fb39b00a8b477a179f61f3f01de68d3805b45fbf3d83f7d8493812101075231a

Analysis

max time kernel
163s
max time network
187s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.35fc16fef268be86459d4be0aef1a340.exe
Size

28KB
MD5

35fc16fef268be86459d4be0aef1a340
SHA1

2286c2d02f5b004c8331aaf6282da276086fce3f
SHA256

fb39b00a8b477a179f61f3f01de68d3805b45fbf3d83f7d8493812101075231a
SHA512

527e24fab6626f36fc712d71b3195273fb1fdb0fd156cd56195cffd353540733d78e75c015035d2d2d2b02f04a2032d2314ff562562bc8a5217b9a8227896d56
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNbHV:Dv8IRRdsxq1DjJcqfW1

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2652	services.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1824-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1824-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000e000000015614-9.dat	upx
behavioral1/files/0x000e000000015614-7.dat	upx
behavioral1/memory/1824-10-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2652-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2652-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2652-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2652-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2652-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2652-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x003f00000000f609-40.dat	upx
behavioral1/memory/1824-42-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2652-51-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1824-62-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2652-63-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1824-130-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2652-131-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1824-173-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2652-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1824-607-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2652-608-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1824-1320-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2652-1321-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1824-2023-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2652-2084-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1824-2710-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2652-2792-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2652-3170-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.35fc16fef268be86459d4be0aef1a340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.35fc16fef268be86459d4be0aef1a340.exe
File opened for modification	C:\Windows\java.exe	NEAS.35fc16fef268be86459d4be0aef1a340.exe
File created	C:\Windows\java.exe	NEAS.35fc16fef268be86459d4be0aef1a340.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	NEAS.35fc16fef268be86459d4be0aef1a340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	NEAS.35fc16fef268be86459d4be0aef1a340.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.35fc16fef268be86459d4be0aef1a340.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.35fc16fef268be86459d4be0aef1a340.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.35fc16fef268be86459d4be0aef1a340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	NEAS.35fc16fef268be86459d4be0aef1a340.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.35fc16fef268be86459d4be0aef1a340.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	NEAS.35fc16fef268be86459d4be0aef1a340.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2652	1824	NEAS.35fc16fef268be86459d4be0aef1a340.exe	28
PID 1824 wrote to memory of 2652	1824	NEAS.35fc16fef268be86459d4be0aef1a340.exe	28
PID 1824 wrote to memory of 2652	1824	NEAS.35fc16fef268be86459d4be0aef1a340.exe	28
PID 1824 wrote to memory of 2652	1824	NEAS.35fc16fef268be86459d4be0aef1a340.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.35fc16fef268be86459d4be0aef1a340.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.35fc16fef268be86459d4be0aef1a340.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4b83ca22c4c4dae95f3b1a2f0e0f8cc

SHA1
a7e65af2133fef987db5674e5e614277fe53b5b2

SHA256
15b8b61174ae332979a5c81b663027c5502cb999019cd366b0093dffa0d07288

SHA512
c9bd9a658659f2a1c29594b6edabca0fa8e752ac7008fe682b66bc03528ef80cde8e49e9c8ece7536b5cf875fc7dcaa2bd4afff4ece909663adef518e02688c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ccb4b86a32c2391ce08c7bafa23deb50

SHA1
588058255dd3480c7b22995e9e7eeb410f88a12b

SHA256
5712dcebe773f98905acbf3fe32a38c45a52f27dc1dc3e9d46017c277ba0243c

SHA512
ad52ce886fc57647d8cf49ea0fcaa62f70cd27264567d39714c9d4b470aae474f2b2b2385b82d8a8460500bf39eafba3a51a483566a1bd665f4e01063483d78b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e650e00ad967fb10cab84c0b5f93402e

SHA1
f0f82ac538361e7e29ad21ff2351355d3ab8145e

SHA256
60bed6c8ccbb7328e83c3d65c0b3808aecf1a8056fd9538d969f9fb1ee7eba4c

SHA512
59f278bf3cc72f5734fdee8c5cba1827257ef0f6e6ff090dd12e6352dcd46023ef0221aff45b7247f6b832b94af2434530a28cd8376dffd5ea56c0ac52ab58e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4125a068750450d6f0e805ba74ceabf9

SHA1
d6b733cfeeddd3b91af0db6b2ef971cccd7cd6a5

SHA256
50143c330b3af7600cb224dafef158f42403a8b28e8b7108970b494f88c2653d

SHA512
38414087170a735b6f467e0838db1d4c899b9f55f8a446cb0ce152bc067389a5ddb138727bf22eee3520e3ac599035634408ec4692789533dff8fd09f9eb5a9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ff210561d119571e72e71a53d898f7d

SHA1
a4b9c4ca0cad06c0132fad846287aac48e8eb635

SHA256
f42d742ac4817534b42facd36b5ebf02f057f19ed4985da68417736fc1b4fb83

SHA512
46182a66bcb4a2db17bdba16ff3be7a53b791e4efe5dfca5905ed4a3ce380cbcb26b3ed32c2d25b28520d2c64324e364edead5faff077e287c318831b733ab80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d711f9bce7ea3c96157af80080a31ba

SHA1
60350680c0da9c37ada2dc8e7a78c08bb406bdeb

SHA256
16e3c1da1538f1d43f7c83e3bbc596ba350360ec8fb7d7a07427dca11f4368a4

SHA512
01b10f7556bcfdd8f49915c340cb09157850577f19bf98ceff2d5dd6b54b6e7964c2800caf9ea5d3eb7735b512ff594437ee1ce70ed9088f0aa54b8ac608459b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
986c9b4d74cd538c8889d5bdbf3a6a3b

SHA1
f910562e906511ce267c77c7b8de80081a10f13d

SHA256
9cb107a1b641fc25a9d47e1ed64522e225ae9fe00c644ba9ff760b37126db328

SHA512
f2995ea89e0242f8b811623a798e5b96fcc4df33348635ae5a503d7e5911ff6af84dff168f08b7778d7eb4d41bec1696055c5e0437ecc39ce520f0694a44c6ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f43444725120df723a6473abf6aec626

SHA1
27c2aded8791c616944ed0090b882d8b7a4b28cd

SHA256
80181767ce2e4701298fa62c0ea63865110925658189d60375ff88bf2affb49b

SHA512
6af7e4ab0da64d278ef85691abd666317ffc9d943f2e7a9e69ea47da7dd24aed782a0136505f2ce8b55497219db86064638344c63fc365467e0458eb2d8b0024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UYVU6FI\GQ7E5JW4.htm

Filesize
141KB

MD5
611bafe3d46a7221e96c1486cb222cc5

SHA1
7bbcae34bf31c2c68af526c5d86fb43c7b4ca9ef

SHA256
0e36a948fe7e0bbcfc2f860fe6f2b2568068b7c738256d57518719d4431f4429

SHA512
cf8a9c72a84e31433ab131a383528ad5e3d6835609f930fa3f314f704afd4f2ed6e5269685e78638ca4c393a2af12cf109ffd3905ac00fdf01665ab56d1f4fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UYVU6FI\results[2].htm

Filesize
1KB

MD5
d66c7f6fd195ebb66412c8db429ecfe0

SHA1
d001516d3d392bceaeb92dcab62212e92b17f5ea

SHA256
990f7d2a1c1c1d44a3cbb87b46d995dbc1fa2ac3e62dc278e09364b3236f4f98

SHA512
ba86e1ae44ae59a374c590922522d09ec6826f3dc7be74c9b21fb9a8ea066950e3a6757f6402fb7618b43916133c86244d35c7bcd13d21dedd549d77b41830bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3UYVU6FI\search2U8KX0GQ.htm

Filesize
164KB

MD5
b624a8d13ed7ba9c250099503e11fb1a

SHA1
cd136590582d4d44098c6a93de05673453ceef9a

SHA256
1f28ad73cc31e06431f5c639de5283cdf90709f2e7473e31fca5c347448b74c7

SHA512
04b80744a0dd382b45f8069b09a9992eba6aa894ad63d2f47d183bead4817015593dc8cd74bff17b58f98c6520ddad49937dbfb1c00729086c181b9a02b90c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E5GBW0V4\M423PUDO.htm

Filesize
141KB

MD5
0b83da8d33a63321d9d99b45da66f8b5

SHA1
e1ef53daef66ad71b420e0bda960afe861d5b185

SHA256
c9c45fa4da5593eb7043c6308793489f6a592460742968c6bdb75a8647a25998

SHA512
53157dfd7360ed0c00c998af1a66e07ed9dd461db7b6cd4ac8aa0019445878e0efde45f63c136a86730559d278adb021d0c6e8070727747c80966e68e544c861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E5GBW0V4\default[1].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E5GBW0V4\default[2].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E5GBW0V4\results[1].htm

Filesize
1KB

MD5
1f54bb772898601864114ea6f0b12b25

SHA1
6e7988e843cc302509d64e192d18c83b2c7dec3a

SHA256
31c4da7079c2bd7ca47ff1c5088456fefa48f6ab5a5836950d4b255b4b5e0d0b

SHA512
f05085ba7521d70f35eda262962a3b11ed0d76edec90d3c8eeda27f99a947ef519df5191d964c2e1b9fee1db606ae0dd9d7cbbf924aa50d2e872556127479b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JXO65VIN\default[2].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JXO65VIN\searchV2W1I1Z5.htm

Filesize
152KB

MD5
300fb3239469e22f13f4c5b1a2673f6e

SHA1
c559a3fe9801b19f5876e1bd4478b3bdebb95f66

SHA256
2a9cf2b999ce89e41dcfabc97d65fe1d4d4c131d4fcabbf0d7c2164058555f4f

SHA512
55e7916e9cb43d0a9fa917f9973eab9d9a6f79ee08104698694b0d5065db2eaf9c8d04486dac3f81e1cd251c2e9eb361dda7550b6d9f205cf6090266135c1cb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JXO65VIN\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O3E62B0W\AW210XJ2.htm

Filesize
141KB

MD5
ab2a4bce85f841052ac1c849be552dd9

SHA1
6b3fd2190b985c613873045656a70f38d8ad7daf

SHA256
b8b9bbb9e2e3113f63ae6aa869358df07927ceb00388e23d51fb92258ec13d0e

SHA512
95c4c02b6ddd29a257dc0749545710441e1441644850932410b79c92d745ebf574a9e9221b11483366c8177aecc20111e10c19d5aab0b939127401a2aa4942c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O3E62B0W\default[3].htm

Filesize
302B

MD5
51b86971925c7d24d895ff89fdebc8f5

SHA1
d037148e50a77f0de8421e0ef81f87f9f73570da

SHA256
3b50a39db6499f5cb2d3b6cec01daa5c33fcf80c0722707c6014e23ed1577280

SHA512
1bc88174ee963971ca43e106828d9e74473cf1aa664f6d4fa43ec9631610ab4c1dc9a0c84f5c89dd2b627eaf64f57dee99eca84b88eb14c36bf7285cb9d7f0c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O3E62B0W\search[3].htm

Filesize
210KB

MD5
de06874573ea8f4bbaf2ed532eb2bc77

SHA1
6d28e4d7d0f76a088a3c103a2a20c3d09d132994

SHA256
32f0f06cde3c3422f692a1fb8ac02f9a1208c2e32919d46561936515a33c6106

SHA512
9c0e0a7c66e45e8f49be57d4eb86bddd595282b2f09ff336c3f220305ca813c97e2f926bdddd9448e8a6e712476facaa1a0581963166a474c526b0688809e095

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab793C.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar795F.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE273.tmp

Filesize
28KB

MD5
fe602fffe0e400fa3e9935f91acbf4e2

SHA1
ebd7f14bcb6ec4f3ac9f95de08a0f64c858122fa

SHA256
7b57f6d16f798fe64dffc1757ecf5c404bd5757c63ec52d47401a698e752b56a

SHA512
9893228b4de61f75be2a11de6b9dbbcf189235ec9c2db166247bcd94881ecfd1362f830c2ccd852ccf8095ba16472e4fee001581b3de0d14e52fd7b73a11780a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
1b6b065a41e8f01d637c635686796113

SHA1
f762a4895e5e12df19d7115e43accebb80208f75

SHA256
0042ecb70900135db12bbffb83409acc0afa3d7584ba1fd416150f5640caf033

SHA512
dfe6d8c60d0852d060c94c9a9b7d5d97c7c961b70ee7543d5a94f694a7af4cb98787a1b62001c0da076b169ee9648812d1b011e95d48286965e49e03de4034ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
a9c11138fa6ce595ec8e5077b1911fcf

SHA1
dee4786bd2db4d11df61d014944c9eb355924b83

SHA256
437125b2351fc2a4f596a447a1cecf0c615b4bd9e9163f1c61c87d7b8f089429

SHA512
4a5c110fa861e4854c984e4db80823194e5dc79275c751aa56a45c0d8f7e192416b64122ac7b8f239e02c1f18673d8e345656ce356985547a13fc18201ffdccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
273ec665e681f33bb4d906ffbb50f73c

SHA1
fa124522251b0d2bd34aa04c465a45bc8dfa2b3c

SHA256
1f8f378a9d4c5dda968bc812d4ac69b3987be41aaf3bb78b5f602d9fea57380a

SHA512
404240a109997155bc5c91c75c867485160326e868e90be2ac26a0d2017906a1de470034c7f998e171fa687ad9135babf5719c7a340188a73375e3604dcaeba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f55bca3e0acfaf19dfd17785b977ec51

SHA1
eb538455e0a834532207f769e8e1908592840b8e

SHA256
42caf6e1bb09def04668bf634077eae77d49204903f925af480bd7e7ed518d1a

SHA512
d06731c296388184dc9bfac514bf7ac73ff4a605f4a8536908f1c2ae97cb1bc38f1d295038fe008bcec84488f2199bccb43d9a501d62cb58b9c5b8683ad5cdf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
b6f271edb1cd874924e7706104862276

SHA1
6ab8ad94cac27bfea04eca7cccfd4c551a6b2768

SHA256
ec6cef0bcf06916dfd58de424e7a2777f2d167b5608e110e06318972158b84b2

SHA512
38101cd7b5856c4447d8570cc361f8b75e6a97a243cff7d0bf87d0eb42dbc58432ba90064c32151d4a81f4fd51aee23fa245b24054d0330df32c014506266e9e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1824-2710-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1824-607-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1824-42-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1824-10-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1824-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1824-130-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1824-173-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1824-1320-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1824-62-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1824-2023-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1824-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2652-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-2084-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-51-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-1321-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-131-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-608-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-2792-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-3170-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2652-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads