506747a67f4453ecc36029d70f80724127e90b5cf3aca045ff16825e09928584

Analysis

max time kernel
153s
max time network
166s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe
Size

28KB
MD5

ca31d28804733755d32a94be10e9a2ee
SHA1

3a3aa613123284403fca8d2566ff6d827a82e106
SHA256

506747a67f4453ecc36029d70f80724127e90b5cf3aca045ff16825e09928584
SHA512

187221cfe944acf869d1c7aff70097ae748f6ef1e2ba944d0c4153cc9d725debe79fcaadfc9c81cb2ac2ea95731e7d11cc5a58e7a1717d42eb35700fa00c218d
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN6A1k:Dv8IRRdsxq1DjJcqfyk

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1892	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1508-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1508-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x00040000000130e5-7.dat	upx
behavioral1/files/0x00040000000130e5-9.dat	upx
behavioral1/memory/1892-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1508-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1892-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1892-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1892-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1892-29-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1892-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1892-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1892-41-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1892-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1892-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-58.dat	upx
behavioral1/memory/1508-296-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1892-297-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1508-870-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1892-871-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1508-991-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1892-992-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1508-996-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1892-997-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1508-1007-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1892-1008-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1508-1011-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1892-1012-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe
File opened for modification	C:\Windows\java.exe	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe
File created	C:\Windows\java.exe	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1892	1508	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe	28
PID 1508 wrote to memory of 1892	1508	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe	28
PID 1508 wrote to memory of 1892	1508	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe	28
PID 1508 wrote to memory of 1892	1508	NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASca31d28804733755d32a94be10e9a2eeexe_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8aad3929847a4dd0f47a34fe88cb665e

SHA1
29c91e77e618f89fae2c3eeb7edf181e16d797f7

SHA256
c3700f92929d5a87e56d0ca4e7a6da1185c56cd358410622fae5d5e9ab5bc1b4

SHA512
110f81b759ec7e53aae5e08f890b786c9787ccd3e9c09628da202082619d3bde7aa1f18a567bbd33c75a660423e892d750ebf34ffce31ae6237b41923fae087e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc210d4b7cc26c71bb67d0c0a70d8d78

SHA1
79133e5e7f0202a386865ccd49aa8ec31ab9f938

SHA256
e82e1b26090e7a369969110cc50c22547e7c997ebd500ff818c4dd6858d744fa

SHA512
9a7c5767e2d91fc897ac9d36840048ed03b6e31146493c4d048ee11dd9a434ba4ff6ad2b45cdd2257cd4c136b84b524b39cb0280fb0bb43d9e61beb2cd4e4a5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2cb8594e94e3bc84e8ccd79291b331e7

SHA1
9d5c01550520efd65af6166430778590eb8196db

SHA256
024067a340f6893cff5f43334f84908346a8b8baf6003a5d3b35a8b0549942ea

SHA512
2be752cac42ed3dbbb8ddc8e902ced41fe99a533bbfded526ddae6b49cc22b1b1992d13f549b20c935740d8543443491c7b61db59031240731a5c0be7afdd8b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
372c71f4b1e1a89d61bcae94f0f5bfbf

SHA1
4614e8ee2449d0407738a45b5889db944220d3a4

SHA256
1012ed50992c86051c375abbfc083be643c3296b5bf86bfdd6bf0a9378f02743

SHA512
c71b2c7b9091a97c15d9cf9b79a54c375fb28b29c12da2a669293573e82a7a7c076d84687f90422c604d775922dbdd4e61cbd804156336a5439478c5e5b06282

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ad2a1e0f807c81293d0ff62a4e3f5fe

SHA1
a8811968e355c5423e74538a327d889e0b369d17

SHA256
85f70936154355135df59213bb01bc34ec83150f18404817d4a56dee85c0488b

SHA512
e375546220a277df6838b278294e406d73d75c9160ca641ffccf5acabe2c22f8c4bd0426c81d627d0085877a75f9e4837a886abea4a91843d895c3545f80ffa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
70a1bbd2f059eec09733583364af37e1

SHA1
396bda86dae0c3c765c7ac3991f0c62ac6118c07

SHA256
b1a961e854c958dcf168ea6dfda2be5bdf977a8732f90503c93877ea1dc8fe89

SHA512
aa42e1ff729e71cb87354b0ba4d95f6b03335aff1c31c4cdb23201b654e51ae0fa59544fd3de6d9601f9e3079ee6de08784ba5a9f8411ef46147f4bce4b7fdfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b76ddff84d0fbd6aa6961fd4e8d2659b

SHA1
dfc46d60e9c949fd5a6b9b7fa167e589760b0de3

SHA256
be1b164838e47478c471c41af83a66bb1de63c0de265a7d0c3ace6590e6c1747

SHA512
c4ce25901a46a8ffae5b0c2c8d8da45b07aa7f2f3d1d4fdb456f6076f210c27a82377d3dcd6084f83a90c9611ca672a9685351c1d74b4a1c7b018ea879c3deed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2a4a0474adf0eac3602280f6c4e2d4b

SHA1
965a68aaf9c44dd1142c7f3c9d0b918adfa9c202

SHA256
48bc65a784a3dbe0bc289bf0557d50a96d35f2e0bfb037e2d5cf3d64da7cc3bb

SHA512
ad7a74bb185d99a5efa4b1f9dbbfa3c7c69e75bc58eedce0f11b102d016784803330e824719f82b81358caaf7bff350467d9f3578e02d9132442e286589e138f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b8354121685cedb97e59d92e17ae6cd

SHA1
dd970ef0fb4efd30a35dc815f623a738fba4c011

SHA256
0bc5de00ee4c2c7349ffd36665519a377f30f8018854bed299c47a8ec39cd49b

SHA512
fefaa6d9bc35b478b24e1312fc7f14f649b37ff3c9574453b360706d25e14e23c4ac2b0449fa10d91d96462d0c3a69983a514ac011a2e56dd3465cb2965e88f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e342e0af80668e126e0e5fc224eaf49e

SHA1
fbc7d87a7e643ecd44bdf04677716519cdc88570

SHA256
f0906202f2cf2912a21dd7aebf159ca28bc8e0fe5eb0f2c1ef3a386068279ee9

SHA512
c2ec5c3344376eae64d2b0f8fe93e4d375e571eaa9d5fcbe7f2508a8d00aa8746558c37a27adbded8878bbe1a92ca5f10b34fd995eac638601748652e8de9a6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69d8a496006827500e9062f8e2b607a5

SHA1
b947f1629bd54a7637bc4a3ef040d177f926cbc5

SHA256
5665b22b1129bba950a217be4aef1350926bb26c2b93da3c0acc23abd3a5a8d5

SHA512
b89e0b0f6af1df12b641aa0c8f9497c509bbe0fdb5cc123df6e16119379064261b7563780ed0b8fab7199ba422862b584029e8f16374ca9f3b183b37584dbc8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f151af69506df2cc9210b29315ecf587

SHA1
07fd49b2da9547a70caa21909a7af5419a0ed3ef

SHA256
f28549d95b9dab00e70519eef2f29569a8bcc414e19cd813438b8bd27acb54f1

SHA512
d6063e2c95596bb6728935406200ef0cfb21eba91bc28dff2cde76ee6c0f03c47a07745fef8df5513e3a91cee90de1a349a792ae58583466bd2ae7ce763e994d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6e8ce94fad0d648c420c6193a99c8f4

SHA1
c2937702630e6897ead8c1e86bb41f620c4a974f

SHA256
d19174b40dbd3107f123a5b03a4bf2d37af534c45dfa353066f66e86c6cf18aa

SHA512
08889de27930c2cc476c1a0dfe8ed6d980c247ce8c16d86c31cf17ff39aa679ece14ac2eb0c53550a6856d0587c95c22f64d6ba39292378e27c29ff68ef66c8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1b24655469b1d72e795f278f541db03

SHA1
729cc66adc4b7f039b167d0ad9aa782984f31759

SHA256
e814db703825a73436ce8a7025a355860d215b7b37323e865150c4ce077e6933

SHA512
678c9d7aba19d6bfa6b12a66c80c52d5a4488cceb53f0ce2327274165654a49f3be597fc8677616846c29854456f7b1a3492e8ba61a2fb8e697a763eab6bb948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R1YQ38W2\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBC25.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBC95.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9DD7.tmp

Filesize
28KB

MD5
8738706375e4e824823a33d6b70e9e86

SHA1
28f5594e34716c8e169be4e8823fbb6f34007567

SHA256
c86e59fab3f6347dc6e4045c934419ac6c20bfed844b625f593401a8eb0e965b

SHA512
2359b6d49a48c557a826430fe4bf26b10bc7c65ecf6b5a9fb4bacb8bb7caceb25892a809719bd57e6135ab2ba2f237a74d75a4de656462ae794631fe5715ca19

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
49dc7989a391a8ab278b588a823bfb22

SHA1
0b0dc1d2ae3b086ecc0cfd8281884a180226e4f6

SHA256
63f3ce69495259a75bd944846220b175512c59493ea727ad7a63bd88576ee316

SHA512
4132c63a50af68e7c8dc3c11b8361bec548f08f4e671b22280ab60f555b6544c8195c3709309f224bd2557700eb828002b1e58308be576ee4d27bf972bb8a6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
419c9ffbac38354b119a2336b6a3d73d

SHA1
7a662cbcc3c57c57bf4f961bc76da03f8dcd7fc7

SHA256
14c0447c644ffc41dec16d006a0900df36af8a75f2e3b7234afd5855f247e088

SHA512
3225ae1795e3008d175627a880ccdfe19cd8c3a8e7a496d21c1ee355f6d9b459d007be38d47d008076453512ecfca6b78a97324ddd94161e5532e9cebf64f2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
103c77bc853b93cdc5ace27e0047097e

SHA1
e3075c63ddd00e3b5f294763f2b23fa67f41370e

SHA256
9501c29467b4cc0c92a1f7ef0ad037747f647e9ae60a64f1f1a2bee5bfc1d6f0

SHA512
7954d1c187e02518b6c9808d33222c7a708e5f0081deac2f052bf903fe13bdeaa3f3f24bcbbfa559c26cf68f2b4d7e82647cd3e8e8265cf072ea78801a45c4b2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1508-870-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1508-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1508-296-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1508-991-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1508-996-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1508-1007-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1508-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1508-1011-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1508-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-297-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-871-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-29-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-992-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-997-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-1008-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1892-1012-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads