fb39b00a8b477a179f61f3f01de68d3805b45fbf3d83f7d8493812101075231a

Analysis

max time kernel
171s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.35fc16fef268be86459d4be0aef1a340.exe
Size

28KB
MD5

35fc16fef268be86459d4be0aef1a340
SHA1

2286c2d02f5b004c8331aaf6282da276086fce3f
SHA256

fb39b00a8b477a179f61f3f01de68d3805b45fbf3d83f7d8493812101075231a
SHA512

527e24fab6626f36fc712d71b3195273fb1fdb0fd156cd56195cffd353540733d78e75c015035d2d2d2b02f04a2032d2314ff562562bc8a5217b9a8227896d56
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNbHV:Dv8IRRdsxq1DjJcqfW1

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2296	services.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4668-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00080000000230a7-4.dat	upx
behavioral2/memory/2296-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4668-5-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00080000000230a7-8.dat	upx
behavioral2/memory/4668-14-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2296-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2296-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2296-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2296-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2296-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2296-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2296-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4668-48-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000b0000000230b3-49.dat	upx
behavioral2/memory/2296-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4668-66-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2296-69-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4668-70-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2296-71-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4668-194-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2296-223-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4668-388-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2296-496-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4668-729-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2296-795-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4668-931-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2296-974-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4668-975-0x0000000000500000-0x0000000000510000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.35fc16fef268be86459d4be0aef1a340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.35fc16fef268be86459d4be0aef1a340.exe
File opened for modification	C:\Windows\java.exe	NEAS.35fc16fef268be86459d4be0aef1a340.exe
File created	C:\Windows\java.exe	NEAS.35fc16fef268be86459d4be0aef1a340.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 2296	4668	NEAS.35fc16fef268be86459d4be0aef1a340.exe	88
PID 4668 wrote to memory of 2296	4668	NEAS.35fc16fef268be86459d4be0aef1a340.exe	88
PID 4668 wrote to memory of 2296	4668	NEAS.35fc16fef268be86459d4be0aef1a340.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.35fc16fef268be86459d4be0aef1a340.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.35fc16fef268be86459d4be0aef1a340.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7A5L91DP\OVWK8262.htm

Filesize
141KB

MD5
5a16cf2ab2f6406b6a25513ff57691d4

SHA1
43f5886646d66d224e37b6400e3f200d3e67975d

SHA256
27486723234b1a623bc3e73661cb17dacb1574c1d5534e994d9647b4934bed58

SHA512
185d11b4934d3e749de5ac9f5b6e2d75762d836c93dbc2c51013d3381b64bcf4359d7d7d00aa7ef69e5720591d6c1ef198be6c0e5e87706c3c9910cd455a5f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7A5L91DP\UUGFJLND.htm

Filesize
141KB

MD5
77bbfaf9b53597241d69925ef3e0691c

SHA1
1b1d888b982ef14c4edc658dad930f93353d4664

SHA256
b374ec60a6ad8dff235357ac2d64735eb5c9c5fac4322582564c53d6953e41bd

SHA512
852444f8c56723deb44dda2e0debeac5986ea1b471304aadb65415024320f5445ffb90695d8f9f1d104d17e2c554af6f9b3dcd992529d59b7b5d3b6bb24ad4fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7A5L91DP\searchQ6V8NWUJ.htm

Filesize
210KB

MD5
94f40abf74651b98ead6408987bdfcaa

SHA1
c6fb3a43254d0e42e303169b3a48a1d18ac187d5

SHA256
a00d9254eaefd2add3b96fb7e76af67cc8ca7368687a956b25fd8af94ead3108

SHA512
5fb39f43424e69546e3faea7a68d1498e568f8aa54c841c365e25f6743e0bcc43ad05da0c885be81efe6274a73e1746432c37d64ca02d447fb9776f3a7ef2826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7A5L91DP\search[7].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EJBSOO5R\IAWZD882.htm

Filesize
141KB

MD5
bb74de84fe58dc491cd6697f6c67cd31

SHA1
5c6c946ab442e5ed52cd24afbd9010ddb935c8f0

SHA256
fa30075479c34a4f887f3a61c8ee99f0e61cee0231489a342d4262b30176fcbc

SHA512
d4e8c6c3b215b022752c336bb67d3d9a2afb0aba6c16af7c7d33f223ab414cf18d14b1286b55ac29f5dc02fa80f09d172e1a0480a4e81b3394c4a02c38cd2650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EJBSOO5R\results[1].htm

Filesize
1KB

MD5
3587117c1296d5f2f1d4f74e516b147b

SHA1
9e5f07bd6916ae9087a44f6ccecbf3698197371b

SHA256
ceb2c4df8e4667372b4079498d71c68b916fe1f1f2bd8953719fc6575912559d

SHA512
e9e74be9242daccce7cd4e83a53a9621a1aaea55a6d1d5b95e9a44731c815c206a925528d71e193254700051825611252061f07dcea912bc42dfbc296938ddcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EJBSOO5R\searchM4MBJR3L.htm

Filesize
178KB

MD5
edacda69add415afe1d20e153483f076

SHA1
1b61636f5a21d94ce88504440093c57ae969ea51

SHA256
6f637ba1b6803b7e7eb6c4fd7fd0e79bc8d00f681d3dfe79a8a59ade46d2222b

SHA512
dfc0cf9cc66f61f10d3810a2d016cde01b6b2536afaf03552693b8d39a3a05012a5bdc46b1b4f5b1d103116355028045778f4dad7da78de1f204cb6767bde51c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OSZCC7QI\1SCW4NEC.htm

Filesize
141KB

MD5
5a6e5da8767830abeb32bcdc691eb4eb

SHA1
442b7c9ac868383ef0f6bf2fe630ab506460c4fa

SHA256
81e48f82115bbfcd7366df2d98aeaf423367396eab5ee6bfebb761f68607ec7c

SHA512
d42375564294ed24511c920700fc9e38a4f1d960e93926932ee7783e2c84d72b0e007166c4d711d23e23a3fdaddd807ef5f559425c353c0ae93798dfdeb1cf4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OSZCC7QI\OVUHZB4I.htm

Filesize
141KB

MD5
1e19827077b8541b7c569c263c18b44c

SHA1
b8b431b4ccd0796f7b2aa623b58e512bb266cc7d

SHA256
29c15bb519531aa689b1293498fe098359a17b752aa9f498b61baa8f2bc8f3d6

SHA512
e57f61603695b4556a3ec9a4743b48595aa9eb3b8e4c4a0b5755cfc4eb7403c8ca3132c7eee5ac31107c45682cb4474696f68a60b3eeac0e800ef1328538d7b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OSZCC7QI\QXNSUUCN.htm

Filesize
141KB

MD5
013f4b8a96037d39c755123c95070c6c

SHA1
330a7b61ff87e9c6893a5663d6728d5de5c5d057

SHA256
2f98d16cbf69a621a901bf04a7ae0d011e7dd453030bbb133562c20e308ff361

SHA512
0a9a592728f24c04982296e6fb91ea439c801ebafa472b442fe9709f61a4d93ff9c6040d30fbd234d4108d422947313df90de37f2779de04bd00423754f164c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OSZCC7QI\defaultU2ABC6BI.htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OSZCC7QI\results[2].htm

Filesize
1KB

MD5
d66c7f6fd195ebb66412c8db429ecfe0

SHA1
d001516d3d392bceaeb92dcab62212e92b17f5ea

SHA256
990f7d2a1c1c1d44a3cbb87b46d995dbc1fa2ac3e62dc278e09364b3236f4f98

SHA512
ba86e1ae44ae59a374c590922522d09ec6826f3dc7be74c9b21fb9a8ea066950e3a6757f6402fb7618b43916133c86244d35c7bcd13d21dedd549d77b41830bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OSZCC7QI\search[1].htm

Filesize
152KB

MD5
4ad82e5e347a0982cedef880f4adb894

SHA1
cd8d131dbe531bbd96b878127d3241898fb8e18d

SHA256
b42354cc6601ec88eec58bd3d70cd06f4b30f720ad22ba0a87e6528a7f423c58

SHA512
4dec7189f859cf825cf5c71861ea0873f1291e5cfac82edd2b62bf677eb8843c293e3fdd4b142a5c563044a4aeb0270c3c601d97146b7adbe69f2763484134d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YVRU9O6W\CYQVWH2T.htm

Filesize
141KB

MD5
923f1cde739a46022fbf0338be283294

SHA1
831339dda74a96f1f0f5d141000d4f0dcbb816a1

SHA256
dd0e5bcb4eb9789486ae83b768c238f7280c102e8e44d029142f4a5e1602043f

SHA512
c7cc685e8c41c595193c8137ecb2710edd7e26db73454a01201ea9df35a81243685e620a75a7beba57556481bc0ffe3676add114eb82604f5c5f636c805e0035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YVRU9O6W\default[7].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YVRU9O6W\results[10].htm

Filesize
1KB

MD5
1f54bb772898601864114ea6f0b12b25

SHA1
6e7988e843cc302509d64e192d18c83b2c7dec3a

SHA256
31c4da7079c2bd7ca47ff1c5088456fefa48f6ab5a5836950d4b255b4b5e0d0b

SHA512
f05085ba7521d70f35eda262962a3b11ed0d76edec90d3c8eeda27f99a947ef519df5191d964c2e1b9fee1db606ae0dd9d7cbbf924aa50d2e872556127479b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YVRU9O6W\search[2].htm

Filesize
164KB

MD5
ab15dd5e20e0334de5f984bbed52e30c

SHA1
8aeb0ea2ce97af21a8adefd8ed47e27cd5f5257d

SHA256
37973c9a6f313f282af42003af00642b74806450d3d05ab0648b4b0441961975

SHA512
094176949358d16221e30b46319392f4362e753fb0a3cc140529d7934c5942a5e9654212b8ecbb10253da73440c7f9204797d8da99a163994a38d2b7a606892f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YVRU9O6W\search[3].htm

Filesize
210KB

MD5
f7609d9329640cd8cf16b36293cefcc7

SHA1
17f61f61e8070527bed0a05f9cc0394e030aaf8c

SHA256
642505cebf777b44aa7f673360ba1da51536eaba9beef205c3c0770215d35432

SHA512
ea634ee0046bd5acefd24d1f1c2ffaa62c4fc47ee5f4010fadc120372dbb70b9c55178f68c5f206558451f4bb9b4122c4c28e81338b3f246c62ad6e0216cf59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB87B.tmp

Filesize
28KB

MD5
3787280af4ebbb8bf0fd36a6266b3a56

SHA1
d194cd1bab576ee1df0204973dbe8645bb42dc83

SHA256
16f35b06a56e56f798adbc3f8f658a2c83d8be60a4f97b351dd7150369c6a76c

SHA512
ad8ff1f80eda8726ecb5b72b6d562652dda8f62d74d5228e6079413ac907aab88bce4b2c27ce0f9841bb39c979be1a0a3c2725e8fefbc61daf9f7eb06ddbff82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
a6b3ee73e4a325eb6d2488dd337be1bf

SHA1
6d88ddb9b42406b46f251377e19dde0ec550e370

SHA256
2c977ce6404be7832f238905df8be2ed48cc32646c5b01acfe87993d03751ae6

SHA512
d4c84fabad84b4d110bf28c2a6368f47d2019e04695b28738e99eb5070c614d5b6f737d5365de5d07208cedc75c5ff96ed9471cef286b8b369a4508413eeb233

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
70535c9585d768407d5902bba41b134f

SHA1
72cc92c6b0c3ffd6ebb69edbe1072147348d292f

SHA256
aa766fcaf6a9a14307137a24aa53c20d56177217884c89c0d74589414a11c568

SHA512
f22cca88c8c6c7167534d67a17b013ad200088272e7ee219ee379c14e2072e76c9b457cea4b457f455df70b8128c1e33be94856cc6c15bdcabe0ce0f5bae50c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
5b6bec3892885305eb301d641418cfc1

SHA1
b5b569579da373e1535fc61b5fc69872b8256860

SHA256
f6d953ee82798999fb1fbbb99f8348ceec8ae0398145b418b16a73285f756f2d

SHA512
4e5838397a468923b73eb1e3e2643fb2853c0aa9f8eb7a2f568bc935802423b8c69cb1032132f9f4751f34c8854bf0d115684219e6e35427982480d26c7dcefe

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2296-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-795-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-974-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-223-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-496-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2296-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4668-5-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4668-66-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4668-729-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4668-70-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4668-14-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4668-388-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4668-48-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4668-931-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4668-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4668-194-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4668-975-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads