2feb079cd6c3ecb40c73326fb8ed4b1bddf08e4c17f0cca65be8b441e44c978e

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.527dee94b98f876e1d85324196054470.exe
Size

5.8MB
MD5

527dee94b98f876e1d85324196054470
SHA1

530536c9436c186a5930d605f79d17fd406edd23
SHA256

2feb079cd6c3ecb40c73326fb8ed4b1bddf08e4c17f0cca65be8b441e44c978e
SHA512

f49e5e23eb2d4ada3d9cfc9646938c15ecfd2e9d29bf27aa7d3143c858c4c2a9a8111a0c0b35a94de2209f7957eeed43953c3edd6f13530c854af5379704a303
SSDEEP

98304:fMbnsqA8bPk5HyUN8k5h/wDdEoNiV4I/hwAf1wAoTamiQMbnsqAuzHR3x5nte:Ub3bPk5HyC8k5h/wDdEoNiV4I/WWwA7W

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1700-4-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x000100000000ea75-6.dat	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\diantz.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\driverquery.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cliconfg.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\clip.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\ComputerDefaults.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\dialer.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\AdapterTroubleshooter.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\doskey.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cmdl32.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cmmon32.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\dnscacheugc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\auditpol.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\dccw.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\dpnsvr.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\Dism\DismHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\DisplaySwitch.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\autoconv.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\com\comrepl.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cttunesvr.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\dfrgui.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\AtBroker.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\calc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\dcomcnfg.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cmdkey.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cscript.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\dllhst3g.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\regedit.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\ARP.EXE	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\bootcfg.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\certreq.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\attrib.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\choice.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\convert.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\xlog.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\control.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\DevicePairingWizard.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrmfRsmg.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ditrace.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cacls.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cipher.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\comp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\diskperf.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\ctfmon.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cttune.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\autochk.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\bitsadmin.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\certutil.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\credwiz.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\colorcpl.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\compact.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\ddodiag.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\fsquirt.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\charmap.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\chkntfs.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cleanmgr.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cmstp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\autofmt.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\chkdsk.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\DeviceProperties.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\dllhost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\dplaysvr.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cmd.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\com\MigRegDB.exe	NEAS.527dee94b98f876e1d85324196054470.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\ehome\ehsched.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\ehome\McrMgr.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\fveupdate.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\ehome\ehtray.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\ehome\loadmxf.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\ehome\WTVConverter.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\bfsvc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\notepad.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\servicing\TrustedInstaller.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\ehome\RegisterMCEApp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\ehome\Mcx2Prov.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\explorer.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\ehome\CreateDisc\SBEServer.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\ehome\mcupdate.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	NEAS.527dee94b98f876e1d85324196054470.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.527dee94b98f876e1d85324196054470.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.527dee94b98f876e1d85324196054470.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Filesize
5.9MB

MD5
2d6b317aa53ad07d1a7c8627853607c5

SHA1
3d0058df01fdf0ed32aee16e6a1efac104168e34

SHA256
18fdc69bc4c6269c689ff34c011e06caecaacf87a2a76d0ecc0f9d61c8194ff5

SHA512
a052e270871c7a9a2e7c1caa6cc408c86e19c20ad183db2998156903943d4b245c4a438eff0e43861bd8e379d280033e4da7f62f872723862a8e750dbc39166c

Download Submit
memory/1700-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1700-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads