4369063ba9e8f00abf12eb09cc2ce6cb52e4805847472dba44bf9215ca0a6b47

Analysis

max time kernel
262s
max time network
308s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2e929e07c442f67b0d91c1cb712392b0.exe
Size

2.3MB
MD5

2e929e07c442f67b0d91c1cb712392b0
SHA1

4435a4c82f91f498ed2dbf4a6d0122360e660fe6
SHA256

4369063ba9e8f00abf12eb09cc2ce6cb52e4805847472dba44bf9215ca0a6b47
SHA512

124200a802095f1f7fff99b145260b064bae85fa2c275fc95c17731f9bc2dbe2b2b4a2d87111e6825f5404ac393dda4c2cf081f3c79e11e6b8464fc317541e9c
SSDEEP

49152:RWpQTW3vYptbUE0QI662K8E11Jkc/ookTD79C6A4tVxckwDzksDM2jh3BqS7YtGz:ZptbUE0Qw2K51Jkc/ooYk45xn6MMQS7z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2616	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe
468	Process not Found
1640	alg.exe
2372	aspnet_state.exe
1212	mscorsvw.exe
1056	mscorsvw.exe

Loads dropped DLL 3 IoCs

pid	Process
2832	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe
468	Process not Found
468	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7cafe35dcb29f0fa.bin	aspnet_state.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2832	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2616	2832	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe	27
PID 2832 wrote to memory of 2616	2832	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe	27
PID 2832 wrote to memory of 2616	2832	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe	27
PID 2832 wrote to memory of 2616	2832	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe	27
PID 2832 wrote to memory of 2616	2832	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe	27
PID 2832 wrote to memory of 2616	2832	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe	27
PID 2832 wrote to memory of 2616	2832	NEAS.2e929e07c442f67b0d91c1cb712392b0.exe	27

C:\Users\Admin\AppData\Local\Temp\NEAS.2e929e07c442f67b0d91c1cb712392b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2e929e07c442f67b0d91c1cb712392b0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\jds259569049.tmp\NEAS.2e929e07c442f67b0d91c1cb712392b0.exe
  "C:\Users\Admin\AppData\Local\Temp\jds259569049.tmp\NEAS.2e929e07c442f67b0d91c1cb712392b0.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2616

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1212

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jds259569049.tmp\NEAS.2e929e07c442f67b0d91c1cb712392b0.exe

Filesize
1.6MB

MD5
2ae766974ba27233b9a3875bc1f2ce65

SHA1
6b93e73130fb70c1abf199768fef983466827bbc

SHA256
acf5e22c4b1a98dc889fe2ad25626ea6fb8cce66edf1c2a4773ad4742f71203c

SHA512
d579d3d14857365cf1f2cf4d7d9f29f47a4dd071d61b4dd4c1310ae2864ea2671d6d55042e49ba57600b936420f09feb3d3005047bdc317dee488ee187026b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
7c24c49c2e0235e3a8a143202ec6ad0c

SHA1
8ae5a5d3e7ed9ffe3d98d7ea4fffae4695f4591b

SHA256
1df4868c197109a82aea096e2484e7ee99f5f98b22df0065d71145b109baac6d

SHA512
41e1583a0f07e588c6523fad7d3cd69c4764d4b4987714575e807d511072d3ad6b213d292e3c9915386b6668f1926b163f89e074d8a9e4e5714830a3eadc2797

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
5KB

MD5
d02b21b5835302c4d677c662da034e7d

SHA1
824004e968d3d22a66293cbc3c3235cfc7781ff6

SHA256
f97a02e25cde31e21584a2f4b3eceb76af1d7e933c70fef69578bc091cb31a1f

SHA512
053f8a1b1f0f3317e93f049b185dc57b9cf5278c3f0bad86bbd79c2e9e65db33a90a6e252176679535439b8464958343a6dfdbb242e4f4da24cc9095c40d0232

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
af516fa2dd50bb5ef3b78bac45bae8ce

SHA1
f63762e05b9949f34cb3e4de3fd1127bbdded279

SHA256
363e985dcc7e76e698c8bddc1a49865aedceffbc3ae70754c00376ba55623b6e

SHA512
40ef47010143813289e1ab5ca9cf4de137c7cad99cce4b1f8b958fed21028cdbac94db5140f77d3622a2916e3c821a720eece118e0c80dbcba30f2e3976b9089

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
d2da84a456eec35f5216552c1be8c8d7

SHA1
a5acfe22e35479fdfc460198aa79730070ca9a57

SHA256
fef697af7d0ee34c1ce7173b5d896b8d2198021755c3fa91f525bb71dc0b191c

SHA512
be409a651c64c3221e273aa0eb318562bd8f3cc791935d99a9b73bbb3235661b4fd6de1fff1d852fb337716d50a5e9e158754143d1f7288b8732615356d5b8a6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
fe76557cd846c2cb81cd8fed601fbcd2

SHA1
c9caeb8a484e168e45609e8d3f2929c4cd80609a

SHA256
4b4ff4bdbe538e3412cb45ddc81a154017513e084eb929c6326f6e87642e32d2

SHA512
d8534f89f6c417691c23ca0a42d7230f9d4b03f258b7e6d3ec889201c4b5148c4792d8eb3fd25c36d544dc7f590b4363ac1bdbb77ec4069fc62aae3cff93a50c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.2MB

MD5
fe76557cd846c2cb81cd8fed601fbcd2

SHA1
c9caeb8a484e168e45609e8d3f2929c4cd80609a

SHA256
4b4ff4bdbe538e3412cb45ddc81a154017513e084eb929c6326f6e87642e32d2

SHA512
d8534f89f6c417691c23ca0a42d7230f9d4b03f258b7e6d3ec889201c4b5148c4792d8eb3fd25c36d544dc7f590b4363ac1bdbb77ec4069fc62aae3cff93a50c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
43e20aa07a62432da4651e845a9b8f87

SHA1
269b4db2ced6ae1d72dad58b9a5e8ffdd358940f

SHA256
d6f3db419ad66b329f9189e8e72c8b960f7e1b48d212abf47dc640620c2dd9ab

SHA512
c05628f05537b014a00905877492181c01ca45033903368eab181c9145f58bf3d5c294642dd9b4d4ec4e190472b75124cdd6228e7fd2ae1110e7591b1d2e7aa7

Download Submit
\Users\Admin\AppData\Local\Temp\jds259569049.tmp\NEAS.2e929e07c442f67b0d91c1cb712392b0.exe

Filesize
1.6MB

MD5
2ae766974ba27233b9a3875bc1f2ce65

SHA1
6b93e73130fb70c1abf199768fef983466827bbc

SHA256
acf5e22c4b1a98dc889fe2ad25626ea6fb8cce66edf1c2a4773ad4742f71203c

SHA512
d579d3d14857365cf1f2cf4d7d9f29f47a4dd071d61b4dd4c1310ae2864ea2671d6d55042e49ba57600b936420f09feb3d3005047bdc317dee488ee187026b7a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.3MB

MD5
af516fa2dd50bb5ef3b78bac45bae8ce

SHA1
f63762e05b9949f34cb3e4de3fd1127bbdded279

SHA256
363e985dcc7e76e698c8bddc1a49865aedceffbc3ae70754c00376ba55623b6e

SHA512
40ef47010143813289e1ab5ca9cf4de137c7cad99cce4b1f8b958fed21028cdbac94db5140f77d3622a2916e3c821a720eece118e0c80dbcba30f2e3976b9089

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.2MB

MD5
d2da84a456eec35f5216552c1be8c8d7

SHA1
a5acfe22e35479fdfc460198aa79730070ca9a57

SHA256
fef697af7d0ee34c1ce7173b5d896b8d2198021755c3fa91f525bb71dc0b191c

SHA512
be409a651c64c3221e273aa0eb318562bd8f3cc791935d99a9b73bbb3235661b4fd6de1fff1d852fb337716d50a5e9e158754143d1f7288b8732615356d5b8a6

Download Submit
\Windows\System32\alg.exe

Filesize
1.3MB

MD5
43e20aa07a62432da4651e845a9b8f87

SHA1
269b4db2ced6ae1d72dad58b9a5e8ffdd358940f

SHA256
d6f3db419ad66b329f9189e8e72c8b960f7e1b48d212abf47dc640620c2dd9ab

SHA512
c05628f05537b014a00905877492181c01ca45033903368eab181c9145f58bf3d5c294642dd9b4d4ec4e190472b75124cdd6228e7fd2ae1110e7591b1d2e7aa7

Download Submit
memory/1056-152-0x0000000010000000-0x00000000101E6000-memory.dmp

Filesize
1.9MB

Download
memory/1056-160-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1056-153-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1056-159-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1212-135-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/1212-134-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1212-141-0x0000000000290000-0x00000000002F7000-memory.dmp

Filesize
412KB

Download
memory/1212-147-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/1640-25-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/1640-29-0x0000000100000000-0x00000001001E3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-61-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2372-54-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2372-53-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2372-34-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/2832-16-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/2832-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2832-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2832-0-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download