qjVN1jnHQydk49qYDOJ

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
848	Hkamea.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1732-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-10-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1732-6870-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-26352-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-26354-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1732-36070-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-41241-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-41243-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-41244-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-41245-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-41247-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-41248-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-41249-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-41250-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-41251-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-41252-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-41253-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/848-41254-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\WEK9EMDHI9 = "C:\\Windows\\Hkamea.exe"	Hkamea.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Hkamea.exe	NEAS.2fa0ada55fc6ca8518b4cd1f15497550.exe
File opened for modification	C:\Windows\Hkamea.exe	NEAS.2fa0ada55fc6ca8518b4cd1f15497550.exe
File created	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	NEAS.2fa0ada55fc6ca8518b4cd1f15497550.exe
File opened for modification	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	NEAS.2fa0ada55fc6ca8518b4cd1f15497550.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\International	Hkamea.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	NEAS.2fa0ada55fc6ca8518b4cd1f15497550.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe
848	Hkamea.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
848	Hkamea.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 848	1732	NEAS.2fa0ada55fc6ca8518b4cd1f15497550.exe	27
PID 1732 wrote to memory of 848	1732	NEAS.2fa0ada55fc6ca8518b4cd1f15497550.exe	27
PID 1732 wrote to memory of 848	1732	NEAS.2fa0ada55fc6ca8518b4cd1f15497550.exe	27
PID 1732 wrote to memory of 848	1732	NEAS.2fa0ada55fc6ca8518b4cd1f15497550.exe	27

C:\Users\Admin\AppData\Local\Temp\NEAS.2fa0ada55fc6ca8518b4cd1f15497550.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2fa0ada55fc6ca8518b4cd1f15497550.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\Hkamea.exe
  C:\Windows\Hkamea.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Hkamea.exe

Filesize
153KB

MD5
2fa0ada55fc6ca8518b4cd1f15497550

SHA1
0ddaf5a9b85bc130c91bd7ed45f66efbb4f25d73

SHA256
1d1c2182bbe3fce5d2eaf2a0777316ce367eb576e7e6fec6474628ae05ea5fc2

SHA512
938f8a89b0e497b65daba444f3d69a126ab63ccbf464d6914fae7c71afdd71479ce9403cd88a3944edf2f66e6b52639237c3ae4433ba0a5ed10a437044763334

Download Submit
C:\Windows\Hkamea.exe

Filesize
153KB

MD5
2fa0ada55fc6ca8518b4cd1f15497550

SHA1
0ddaf5a9b85bc130c91bd7ed45f66efbb4f25d73

SHA256
1d1c2182bbe3fce5d2eaf2a0777316ce367eb576e7e6fec6474628ae05ea5fc2

SHA512
938f8a89b0e497b65daba444f3d69a126ab63ccbf464d6914fae7c71afdd71479ce9403cd88a3944edf2f66e6b52639237c3ae4433ba0a5ed10a437044763334

Download Submit
C:\Windows\Hkamea.exe

Filesize
153KB

MD5
2fa0ada55fc6ca8518b4cd1f15497550

SHA1
0ddaf5a9b85bc130c91bd7ed45f66efbb4f25d73

SHA256
1d1c2182bbe3fce5d2eaf2a0777316ce367eb576e7e6fec6474628ae05ea5fc2

SHA512
938f8a89b0e497b65daba444f3d69a126ab63ccbf464d6914fae7c71afdd71479ce9403cd88a3944edf2f66e6b52639237c3ae4433ba0a5ed10a437044763334

Download Submit
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Filesize
354B

MD5
2acc6079067da59c13f965b89ae776fa

SHA1
3d991c5ea45dca188dbdf233ac869a3923d75325

SHA256
d7f97cd693ab0eaf692314533f918bc47b1dab84660c3878a5c241ffbe17d382

SHA512
ab5e593c02e88eccfb4acdf5e2df7381b616ca73b2783cb8b08132e1f557f401074ea05928cd6b098855eade028f1c4a83888a6596e043d5f95fee7ebf020a0e

Download Submit
memory/848-41241-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-41249-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-41254-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-26352-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-26354-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-41253-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-41252-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-41251-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-41243-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-41244-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-41245-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-41247-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-41248-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-10-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/848-41250-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1732-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1732-0-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/1732-36070-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1732-6870-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download