7a557df3a39000a06dabdfa4886ca0ec058cd2573ad48430f2d24f46dc0ae1fa

General

Target

NEAS.9682b43f5b92ccdadea15162274742b0.exe
Size

271KB
MD5

9682b43f5b92ccdadea15162274742b0
SHA1

6ebe015bd76e3fdff46d8c546ef8f6f8c5c2228b
SHA256

7a557df3a39000a06dabdfa4886ca0ec058cd2573ad48430f2d24f46dc0ae1fa
SHA512

21267ec361cec5657d62fbca76f029c45187c30cc0d2a58d58d06a22632517561d1e111c80e23a4d5365d055ff14bed8438f55cef8cd98a98131cd3051acc405
SSDEEP

1536:SAqVEcpwlT7hgaZWgWhGv7B1hXW4iLW8fk6M50dGWEUZr97qw90r26A/9nHGjCjj:e8RhgAWIY3Lab00WLZr97TeKgCjjn

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000015612-16.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2704	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	NEAS.9682b43f5b92ccdadea15162274742b0.exe
2320	NEAS.9682b43f5b92ccdadea15162274742b0.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2320-7-0x00000000003A0000-0x00000000003BF000-memory.dmp	upx
behavioral1/files/0x000b000000015612-16.dat	upx
behavioral1/memory/2704-17-0x00000000002A0000-0x00000000002BF000-memory.dmp	upx

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\Q:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\R:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\U:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\O:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\L:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\M:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\N:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\K:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\G:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\H:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\I:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\J:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\S:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\E:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\V:	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened (read-only)	\??\T:	NEAS.9682b43f5b92ccdadea15162274742b0.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\svchost.exe	NEAS.9682b43f5b92ccdadea15162274742b0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PCEMGXJ.dll	NEAS.9682b43f5b92ccdadea15162274742b0.exe
File opened for modification	C:\Windows\PCEMGXJ.dll	NEAS.9682b43f5b92ccdadea15162274742b0.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ProgID\ = "PCEMGXJ.ShellExecuteHook1007"	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ProgID	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCEMGXJ.ShellExecuteHook1007	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCEMGXJ.ShellExecuteHook1007\ = "Maihook1007"	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ = "Maihook1007"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ = "Maihook1007"	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCEMGXJ.ShellExecuteHook1007\Clsid\ = "{78E611A2-E484-4A0D-811E-C40100A3F452}"	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ProgID	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\EFile = "051032066052045075087207048044101114004066043180197202226014179060079076176114100241096090108095230044035051218142030225091196195239027184040"	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32\ = "C:\\Windows\\PCEMGXJ.dll"	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32\ThreadingModel = "Apartment"	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV\DFile = "052045078052044070108181049036108011155066191069171124133183154105031066009093016170092146203147103202009"	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BFWorkFile1007PV	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32\ = "C:\\Windows\\PCEMGXJ.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCEMGXJ.ShellExecuteHook1007\ = "Maihook1007"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\InprocServer32\ThreadingModel = "Apartment"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCEMGXJ.ShellExecuteHook1007\Clsid	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCEMGXJ.ShellExecuteHook1007\Clsid\ = "{78E611A2-E484-4A0D-811E-C40100A3F452}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78E611A2-E484-4A0D-811E-C40100A3F452}\ProgID\ = "PCEMGXJ.ShellExecuteHook1007"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCEMGXJ.ShellExecuteHook1007\Clsid	NEAS.9682b43f5b92ccdadea15162274742b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCEMGXJ.ShellExecuteHook1007	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2320	NEAS.9682b43f5b92ccdadea15162274742b0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2704	2320	NEAS.9682b43f5b92ccdadea15162274742b0.exe	27
PID 2320 wrote to memory of 2704	2320	NEAS.9682b43f5b92ccdadea15162274742b0.exe	27
PID 2320 wrote to memory of 2704	2320	NEAS.9682b43f5b92ccdadea15162274742b0.exe	27
PID 2320 wrote to memory of 2704	2320	NEAS.9682b43f5b92ccdadea15162274742b0.exe	27

C:\Users\Admin\AppData\Local\Temp\NEAS.9682b43f5b92ccdadea15162274742b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9682b43f5b92ccdadea15162274742b0.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Program Files (x86)\svchost.exe
  "C:\Program Files (x86)\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\svchost.exe

Filesize
272KB

MD5
5f7beadac283520daee4129156d2845e

SHA1
abf68ffd2b432c4dcf019b2cd69e145edde423d9

SHA256
da5ee0429de6e0b121dd39be0a671e15f5d98be3133bfd37d93d323cb8c2ee03

SHA512
f97778fac928821a0c0c0d6ef70474cb8a62e893d5c64572d5b9a86097dc2dfed9892c6d46aee22dd52a415a6b55fa8236580ad5a52ce3cdca9e2e7b76e53694

Download Submit
C:\Program Files (x86)\svchost.exe

Filesize
272KB

MD5
5f7beadac283520daee4129156d2845e

SHA1
abf68ffd2b432c4dcf019b2cd69e145edde423d9

SHA256
da5ee0429de6e0b121dd39be0a671e15f5d98be3133bfd37d93d323cb8c2ee03

SHA512
f97778fac928821a0c0c0d6ef70474cb8a62e893d5c64572d5b9a86097dc2dfed9892c6d46aee22dd52a415a6b55fa8236580ad5a52ce3cdca9e2e7b76e53694

Download Submit
C:\Program Files (x86)\svchost.exe

Filesize
272KB

MD5
5f7beadac283520daee4129156d2845e

SHA1
abf68ffd2b432c4dcf019b2cd69e145edde423d9

SHA256
da5ee0429de6e0b121dd39be0a671e15f5d98be3133bfd37d93d323cb8c2ee03

SHA512
f97778fac928821a0c0c0d6ef70474cb8a62e893d5c64572d5b9a86097dc2dfed9892c6d46aee22dd52a415a6b55fa8236580ad5a52ce3cdca9e2e7b76e53694

Download Submit
C:\Windows\PCEMGXJ.dll

Filesize
315KB

MD5
85d2abcd8fad1d771d4493bf14f11381

SHA1
3e55889f6d7172217643ac61ad29ca11a2c71517

SHA256
964b58adfd089d82ea6d64b35274b3bb8b39dcf0b9779acc731bd2502ddf390d

SHA512
ede80c32b40cc7d515096d5864fc31a7477a23f781fb6e1d1f7f770e20ddc66754775619aa20d555f7e27c6a5f2879a9726b595ac9494c19a73cc0aa23dfac41

Download Submit
\Program Files (x86)\svchost.exe

Filesize
272KB

MD5
5f7beadac283520daee4129156d2845e

SHA1
abf68ffd2b432c4dcf019b2cd69e145edde423d9

SHA256
da5ee0429de6e0b121dd39be0a671e15f5d98be3133bfd37d93d323cb8c2ee03

SHA512
f97778fac928821a0c0c0d6ef70474cb8a62e893d5c64572d5b9a86097dc2dfed9892c6d46aee22dd52a415a6b55fa8236580ad5a52ce3cdca9e2e7b76e53694

Download Submit
\Program Files (x86)\svchost.exe

Filesize
272KB

MD5
5f7beadac283520daee4129156d2845e

SHA1
abf68ffd2b432c4dcf019b2cd69e145edde423d9

SHA256
da5ee0429de6e0b121dd39be0a671e15f5d98be3133bfd37d93d323cb8c2ee03

SHA512
f97778fac928821a0c0c0d6ef70474cb8a62e893d5c64572d5b9a86097dc2dfed9892c6d46aee22dd52a415a6b55fa8236580ad5a52ce3cdca9e2e7b76e53694

Download Submit
memory/2320-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2320-7-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/2320-5-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2320-19-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/2320-22-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2704-17-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2704-21-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2704-23-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2704-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing