2feb079cd6c3ecb40c73326fb8ed4b1bddf08e4c17f0cca65be8b441e44c978e

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.527dee94b98f876e1d85324196054470.exe
Size

5.8MB
MD5

527dee94b98f876e1d85324196054470
SHA1

530536c9436c186a5930d605f79d17fd406edd23
SHA256

2feb079cd6c3ecb40c73326fb8ed4b1bddf08e4c17f0cca65be8b441e44c978e
SHA512

f49e5e23eb2d4ada3d9cfc9646938c15ecfd2e9d29bf27aa7d3143c858c4c2a9a8111a0c0b35a94de2209f7957eeed43953c3edd6f13530c854af5379704a303
SSDEEP

98304:fMbnsqA8bPk5HyUN8k5h/wDdEoNiV4I/hwAf1wAoTamiQMbnsqAuzHR3x5nte:Ub3bPk5HyC8k5h/wDdEoNiV4I/WWwA7W

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4636-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4636-2-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\UserAccountControlSettings.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\wbem\WinMgmt.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\notepad.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\unregmp2.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\ComputerDefaults.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\msra.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\Netplwiz.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\gpscript.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\regedt32.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\subst.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\Windows.WARP.JITService.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\winrs.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\clip.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\fc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\wlanext.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\ddodiag.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\RdpSaUacHelper.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\convert.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\PATHPING.EXE	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\PickerHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\WPDShextAutoplay.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cipher.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cmstp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\upnpcont.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\write.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\hh.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\systeminfo.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\Com\MigRegDB.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\dfrgui.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\dvdplay.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\efsui.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\mstsc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\setx.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\CameraSettingsUIHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cmdl32.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\WerFaultSecure.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\TRACERT.EXE	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\OposHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\rdrleakdiag.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\TokenBrokerCookies.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\verifiergui.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\cliconfg.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\dplaysvr.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\prevhost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\regsvr32.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\RMActivate_isv.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\regedit.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\chkntfs.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\wbem\WMIADAP.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\InputSwitchToastHandler.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\reg.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\IME\IMETC\IMTCLNWZ.EXE	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\msiexec.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\bitsadmin.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\bootcfg.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\Taskmgr.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SysWOW64\perfmon.exe	NEAS.527dee94b98f876e1d85324196054470.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\NcsiUwpApp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_edmgen_b77a5c561934e089_4.0.15805.0_none_ae80a3049486a75f\EdmGen.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.19041.928_none_6571ff6e96271a64\hcsdiag.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\CredDialogHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.1_none_e190f18a08ed1a44\FlashUtil_ActiveX.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_adobe-flash-for-windows_31bf3856ad364e35_10.0.19041.82_none_2358a116979cc599\FlashUtil_ActiveX.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_caspol_b03f5f7f11d50a3a_10.0.19041.1_none_e51212a36c631d23\CasPol.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\hh.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\splwow64.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\PinningConfirmationDialog.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\XGpuEjectDialog.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_addinutil_b77a5c561934e089_4.0.15805.0_none_fcd173bc1b434b81\AddInUtil.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_aspnet_compiler_b03f5f7f11d50a3a_4.0.15805.0_none_73cc8b3e43ba1056\aspnet_compiler.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_dfsvc_b03f5f7f11d50a3a_4.0.15805.0_none_c0d2d1227427864f\dfsvc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\Boot\PCAT\memtest.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Win32WebViewHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\FilePicker.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\PeopleExperienceHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_eventviewersettings_31bf3856ad364e35_10.0.19041.1_none_aae8e58aa310aa7d\eventvwr.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\f\hvc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\r\hvc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\explorer.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\NarratorQuickStart.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\OOBENetworkConnectionFlow.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.19041.928_none_6571ff6e96271a64\r\hcsdiag.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.1288_none_6c70124c60e2b4ef\vmcompute.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\sysmon.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\CallingShellApp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_comsvcconfig_b03f5f7f11d50a3a_4.0.15805.0_none_468e01fabfc37212\ComSvcConfig.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.264_none_6b6699b671c8f5a8\VmComputeAgent.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\BioEnrollmentHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\CapturePicker.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\FileExplorer.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_curl_31bf3856ad364e35_10.0.19041.1_none_345cbd92bc885eba\curl.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.19041.1_none_3d521dedd6c76700\hcsdiag.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.264_none_6b6699b671c8f5a8\f\VmComputeAgent.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AssignedAccessLockApp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_4.0.15805.0_none_646d7347043be71c\aspnet_regbrowsers.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\hvc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-containerdiagnosticstool_31bf3856ad364e35_10.0.19041.928_none_6571ff6e96271a64\f\hcsdiag.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.264_none_d58a0ca50a94510c\vmcompute.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\servicing\TrustedInstaller.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\Microsoft.ECApp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_addinprocess_b77a5c561934e089_4.0.15805.0_none_74baba51266f3010\AddInProcess.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\n\CExecSvc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.1288_none_6c70124c60e2b4ef\f\vmcompute.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\UndockedDevKit.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\WpcUapApp.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_bsdtar_31bf3856ad364e35_10.0.19041.1_none_0c1f19c50b5e5f6e\tar.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.264_none_d58a0ca50a94510c\f\vmcompute.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\CameraBarcodeScannerPreview.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c\AddInProcess32.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_aspnet_compiler_b03f5f7f11d50a3a_10.0.19041.1_none_9202844cd514ab44\aspnet_compiler.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-host-service_31bf3856ad364e35_10.0.19041.1288_none_6c70124c60e2b4ef\r\vmcompute.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\bfsvc.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\HelpPane.exe	NEAS.527dee94b98f876e1d85324196054470.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\AppResolverUX.exe	NEAS.527dee94b98f876e1d85324196054470.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.527dee94b98f876e1d85324196054470.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.527dee94b98f876e1d85324196054470.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4636-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4636-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads