Overview

overview

10

Static

static

7

NEAS.NEAS6...JC.exe

windows7-x64

10

NEAS.NEAS6...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/10/2023, 12:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.NEAS681981b9430d432335c42c668f1fbe0fexe_JC.exe

  • Size

    19KB

  • MD5

    681981b9430d432335c42c668f1fbe0f

  • SHA1

    13c8aa181730bdd5575b187177e96d81fe6bd338

  • SHA256

    72d3c458fadf30e91a33910332d67af987a22dd0034e3c589ca1bc5b27538dbf

  • SHA512

    b261c7256367a9255829d4869d79f446743e743220c91d3634cb03dce381ebbc99a03bf5a7a45ad8747d02940a4a8c62de3d00a3de70d692e593ad0a32671dc8

  • SSDEEP

    384:UBWoC5GDr6wc/w3HgM6vDUTAXBGCVf4WVlFvXfILG:rRkiLw3HsDSARGG/gi

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:608
    • C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS681981b9430d432335c42c668f1fbe0fexe_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS681981b9430d432335c42c668f1fbe0fexe_JC.exe"
      1⤵
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:732
      • C:\Windows\SysWOW64\rmass.exe
        "C:\Windows\system32\rmass.exe"
        2⤵
        • Windows security bypass
        • Drops file in Drivers directory
        • Modifies Installed Components in the registry
        • Sets file execution options in registry
        • Executes dropped EXE
        • Windows security modification
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:860
        • C:\Windows\SysWOW64\rmass.exe
          --k33p
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4744
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3128

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\RECOVER32.DLL
        Filesize

        5KB

        MD5

        2b2c28a7a01f9584fe220ef84003427f

        SHA1

        5fc023df0b5064045eb8de7f2dbe26f07f6fec70

        SHA256

        9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

        SHA512

        39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

        Download Submit

      • C:\Windows\SysWOW64\ahuy.exe
        Filesize

        21KB

        MD5

        26abbaf02afec8d062f0f78bfd006ae1

        SHA1

        d23aabccf0dc933869182657104ec90612accbda

        SHA256

        ab06a5d457ef4a56fe2b4842c42d207e0fbbb495306da99a4ef5c79a4180594f

        SHA512

        53263c14c5638f1d25866a551f04201879d5531b046eb44e4df7cdad09d205417b3acecf103f64759a4823f352fddee332f59889819654c1a722100eca7d6ffb

        Download Submit

      • C:\Windows\SysWOW64\ntdbg.exe
        Filesize

        22KB

        MD5

        bcfddf06953c6e243666318e77a735bc

        SHA1

        9fdb1eb3efb365fde8a5235d0a32c4a0e8643211

        SHA256

        e0c0ad4d0a0b8787b3bd1115fe7d50c47d60222465ecbc7e101e7981c7041b42

        SHA512

        1643cd1765624a82eab13d69b6e8ad914b74b9492c4aaa82e874e666bd6929b04e52911cc1b76a828969883210e95880019c0343befcebdda39fda90172532e8

        Download Submit

      • C:\Windows\SysWOW64\rmass.exe
        Filesize

        19KB

        MD5

        681981b9430d432335c42c668f1fbe0f

        SHA1

        13c8aa181730bdd5575b187177e96d81fe6bd338

        SHA256

        72d3c458fadf30e91a33910332d67af987a22dd0034e3c589ca1bc5b27538dbf

        SHA512

        b261c7256367a9255829d4869d79f446743e743220c91d3634cb03dce381ebbc99a03bf5a7a45ad8747d02940a4a8c62de3d00a3de70d692e593ad0a32671dc8

        Download Submit

      • C:\Windows\SysWOW64\rmass.exe
        Filesize

        19KB

        MD5

        681981b9430d432335c42c668f1fbe0f

        SHA1

        13c8aa181730bdd5575b187177e96d81fe6bd338

        SHA256

        72d3c458fadf30e91a33910332d67af987a22dd0034e3c589ca1bc5b27538dbf

        SHA512

        b261c7256367a9255829d4869d79f446743e743220c91d3634cb03dce381ebbc99a03bf5a7a45ad8747d02940a4a8c62de3d00a3de70d692e593ad0a32671dc8

        Download Submit

      • C:\Windows\SysWOW64\rmass.exe
        Filesize

        19KB

        MD5

        681981b9430d432335c42c668f1fbe0f

        SHA1

        13c8aa181730bdd5575b187177e96d81fe6bd338

        SHA256

        72d3c458fadf30e91a33910332d67af987a22dd0034e3c589ca1bc5b27538dbf

        SHA512

        b261c7256367a9255829d4869d79f446743e743220c91d3634cb03dce381ebbc99a03bf5a7a45ad8747d02940a4a8c62de3d00a3de70d692e593ad0a32671dc8

        Download Submit

      • C:\Windows\System32\drivers\etc\hosts
        Filesize

        1KB

        MD5

        6f47b62de25d1745e296a06b3f98ed19

        SHA1

        a688bb35a4c8a5cc198985d624a1b5a6ac5b9f6f

        SHA256

        15c7218eb9cef5fa0573db657b15ce3a5f0e0609f1166df8098ca7152df505b4

        SHA512

        dea26fff8060f44bf20fe4fff2ecbacf428727f10c0f5886fb4813e28fce9cbc3d088337c84edd9857b18514c83f1bb1cf0f51518aaecef09f30e921f4d758d7

        Download Submit

      • memory/732-0-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/732-7-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/860-41-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4744-45-0x0000000000400000-0x0000000000411000-memory.dmp

        Filesize

        68KB

        Download