Overview

overview

7

Static

static

7

NEAS.779a6...40.exe

windows7-x64

7

NEAS.779a6...40.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    155s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2023 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.779a64ef52d3a6619d6d1be3a7451740.exe

  • Size

    483KB

  • MD5

    779a64ef52d3a6619d6d1be3a7451740

  • SHA1

    b23a8f11f29cc3aa6697c0f6401735bee5fa8b8f

  • SHA256

    fa887b14f58c84418bcc69e5cb39ef76d27367c960c9d16b980ab973a017ddc8

  • SHA512

    4543ec62e673535430f5a7f0d524a155a409df306465555e6ccfe9bf79396aecafeef62da66efa0239a2541e28640bcf378a850b8995a21bcb2ba24f44338712

  • SSDEEP

    6144:WdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70Nqr:s8kxNhOZElO5kkWjhD4AI

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 34 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies registry class 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.779a64ef52d3a6619d6d1be3a7451740.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.779a64ef52d3a6619d6d1be3a7451740.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\RGXATNW.EXE
      C:\Windows\RGXATNW.EXE
      2⤵
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\RGXATNW.EXE
    Filesize

    484KB

    MD5

    2352502ebb345133595e4c01b6500cf7

    SHA1

    467659928122d2b221f4003828aa4d7cb7da49ac

    SHA256

    7d1760cec4e39c71f9e9f253904be1ded6ddfb1940ecdf7925efb9bd9af20abc

    SHA512

    673bfa2d9f460067661b2f12d86a3e4fd94a39d9f0f48bd56277d1d6c5e51c8faf188a65b530258fae7fb9a06492125dfa44f4f3909f7999d2b320df287fad1a

    Download Submit

  • C:\Windows\RGXATNW.EXE
    Filesize

    484KB

    MD5

    2352502ebb345133595e4c01b6500cf7

    SHA1

    467659928122d2b221f4003828aa4d7cb7da49ac

    SHA256

    7d1760cec4e39c71f9e9f253904be1ded6ddfb1940ecdf7925efb9bd9af20abc

    SHA512

    673bfa2d9f460067661b2f12d86a3e4fd94a39d9f0f48bd56277d1d6c5e51c8faf188a65b530258fae7fb9a06492125dfa44f4f3909f7999d2b320df287fad1a

    Download Submit

  • F:\$RECYCLE.BIN\GEDUMNP.EXE
    Filesize

    484KB

    MD5

    59173a7ecf614dc2149f03cd0bba8d1f

    SHA1

    99aca5f4d0d91d14360dc827421108a69a87a45a

    SHA256

    31a868e87e6e42af8c40aaff7852c5aab67e9ce5b84b17a4baca0c2d325bc1e8

    SHA512

    27c3354dd643ebfb557741120d611acb5cf6009bfa1b608c7412bb3c98a9980519afbecc745302e03f50c32c9e2bc8b7117ff733b6bfb8b79c675fa2a3eb6ddf

    Download Submit

  • \??\c:\filedebug
    Filesize

    273B

    MD5

    23520138624e96d6f13041a395fd1994

    SHA1

    fe1e7fa38c205d3f5ec8a3135bae87bead0cdaa2

    SHA256

    9f8684b1ad705469b70e562fad0518a68f366252db3fdf773be8523905d0d750

    SHA512

    30f762cbae0502a732350703348692f9526b72481bac468c3b036e13c9ff12d58e16e0f0fb5ee1f2cdcf71685664d86c49bef7886c4c5a4686feb5853bd9bd6a

    Download Submit

  • memory/1800-0-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1800-1-0x0000000002200000-0x0000000002201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1800-24-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1804-23-0x00000000020C0000-0x00000000020C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1804-25-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1804-26-0x00000000020C0000-0x00000000020C1000-memory.dmp

    Filesize

    4KB

    Download