Analysis

  • max time kernel
    155s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/10/2023, 18:25 UTC

General

  • Target

    NEAS.779a64ef52d3a6619d6d1be3a7451740.exe

  • Size

    483KB

  • MD5

    779a64ef52d3a6619d6d1be3a7451740

  • SHA1

    b23a8f11f29cc3aa6697c0f6401735bee5fa8b8f

  • SHA256

    fa887b14f58c84418bcc69e5cb39ef76d27367c960c9d16b980ab973a017ddc8

  • SHA512

    4543ec62e673535430f5a7f0d524a155a409df306465555e6ccfe9bf79396aecafeef62da66efa0239a2541e28640bcf378a850b8995a21bcb2ba24f44338712

  • SSDEEP

    6144:WdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70Nqr:s8kxNhOZElO5kkWjhD4AI

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 34 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies registry class 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.779a64ef52d3a6619d6d1be3a7451740.exe (PID 1800, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.779a64ef52d3a6619d6d1be3a7451740.exe"
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • C:\Windows\RGXATNW.EXE (PID 1804, depth 2, child of PID 1800)
      Command line: C:\Windows\RGXATNW.EXE
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam

Network

  • DNS lookup: 8.8.8.8.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dnsgoogle
  • DNS lookup: 208.194.73.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 208.194.73.20.in-addr.arpa IN PTR
    Response: empty
  • DNS lookup: 1.202.248.87.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 1.202.248.87.in-addr.arpa IN PTR
    Response: 1.202.248.87.in-addr.arpa IN PTR https-87-248-202-1amsllnwnet
  • DNS lookup: 108.211.229.192.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 108.211.229.192.in-addr.arpa IN PTR
    Response: empty
  • DNS lookup: 133.32.126.40.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 133.32.126.40.in-addr.arpa IN PTR
    Response: empty
  • DNS lookup: 26.165.165.52.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 26.165.165.52.in-addr.arpa IN PTR
    Response: empty
  • DNS lookup: 198.187.3.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 198.187.3.20.in-addr.arpa IN PTR
    Response: empty
  • DNS lookup: 158.240.127.40.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 158.240.127.40.in-addr.arpa IN PTR
    Response: empty
  • DNS lookup: 240.81.21.72.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 240.81.21.72.in-addr.arpa IN PTR
    No response recorded
  • DNS lookup: 240.81.21.72.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 240.81.21.72.in-addr.arpa IN PTR
    No response recorded
  • DNS lookup: 240.81.21.72.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 240.81.21.72.in-addr.arpa IN PTR
    No response recorded
  • DNS lookup: 240.81.21.72.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 240.81.21.72.in-addr.arpa IN PTR
    No response recorded
  • DNS lookup: 240.81.21.72.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 240.81.21.72.in-addr.arpa IN PTR
    No response recorded
  • DNS lookup: 9.57.101.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 9.57.101.20.in-addr.arpa IN PTR
    Response: empty
  • DNS lookup: 170.117.168.52.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 170.117.168.52.in-addr.arpa IN PTR
    Response: empty
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    1.202.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    1.202.248.87.in-addr.arpa

  • 8.8.8.8:53
    108.211.229.192.in-addr.arpa
    dns
    74 B
    145 B
    1
    1

    DNS Request

    108.211.229.192.in-addr.arpa

  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    158.240.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    158.240.127.40.in-addr.arpa

  • 8.8.8.8:53
    240.81.21.72.in-addr.arpa
    dns
    355 B
    5

    DNS Request

    240.81.21.72.in-addr.arpa

    DNS Request

    240.81.21.72.in-addr.arpa

    DNS Request

    240.81.21.72.in-addr.arpa

    DNS Request

    240.81.21.72.in-addr.arpa

    DNS Request

    240.81.21.72.in-addr.arpa

  • 8.8.8.8:53
    9.57.101.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.57.101.20.in-addr.arpa

  • 8.8.8.8:53
    170.117.168.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    170.117.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\RGXATNW.EXE

    Filesize

    484KB

    MD5

    2352502ebb345133595e4c01b6500cf7

    SHA1

    467659928122d2b221f4003828aa4d7cb7da49ac

    SHA256

    7d1760cec4e39c71f9e9f253904be1ded6ddfb1940ecdf7925efb9bd9af20abc

    SHA512

    673bfa2d9f460067661b2f12d86a3e4fd94a39d9f0f48bd56277d1d6c5e51c8faf188a65b530258fae7fb9a06492125dfa44f4f3909f7999d2b320df287fad1a

  • F:\$RECYCLE.BIN\GEDUMNP.EXE

    Filesize

    484KB

    MD5

    59173a7ecf614dc2149f03cd0bba8d1f

    SHA1

    99aca5f4d0d91d14360dc827421108a69a87a45a

    SHA256

    31a868e87e6e42af8c40aaff7852c5aab67e9ce5b84b17a4baca0c2d325bc1e8

    SHA512

    27c3354dd643ebfb557741120d611acb5cf6009bfa1b608c7412bb3c98a9980519afbecc745302e03f50c32c9e2bc8b7117ff733b6bfb8b79c675fa2a3eb6ddf

  • \??\c:\filedebug

    Filesize

    273B

    MD5

    23520138624e96d6f13041a395fd1994

    SHA1

    fe1e7fa38c205d3f5ec8a3135bae87bead0cdaa2

    SHA256

    9f8684b1ad705469b70e562fad0518a68f366252db3fdf773be8523905d0d750

    SHA512

    30f762cbae0502a732350703348692f9526b72481bac468c3b036e13c9ff12d58e16e0f0fb5ee1f2cdcf71685664d86c49bef7886c4c5a4686feb5853bd9bd6a

  • memory/1800-0-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1800-1-0x0000000002200000-0x0000000002201000-memory.dmp

    Filesize

    4KB

  • memory/1800-24-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1804-23-0x00000000020C0000-0x00000000020C1000-memory.dmp

    Filesize

    4KB

  • memory/1804-25-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1804-26-0x00000000020C0000-0x00000000020C1000-memory.dmp

    Filesize

    4KB
