Analysis
-
max time kernel
129s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
14/10/2023, 08:23
General
-
Target
NEAS.f4fc49115ead3aa25e2f9e110abadc70.exe
-
Size
404KB
-
MD5
f4fc49115ead3aa25e2f9e110abadc70
-
SHA1
86c7974565228f0c5e21ab810ad0c798b023b794
-
SHA256
820fa177dd4863b89ebe41154e2e604efd62202cdb22d336944ae01167555a35
-
SHA512
9a80849b953da895665a311d0cb6f9783005d6fa5ab43d828704e9446b70d0188a2f6e108e9dc88edd263a0ed99d16f3faf25168f38adfd520952eaa82da40aa
-
SSDEEP
12288:2FlMWWKewcMpV6yYP4rbpV6yYPg058KS:ymWXewcMW4XWleKS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 1 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f4fc49115ead3aa25e2f9e110abadc70.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f4fc49115ead3aa25e2f9e110abadc70.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Kiajck32.exeC:\Windows\system32\Kiajck32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mmfaafej.exeC:\Windows\system32\Mmfaafej.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ncbfcp32.exeC:\Windows\system32\Ncbfcp32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Npnqcpmc.exeC:\Windows\system32\Npnqcpmc.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Olgnnqpe.exeC:\Windows\system32\Olgnnqpe.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Oiphbd32.exeC:\Windows\system32\Oiphbd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Pidamcgd.exeC:\Windows\system32\Pidamcgd.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ppafpm32.exeC:\Windows\system32\Ppafpm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Pkigbfja.exeC:\Windows\system32\Pkigbfja.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Pgbdmfnc.exeC:\Windows\system32\Pgbdmfnc.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Aiejda32.exeC:\Windows\system32\Aiejda32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Agikne32.exeC:\Windows\system32\Agikne32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Adadbi32.exeC:\Windows\system32\Adadbi32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Bjcfeola.exeC:\Windows\system32\Bjcfeola.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cgpjebcp.exeC:\Windows\system32\Cgpjebcp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ckqoapgd.exeC:\Windows\system32\Ckqoapgd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Djhiglji.exeC:\Windows\system32\Djhiglji.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ddpjjd32.exeC:\Windows\system32\Ddpjjd32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dcegkamd.exeC:\Windows\system32\Dcegkamd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Egjebn32.exeC:\Windows\system32\Egjebn32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eljknl32.exeC:\Windows\system32\Eljknl32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fmndkd32.exeC:\Windows\system32\Fmndkd32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Fjdajhbi.exeC:\Windows\system32\Fjdajhbi.exe24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fnbjpf32.exeC:\Windows\system32\Fnbjpf32.exe25⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Gjkgkg32.exeC:\Windows\system32\Gjkgkg32.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gmlplbib.exeC:\Windows\system32\Gmlplbib.exe27⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gmqjga32.exeC:\Windows\system32\Gmqjga32.exe28⤵
-
C:\Windows\SysWOW64\Hmecba32.exeC:\Windows\system32\Hmecba32.exe29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Haclio32.exeC:\Windows\system32\Haclio32.exe30⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Hlkmlhea.exeC:\Windows\system32\Hlkmlhea.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ilbclg32.exeC:\Windows\system32\Ilbclg32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ihicah32.exeC:\Windows\system32\Ihicah32.exe33⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Kloljf32.exeC:\Windows\system32\Kloljf32.exe17⤵
-
C:\Windows\SysWOW64\Kchdfpen.exeC:\Windows\system32\Kchdfpen.exe18⤵
-
C:\Windows\SysWOW64\Knnhdied.exeC:\Windows\system32\Knnhdied.exe19⤵
-
C:\Windows\SysWOW64\Kgflmo32.exeC:\Windows\system32\Kgflmo32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Knpeii32.exeC:\Windows\system32\Knpeii32.exe21⤵
-
C:\Windows\SysWOW64\Kcmmap32.exeC:\Windows\system32\Kcmmap32.exe22⤵
-
C:\Windows\SysWOW64\Knbaoh32.exeC:\Windows\system32\Knbaoh32.exe23⤵
-
C:\Windows\SysWOW64\Kcpjgo32.exeC:\Windows\system32\Kcpjgo32.exe24⤵
-
C:\Windows\SysWOW64\Ljibdifc.exeC:\Windows\system32\Ljibdifc.exe25⤵
-
C:\Windows\SysWOW64\Lofklp32.exeC:\Windows\system32\Lofklp32.exe26⤵
-
C:\Windows\SysWOW64\Ljloii32.exeC:\Windows\system32\Ljloii32.exe27⤵
-
C:\Windows\SysWOW64\Lqfgfclm.exeC:\Windows\system32\Lqfgfclm.exe28⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Lokdgpqe.exeC:\Windows\system32\Lokdgpqe.exe29⤵
-
C:\Windows\SysWOW64\Ljqhdhpk.exeC:\Windows\system32\Ljqhdhpk.exe30⤵
-
C:\Windows\SysWOW64\Lomqmoob.exeC:\Windows\system32\Lomqmoob.exe31⤵
-
C:\Windows\SysWOW64\Lckicnei.exeC:\Windows\system32\Lckicnei.exe32⤵
-
C:\Windows\SysWOW64\Mqojlbcb.exeC:\Windows\system32\Mqojlbcb.exe33⤵
-
C:\Windows\SysWOW64\Mflbdibj.exeC:\Windows\system32\Mflbdibj.exe34⤵
-
C:\Windows\SysWOW64\Modgnn32.exeC:\Windows\system32\Modgnn32.exe35⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Mjjkkghp.exeC:\Windows\system32\Mjjkkghp.exe36⤵
-
C:\Windows\SysWOW64\Mogccnfg.exeC:\Windows\system32\Mogccnfg.exe37⤵
-
C:\Windows\SysWOW64\Mjlhpgfn.exeC:\Windows\system32\Mjlhpgfn.exe38⤵
-
C:\Windows\SysWOW64\Moiphnde.exeC:\Windows\system32\Moiphnde.exe39⤵
-
C:\Windows\SysWOW64\Mfchehla.exeC:\Windows\system32\Mfchehla.exe40⤵
-
C:\Windows\SysWOW64\Mokmnm32.exeC:\Windows\system32\Mokmnm32.exe41⤵
-
C:\Windows\SysWOW64\Nnmmleja.exeC:\Windows\system32\Nnmmleja.exe42⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ngeaej32.exeC:\Windows\system32\Ngeaej32.exe43⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Nmajmaoi.exeC:\Windows\system32\Nmajmaoi.exe44⤵
-
C:\Windows\SysWOW64\Nfjofg32.exeC:\Windows\system32\Nfjofg32.exe45⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ncnook32.exeC:\Windows\system32\Ncnook32.exe46⤵
-
C:\Windows\SysWOW64\Npepdl32.exeC:\Windows\system32\Npepdl32.exe47⤵
-
C:\Windows\SysWOW64\Nfohafad.exeC:\Windows\system32\Nfohafad.exe48⤵
-
C:\Windows\SysWOW64\Nmipnp32.exeC:\Windows\system32\Nmipnp32.exe49⤵
-
C:\Windows\SysWOW64\Ogndki32.exeC:\Windows\system32\Ogndki32.exe50⤵
-
C:\Windows\SysWOW64\Oafido32.exeC:\Windows\system32\Oafido32.exe51⤵
-
C:\Windows\SysWOW64\Oceepj32.exeC:\Windows\system32\Oceepj32.exe52⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Onkimc32.exeC:\Windows\system32\Onkimc32.exe53⤵
-
C:\Windows\SysWOW64\Ocgbej32.exeC:\Windows\system32\Ocgbej32.exe54⤵
-
C:\Windows\SysWOW64\Onmfcb32.exeC:\Windows\system32\Onmfcb32.exe55⤵
-
C:\Windows\SysWOW64\Opnbjk32.exeC:\Windows\system32\Opnbjk32.exe56⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ombcdo32.exeC:\Windows\system32\Ombcdo32.exe57⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ofjgmdgg.exeC:\Windows\system32\Ofjgmdgg.exe58⤵
-
C:\Windows\SysWOW64\Omdpio32.exeC:\Windows\system32\Omdpio32.exe59⤵
-
C:\Windows\SysWOW64\Phjdggoj.exeC:\Windows\system32\Phjdggoj.exe60⤵
-
C:\Windows\SysWOW64\Pndlca32.exeC:\Windows\system32\Pndlca32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Phlqlgmg.exeC:\Windows\system32\Phlqlgmg.exe62⤵
-
C:\Windows\SysWOW64\Padeem32.exeC:\Windows\system32\Padeem32.exe63⤵
-
C:\Windows\SysWOW64\Pmkfjn32.exeC:\Windows\system32\Pmkfjn32.exe64⤵
-
C:\Windows\SysWOW64\Phajgf32.exeC:\Windows\system32\Phajgf32.exe65⤵
-
C:\Windows\SysWOW64\Pmnbpm32.exeC:\Windows\system32\Pmnbpm32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Phcgmffo.exeC:\Windows\system32\Phcgmffo.exe67⤵
-
C:\Windows\SysWOW64\Qdjgbg32.exeC:\Windows\system32\Qdjgbg32.exe68⤵
-
C:\Windows\SysWOW64\Qanhkk32.exeC:\Windows\system32\Qanhkk32.exe69⤵
-
C:\Windows\SysWOW64\Qfkqcb32.exeC:\Windows\system32\Qfkqcb32.exe70⤵
-
C:\Windows\SysWOW64\Apcemh32.exeC:\Windows\system32\Apcemh32.exe71⤵
-
C:\Windows\SysWOW64\Aodejohd.exeC:\Windows\system32\Aodejohd.exe72⤵
-
C:\Windows\SysWOW64\Apeabg32.exeC:\Windows\system32\Apeabg32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Aogbpo32.exeC:\Windows\system32\Aogbpo32.exe74⤵
-
C:\Windows\SysWOW64\Agbgda32.exeC:\Windows\system32\Agbgda32.exe75⤵
-
C:\Windows\SysWOW64\Apjkmgjm.exeC:\Windows\system32\Apjkmgjm.exe76⤵
-
C:\Windows\SysWOW64\Adhdcepc.exeC:\Windows\system32\Adhdcepc.exe77⤵
-
C:\Windows\SysWOW64\Bonhqnpi.exeC:\Windows\system32\Bonhqnpi.exe78⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Bpodhf32.exeC:\Windows\system32\Bpodhf32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Bopefnnf.exeC:\Windows\system32\Bopefnnf.exe80⤵
-
C:\Windows\SysWOW64\Bdmmnd32.exeC:\Windows\system32\Bdmmnd32.exe81⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Baanhi32.exeC:\Windows\system32\Baanhi32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Bgnfpp32.exeC:\Windows\system32\Bgnfpp32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Bacjmh32.exeC:\Windows\system32\Bacjmh32.exe84⤵
-
C:\Windows\SysWOW64\Bogkgmho.exeC:\Windows\system32\Bogkgmho.exe85⤵
-
C:\Windows\SysWOW64\Bddcocff.exeC:\Windows\system32\Bddcocff.exe86⤵
-
C:\Windows\SysWOW64\Cknlln32.exeC:\Windows\system32\Cknlln32.exe87⤵
-
C:\Windows\SysWOW64\Cahdhhep.exeC:\Windows\system32\Cahdhhep.exe88⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Cgdlqo32.exeC:\Windows\system32\Cgdlqo32.exe89⤵
-
C:\Windows\SysWOW64\Cponodge.exeC:\Windows\system32\Cponodge.exe90⤵
-
C:\Windows\SysWOW64\Ckealm32.exeC:\Windows\system32\Ckealm32.exe91⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cpajdc32.exeC:\Windows\system32\Cpajdc32.exe92⤵
-
C:\Windows\SysWOW64\Ckgnbl32.exeC:\Windows\system32\Ckgnbl32.exe93⤵
-
C:\Windows\SysWOW64\Cpdgjc32.exeC:\Windows\system32\Cpdgjc32.exe94⤵
-
C:\Windows\SysWOW64\Cgnogmkl.exeC:\Windows\system32\Cgnogmkl.exe95⤵
-
C:\Windows\SysWOW64\Dpfcpcam.exeC:\Windows\system32\Dpfcpcam.exe96⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Dgpllm32.exeC:\Windows\system32\Dgpllm32.exe97⤵
-
C:\Windows\SysWOW64\Dafpjf32.exeC:\Windows\system32\Dafpjf32.exe98⤵
-
C:\Windows\SysWOW64\Dgbhbm32.exeC:\Windows\system32\Dgbhbm32.exe99⤵
-
C:\Windows\SysWOW64\Dahmoefm.exeC:\Windows\system32\Dahmoefm.exe100⤵
-
C:\Windows\SysWOW64\Dkqahk32.exeC:\Windows\system32\Dkqahk32.exe101⤵
-
C:\Windows\SysWOW64\Dqmjqb32.exeC:\Windows\system32\Dqmjqb32.exe102⤵
-
C:\Windows\SysWOW64\Doojni32.exeC:\Windows\system32\Doojni32.exe103⤵
-
C:\Windows\SysWOW64\Ddkbfp32.exeC:\Windows\system32\Ddkbfp32.exe104⤵
-
C:\Windows\SysWOW64\Eoagdi32.exeC:\Windows\system32\Eoagdi32.exe105⤵
-
C:\Windows\SysWOW64\Ehikmohb.exeC:\Windows\system32\Ehikmohb.exe106⤵
-
C:\Windows\SysWOW64\Enfceefi.exeC:\Windows\system32\Enfceefi.exe107⤵
-
C:\Windows\SysWOW64\Ehlhbn32.exeC:\Windows\system32\Ehlhbn32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Eqgmgq32.exeC:\Windows\system32\Eqgmgq32.exe109⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Enkmpe32.exeC:\Windows\system32\Enkmpe32.exe110⤵
-
C:\Windows\SysWOW64\Ekoniian.exeC:\Windows\system32\Ekoniian.exe111⤵
-
C:\Windows\SysWOW64\Eqkfapoe.exeC:\Windows\system32\Eqkfapoe.exe112⤵
-
C:\Windows\SysWOW64\Fgenoj32.exeC:\Windows\system32\Fgenoj32.exe113⤵
-
C:\Windows\SysWOW64\Fdiohnek.exeC:\Windows\system32\Fdiohnek.exe114⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Foocegea.exeC:\Windows\system32\Foocegea.exe115⤵
-
C:\Windows\SysWOW64\Fqpomo32.exeC:\Windows\system32\Fqpomo32.exe116⤵
-
C:\Windows\SysWOW64\Fkfcjh32.exeC:\Windows\system32\Fkfcjh32.exe117⤵
-
C:\Windows\SysWOW64\Fbplgbbb.exeC:\Windows\system32\Fbplgbbb.exe118⤵
-
C:\Windows\SysWOW64\Fgldoi32.exeC:\Windows\system32\Fgldoi32.exe119⤵
-
C:\Windows\SysWOW64\Fbbhla32.exeC:\Windows\system32\Fbbhla32.exe120⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Filailgl.exeC:\Windows\system32\Filailgl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-