250246426684d8500d7d2bbeda0f8d67f1f0c744297ee9f1bcac953de3a8fba8

Analysis

max time kernel
203s
max time network
248s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a847aba0fce698d7388e7a4c92028540.exe
Size

184KB
MD5

a847aba0fce698d7388e7a4c92028540
SHA1

53748a0c0e67c836c767b6bba4052241c70242dc
SHA256

250246426684d8500d7d2bbeda0f8d67f1f0c744297ee9f1bcac953de3a8fba8
SHA512

9cc7f5273b4f2df8d99ed4e8a50acdc088918161f62e2c3a2f928227e854e5cc5eb5b9d922c4cbb995f505ba8b132094dcc882c8329c96cd5cc884d766ed3588
SSDEEP

3072:gF3A5SxEziOcQf2LCWeceiF/JyJde0N6j7FJbaDuduGu0XEvqhwyE9669tCfE635:gYSMNWetQ8i7uqdw0UU9Ez

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2656	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
336	csrss.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2744-0-0x0000000000400000-0x0000000000440000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 2656	2744	NEAS.a847aba0fce698d7388e7a4c92028540.exe	29

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{fd1db791-99e4-fbee-724d-e33b19f23572}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{fd1db791-99e4-fbee-724d-e33b19f23572}\u = "62"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{fd1db791-99e4-fbee-724d-e33b19f23572}\cid = "6908697210571899450"	explorer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2656	2744	NEAS.a847aba0fce698d7388e7a4c92028540.exe	29
PID 2744 wrote to memory of 2656	2744	NEAS.a847aba0fce698d7388e7a4c92028540.exe	29
PID 2744 wrote to memory of 2656	2744	NEAS.a847aba0fce698d7388e7a4c92028540.exe	29
PID 2744 wrote to memory of 2656	2744	NEAS.a847aba0fce698d7388e7a4c92028540.exe	29
PID 2744 wrote to memory of 2656	2744	NEAS.a847aba0fce698d7388e7a4c92028540.exe	29
PID 2656 wrote to memory of 336	2656	explorer.exe	27

C:\Users\Admin\AppData\Local\Temp\NEAS.a847aba0fce698d7388e7a4c92028540.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a847aba0fce698d7388e7a4c92028540.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\explorer.exe
  00000058*
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.DLL

Filesize
31KB

MD5
adf1ddd89d424e8d0e275cc42747ec81

SHA1
321105503846b4a5f8fd3ccd6d92253c39b3e1ce

SHA256
5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f

SHA512
3afb78bc1e49c224726ae824a4d36923bc9fedbdbc027576427932d900bbb17a3b536f1b384bc52bd1a1892ff23c5a2453065530fbdc0023392a0d17e7cbc184

Download Submit
\Windows\System32\consrv.dll

Filesize
31KB

MD5
adf1ddd89d424e8d0e275cc42747ec81

SHA1
321105503846b4a5f8fd3ccd6d92253c39b3e1ce

SHA256
5611fddc5046fce5bbd4d1c1779df429a217b1f952ec973059f7c67e4dfdd46f

SHA512
3afb78bc1e49c224726ae824a4d36923bc9fedbdbc027576427932d900bbb17a3b536f1b384bc52bd1a1892ff23c5a2453065530fbdc0023392a0d17e7cbc184

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
e55695534cfd4970e0783ea3825572d5

SHA1
c6dc6ad11ba04f1654652f6d6b0d7bddc1129c13

SHA256
a1434ede069e5ff28593262c2b15e6c597cdf7e8027bee8df1102780d65b5c57

SHA512
5c22505b6852caeeae912483427e2784458052331f0b0fc596a0af4beeeff56a8478a36102af840390daec8e4b5f11ca5802d738c0ab3cbf74f3eb841c3f504d

Download Submit
memory/336-21-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/336-20-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/2656-10-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/2656-15-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/2656-5-0x0000000000060000-0x0000000000072000-memory.dmp

Filesize
72KB

Download
memory/2656-4-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/2744-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-2-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-1-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download