04a9bbe61349ec0e4af1fb45eff5c8d2ba811af8aaac2ac96defccedeb3418b7

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe
Size

206KB
MD5

8265b46825474f08279734d3a1f1bbee
SHA1

69cf68dd15309f39677d8fd7795041c275c5653b
SHA256

04a9bbe61349ec0e4af1fb45eff5c8d2ba811af8aaac2ac96defccedeb3418b7
SHA512

d0cdc6e8dd0a1924c39b91d837f182f2750c542facc49a36626330147cf6f9254735cb4ae3311c7f1d261af434776c468f59a490c9bbd5662203e6df0a5b8b04
SSDEEP

6144:1cfMsSybxMqmdUTBL17G+rhJZj2ndG93:mMxybx9mdUTlAihrWg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2616	YahooAUService.exe
2632	z6B61.tmp
2816	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe

Loads dropped DLL 3 IoCs

pid	Process
1892	sethc.exe
2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe
2632	z6B61.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Yahoo!\YahooAUService.exe	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\YahooUpdate\Checksum = "0"	YahooAUService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\YahooUpdate	YahooAUService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\YahooUpdate\Version = "0"	YahooAUService.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe
2632	z6B61.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2216	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	28
PID 2208 wrote to memory of 2216	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	28
PID 2208 wrote to memory of 2216	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	28
PID 2208 wrote to memory of 2216	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	28
PID 2208 wrote to memory of 1892	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	29
PID 2208 wrote to memory of 1892	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	29
PID 2208 wrote to memory of 1892	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	29
PID 2208 wrote to memory of 1892	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	29
PID 2208 wrote to memory of 1892	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	29
PID 2208 wrote to memory of 2632	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	31
PID 2208 wrote to memory of 2632	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	31
PID 2208 wrote to memory of 2632	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	31
PID 2208 wrote to memory of 2632	2208	NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe	31
PID 2632 wrote to memory of 2492	2632	z6B61.tmp	32
PID 2632 wrote to memory of 2492	2632	z6B61.tmp	32
PID 2632 wrote to memory of 2492	2632	z6B61.tmp	32
PID 2632 wrote to memory of 2492	2632	z6B61.tmp	32
PID 2632 wrote to memory of 2816	2632	z6B61.tmp	33
PID 2632 wrote to memory of 2816	2632	z6B61.tmp	33
PID 2632 wrote to memory of 2816	2632	z6B61.tmp	33
PID 2632 wrote to memory of 2816	2632	z6B61.tmp	33

C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\sethc.exe
  "C:\Windows\system32\sethc.exe"
  2⤵
  PID:2216
- C:\Windows\SysWOW64\sethc.exe
  "C:\Windows\system32\sethc.exe"
  2⤵
  - Loads dropped DLL
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\z6B61.tmp
  "C:\Users\Admin\AppData\Local\Temp\z6B61.tmp" C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\sethc.exe
    "C:\Windows\system32\sethc.exe"
    3⤵
    PID:2492
- - C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe"
    3⤵
    - Executes dropped EXE
    PID:2816

C:\Program Files (x86)\Common Files\Yahoo!\YahooAUService.exe
"C:\Program Files (x86)\Common Files\Yahoo!\YahooAUService.exe" -silentupdate
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Yahoo!\YahooAUService.exe

Filesize
63KB

MD5
1f7884a31c80ea799e5a1f06e1b13c3e

SHA1
ccd6ed93c240a770b5213366b790c5e45328dfe9

SHA256
3877a5fb6ddd09072dbaecdffbbe0b382cf36985a62abcc89b296f78480d0d8d

SHA512
eb46615323c8390a31735ba0d09eb65373b9ac953ef89ca815cfed6f468276e0e6b656a75e032c1e29cb971a2c296802aa06e8cddbda073332efa942d637c7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe

Filesize
44KB

MD5
7c3a72d36df62213505924710fcb367b

SHA1
20d123b009445e3e4644417da4da1b3632e2bdf4

SHA256
2c0f0e37c328f3e2d35b6128fe2e0089f93d9755ae1ca7fbf59cfb11327fbbd7

SHA512
43247b3fe7f0bea40fedf26310bfeb75ede5617905f68181da2febfac221d267c96164209d510c0ade2c43fb96dd39f2d148acb916d67ab050ad5dfa7dfbbba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe

Filesize
44KB

MD5
7c3a72d36df62213505924710fcb367b

SHA1
20d123b009445e3e4644417da4da1b3632e2bdf4

SHA256
2c0f0e37c328f3e2d35b6128fe2e0089f93d9755ae1ca7fbf59cfb11327fbbd7

SHA512
43247b3fe7f0bea40fedf26310bfeb75ede5617905f68181da2febfac221d267c96164209d510c0ade2c43fb96dd39f2d148acb916d67ab050ad5dfa7dfbbba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6A67.tmp

Filesize
36KB

MD5
641eca00be4f32012461499d58951157

SHA1
f3e294f289ade3bf2b007d7948549a8f9ac97cf2

SHA256
9788cc54f91fac2dedac19dea43b07f1a7391d04d1f03ab0353d1957b6962b92

SHA512
b73b1c1119289a51dcf8348f5b14d674130c79ff94e0c24482e76fa1cce536a891ba084d6dd3fee37d7affcf6aff745f093ab1f5d2f2396f94944b2c000d32a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6B61.tmp

Filesize
206KB

MD5
8265b46825474f08279734d3a1f1bbee

SHA1
69cf68dd15309f39677d8fd7795041c275c5653b

SHA256
04a9bbe61349ec0e4af1fb45eff5c8d2ba811af8aaac2ac96defccedeb3418b7

SHA512
d0cdc6e8dd0a1924c39b91d837f182f2750c542facc49a36626330147cf6f9254735cb4ae3311c7f1d261af434776c468f59a490c9bbd5662203e6df0a5b8b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6B61.tmp

Filesize
206KB

MD5
8265b46825474f08279734d3a1f1bbee

SHA1
69cf68dd15309f39677d8fd7795041c275c5653b

SHA256
04a9bbe61349ec0e4af1fb45eff5c8d2ba811af8aaac2ac96defccedeb3418b7

SHA512
d0cdc6e8dd0a1924c39b91d837f182f2750c542facc49a36626330147cf6f9254735cb4ae3311c7f1d261af434776c468f59a490c9bbd5662203e6df0a5b8b04

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.NEAS8265b46825474f08279734d3a1f1bbeeexe_JC.exe

Filesize
44KB

MD5
7c3a72d36df62213505924710fcb367b

SHA1
20d123b009445e3e4644417da4da1b3632e2bdf4

SHA256
2c0f0e37c328f3e2d35b6128fe2e0089f93d9755ae1ca7fbf59cfb11327fbbd7

SHA512
43247b3fe7f0bea40fedf26310bfeb75ede5617905f68181da2febfac221d267c96164209d510c0ade2c43fb96dd39f2d148acb916d67ab050ad5dfa7dfbbba5

Download Submit
\Users\Admin\AppData\Local\Temp\c6A67.tmp

Filesize
36KB

MD5
641eca00be4f32012461499d58951157

SHA1
f3e294f289ade3bf2b007d7948549a8f9ac97cf2

SHA256
9788cc54f91fac2dedac19dea43b07f1a7391d04d1f03ab0353d1957b6962b92

SHA512
b73b1c1119289a51dcf8348f5b14d674130c79ff94e0c24482e76fa1cce536a891ba084d6dd3fee37d7affcf6aff745f093ab1f5d2f2396f94944b2c000d32a4

Download Submit
\Users\Admin\AppData\Local\Temp\z6B61.tmp

Filesize
206KB

MD5
8265b46825474f08279734d3a1f1bbee

SHA1
69cf68dd15309f39677d8fd7795041c275c5653b

SHA256
04a9bbe61349ec0e4af1fb45eff5c8d2ba811af8aaac2ac96defccedeb3418b7

SHA512
d0cdc6e8dd0a1924c39b91d837f182f2750c542facc49a36626330147cf6f9254735cb4ae3311c7f1d261af434776c468f59a490c9bbd5662203e6df0a5b8b04

Download Submit
memory/1892-9-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2632-31-0x0000000000D70000-0x0000000000D8C000-memory.dmp

Filesize
112KB

Download
memory/2632-36-0x0000000000D70000-0x0000000000D8C000-memory.dmp

Filesize
112KB

Download
memory/2816-35-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2816-37-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download