Analysis

  • max time kernel
    88s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-10-2023 17:21

General

  • Target

    NEAS.6d758cb67a111a85b314bb0d939702c0.exe

  • Size

    19KB

  • MD5

    6d758cb67a111a85b314bb0d939702c0

  • SHA1

    fc1e533e311b25d480fbef9964ed285ba0f1d35c

  • SHA256

    6bb4c6714e3089cb51daa14615c0ab9425c282ce6a6fbf16b7c6cf213985e9cf

  • SHA512

    737da7ef8790fa3d24b24ff49affe901fcbe807f02fbbfa731867dfe29d5cb80de4fa40d1f8a4b35be402008e4a5de543708f06b96806c9ae9d5e434e4ee850d

  • SSDEEP

    384:UBWoC5GDr6wc/w3HgM6vDUTAXBGCVf4WVlFvX+faArc:rRkiLw3HsDSARGG/uJA

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:424
    • C:\Users\Admin\AppData\Local\Temp\NEAS.6d758cb67a111a85b314bb0d939702c0.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.6d758cb67a111a85b314bb0d939702c0.exe"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\rmass.exe
        "C:\Windows\system32\rmass.exe"
        2⤵
        • Windows security bypass
        • Drops file in Drivers directory
        • Modifies Installed Components in the registry
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Windows\SysWOW64\rmass.exe
          --k33p
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2040
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1200

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\RECOVER32.DLL

    Filesize

    5KB

    MD5

    2b2c28a7a01f9584fe220ef84003427f

    SHA1

    5fc023df0b5064045eb8de7f2dbe26f07f6fec70

    SHA256

    9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb

    SHA512

    39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

  • C:\Windows\SysWOW64\ahuy.exe

    Filesize

    21KB

    MD5

    82c6003920d00519a9c8fb45c41c412b

    SHA1

    25f9413bc8ae6374585a71e96b69c685e924c0fb

    SHA256

    7a3c2917c0a96f028360341b398ae0158444459790d2ad1fd21d817df40c384f

    SHA512

    2cfd64b2420dce25a2b0b9408c0438f0dddb81f90b070be8bb384a05e5589d3f5674ce08a486c97802cdb721af09763b4fa50972fe71639c35585d9be9bb6a06

  • C:\Windows\SysWOW64\ntdbg.exe

    Filesize

    22KB

    MD5

    ab38d268a819f006e48bbae57a8c8d90

    SHA1

    cb7f1302231c5b96dcb0bc72f8aaba81b1dc7f26

    SHA256

    1b4055a285d46e0f9899a78768c2b7546ee9a102585b016016162bd9043b19e2

    SHA512

    2b52d0b17b8d8af7678df41cf8d6d038568741af589b8597d22ec02d94276219ac7c26b84a55f6f7a3e758d27a7a46771a74135b93bb239651509f70c63dc2cd

  • C:\Windows\SysWOW64\rmass.exe

    Filesize

    19KB

    MD5

    6d758cb67a111a85b314bb0d939702c0

    SHA1

    fc1e533e311b25d480fbef9964ed285ba0f1d35c

    SHA256

    6bb4c6714e3089cb51daa14615c0ab9425c282ce6a6fbf16b7c6cf213985e9cf

    SHA512

    737da7ef8790fa3d24b24ff49affe901fcbe807f02fbbfa731867dfe29d5cb80de4fa40d1f8a4b35be402008e4a5de543708f06b96806c9ae9d5e434e4ee850d

  • C:\Windows\SysWOW64\rmass.exe

    Filesize

    19KB

    MD5

    6d758cb67a111a85b314bb0d939702c0

    SHA1

    fc1e533e311b25d480fbef9964ed285ba0f1d35c

    SHA256

    6bb4c6714e3089cb51daa14615c0ab9425c282ce6a6fbf16b7c6cf213985e9cf

    SHA512

    737da7ef8790fa3d24b24ff49affe901fcbe807f02fbbfa731867dfe29d5cb80de4fa40d1f8a4b35be402008e4a5de543708f06b96806c9ae9d5e434e4ee850d

  • C:\Windows\SysWOW64\rmass.exe

    Filesize

    19KB

    MD5

    6d758cb67a111a85b314bb0d939702c0

    SHA1

    fc1e533e311b25d480fbef9964ed285ba0f1d35c

    SHA256

    6bb4c6714e3089cb51daa14615c0ab9425c282ce6a6fbf16b7c6cf213985e9cf

    SHA512

    737da7ef8790fa3d24b24ff49affe901fcbe807f02fbbfa731867dfe29d5cb80de4fa40d1f8a4b35be402008e4a5de543708f06b96806c9ae9d5e434e4ee850d

  • C:\Windows\SysWOW64\rmass.exe

    Filesize

    19KB

    MD5

    6d758cb67a111a85b314bb0d939702c0

    SHA1

    fc1e533e311b25d480fbef9964ed285ba0f1d35c

    SHA256

    6bb4c6714e3089cb51daa14615c0ab9425c282ce6a6fbf16b7c6cf213985e9cf

    SHA512

    737da7ef8790fa3d24b24ff49affe901fcbe807f02fbbfa731867dfe29d5cb80de4fa40d1f8a4b35be402008e4a5de543708f06b96806c9ae9d5e434e4ee850d

  • \Windows\SysWOW64\rmass.exe

    Filesize

    19KB

    MD5

    6d758cb67a111a85b314bb0d939702c0

    SHA1

    fc1e533e311b25d480fbef9964ed285ba0f1d35c

    SHA256

    6bb4c6714e3089cb51daa14615c0ab9425c282ce6a6fbf16b7c6cf213985e9cf

    SHA512

    737da7ef8790fa3d24b24ff49affe901fcbe807f02fbbfa731867dfe29d5cb80de4fa40d1f8a4b35be402008e4a5de543708f06b96806c9ae9d5e434e4ee850d

  • \Windows\SysWOW64\rmass.exe

    Filesize

    19KB

    MD5

    6d758cb67a111a85b314bb0d939702c0

    SHA1

    fc1e533e311b25d480fbef9964ed285ba0f1d35c

    SHA256

    6bb4c6714e3089cb51daa14615c0ab9425c282ce6a6fbf16b7c6cf213985e9cf

    SHA512

    737da7ef8790fa3d24b24ff49affe901fcbe807f02fbbfa731867dfe29d5cb80de4fa40d1f8a4b35be402008e4a5de543708f06b96806c9ae9d5e434e4ee850d

  • \Windows\SysWOW64\rmass.exe

    Filesize

    19KB

    MD5

    6d758cb67a111a85b314bb0d939702c0

    SHA1

    fc1e533e311b25d480fbef9964ed285ba0f1d35c

    SHA256

    6bb4c6714e3089cb51daa14615c0ab9425c282ce6a6fbf16b7c6cf213985e9cf

    SHA512

    737da7ef8790fa3d24b24ff49affe901fcbe807f02fbbfa731867dfe29d5cb80de4fa40d1f8a4b35be402008e4a5de543708f06b96806c9ae9d5e434e4ee850d

  • memory/1732-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1732-11-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2028-20-0x0000000000360000-0x0000000000371000-memory.dmp

    Filesize

    68KB

  • memory/2028-17-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2028-46-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2040-50-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB