32edaaf905dec3b112800fbf2829eee2a59b61cff59e35222d10271882c6e86b

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2023 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
Size

8.0MB
MD5

63c282c25e7e2336eb1d36ef97d8b260
SHA1

975262e66c071a453013996cfa942836a24d848d
SHA256

32edaaf905dec3b112800fbf2829eee2a59b61cff59e35222d10271882c6e86b
SHA512

842fb2df639e1378ea4fab21a46390580c6bd3fcf280799743abc68a1f5bd349fc726ec37510563b37387873c27174615502a2045e302af79c9ce38841170f9e
SSDEEP

196608:OhSt9LnY9XtV1w+THshOEe47TD9pNLXH6bZUaMHE7:OK+9XBFD74HJb36tUaS+

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
4548	À×ýˆ´«Ææ.exe

Executes dropped EXE 2 IoCs

pid	Process
1952	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
4548	À×ýˆ´«Ææ.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5044-0-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/memory/5044-1-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/files/0x000a000000022e4a-6.dat	upx
behavioral2/files/0x000a000000022e4a-7.dat	upx
behavioral2/memory/1952-8-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/memory/5044-9-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/memory/1952-13-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/memory/1952-140-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/memory/1952-141-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/memory/1952-142-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/files/0x0009000000022dea-145.dat	upx
behavioral2/files/0x0009000000022dea-146.dat	upx
behavioral2/memory/4548-147-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/memory/1952-148-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/memory/4548-151-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/memory/4548-314-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/memory/4548-315-0x0000000000400000-0x0000000001C34000-memory.dmp	upx
behavioral2/memory/4548-327-0x0000000000400000-0x0000000001C34000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\P:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\Q:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\W:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\U:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\A:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\E:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\G:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\K:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\M:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\N:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\S:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\V:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\X:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\Y:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\B:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\J:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\L:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\O:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\R:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\I:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\T:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
File opened (read-only)	\??\Z:	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5008	4548	WerFault.exe	91

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1952	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
5044	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
5044	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
5044	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
5044	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
5044	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
1952	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
1952	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
1952	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
1952	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
1952	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
4548	À×ýˆ´«Ææ.exe
4548	À×ýˆ´«Ææ.exe
4548	À×ýˆ´«Ææ.exe
4548	À×ýˆ´«Ææ.exe
4548	À×ýˆ´«Ææ.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 1952	5044	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe	87
PID 5044 wrote to memory of 1952	5044	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe	87
PID 5044 wrote to memory of 1952	5044	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe	87
PID 1952 wrote to memory of 4548	1952	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe	91
PID 1952 wrote to memory of 4548	1952	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe	91
PID 1952 wrote to memory of 4548	1952	NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044
- C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
  C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\À×ýˆ´«Ææ.exe
    C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\À×ýˆ´«Ææ.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 2728
      4⤵
      Program crash
      PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4548 -ip 4548
1⤵
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\24a9fbba4e7f56a370a5e7e5cdeb2063.zip

Filesize
3.2MB

MD5
06e49601650c2641f0098f316027dfdb

SHA1
9990a5ff16c27b103cca285afa837faa53b48159

SHA256
96300651eac0423a8be50ba8761bcffc4295aa6193c9dc839487dd26b4ccad79

SHA512
0c2e0ddb835ac0ff2662a8a0144100b08cfac97c0f8271d01b78554aa621d1768bc8e0137a62659f7d08f78fc271ac715256699ba98f153f401a1f84f9fbbcdc

Download Submit
C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\Data\MapDesc1.dat

Filesize
6KB

MD5
380c43146e1306544da283f2f2f90938

SHA1
84380e733f3a272a5386621abdf5848a04bc5f0a

SHA256
31c9caae23cdb163387729c00aa6427b0800c6922d0cce33fcfc670defbc348a

SHA512
9078b9dbe6358db82e99c1882397e2eba661ec138a391d132ae9f031bb04593aca0e7bc7ab8de083be9567cc6c31ec32352d91ed5f2c6846e8a8f82d7fe65414

Download Submit
C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\Data\Tips.dat

Filesize
298B

MD5
0f428e0a9d6222a0e4285a8191b826a2

SHA1
e20f25876cc630ade5a05091b12c52f39a580d56

SHA256
6e235e50fba711f7e5dd003c25a12682bf62a040c8011f56c8e2f416c332b4f9

SHA512
0129cc286ed01c06e19d0aba7e614ad5a8c378f4813ba958d072b95f5c11acfc1e2f7efcb6b8460df0dda602bd7789f9cbd7836577e1df7587e5cbceb61a6784

Download Submit
C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\Data\progress.bmp

Filesize
161KB

MD5
cd34fc0e9296e49905f04e687306238b

SHA1
878e45f7c998220489690c9125ce0f6f8851c5a6

SHA256
10c431350d98546410a11b21913bb788084510a75f3cc084e636e29d4ab12d43

SHA512
d0414b02ed2dd6cedc7f70f1018c5806600cd3561850fbe03d37e972b5d9b699c466353dc6f302e4d5a54567bc291b2c989c4f6fce2e8d315a466f38215184e8

Download Submit
C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe

Filesize
8.0MB

MD5
63c282c25e7e2336eb1d36ef97d8b260

SHA1
975262e66c071a453013996cfa942836a24d848d

SHA256
32edaaf905dec3b112800fbf2829eee2a59b61cff59e35222d10271882c6e86b

SHA512
842fb2df639e1378ea4fab21a46390580c6bd3fcf280799743abc68a1f5bd349fc726ec37510563b37387873c27174615502a2045e302af79c9ce38841170f9e

Download Submit
C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\NEAS.63c282c25e7e2336eb1d36ef97d8b260.exe

Filesize
8.0MB

MD5
63c282c25e7e2336eb1d36ef97d8b260

SHA1
975262e66c071a453013996cfa942836a24d848d

SHA256
32edaaf905dec3b112800fbf2829eee2a59b61cff59e35222d10271882c6e86b

SHA512
842fb2df639e1378ea4fab21a46390580c6bd3fcf280799743abc68a1f5bd349fc726ec37510563b37387873c27174615502a2045e302af79c9ce38841170f9e

Download Submit
C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\Resources\Data\MapDesc1.dat

Filesize
6KB

MD5
44a191bb846c0ec64bfba2a424f34af5

SHA1
3de8929b5de5b176250c3331016663a7f00ff3f0

SHA256
4b7aa19e165e92cded38619e65d874f2424918fcd55a9ea674bd91d8e91f8b30

SHA512
86f66ed2859305f466dd392a2f1ec70b814168382ac6164bbc35a5d8487c4c60557a98e07070e1ab0088a965c7afce7868d3a682bbdb2e10ad63355b683f72c9

Download Submit
C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\data\NewopUI.pak

Filesize
3.6MB

MD5
243bc6c286582a3692a43e7bd9a34426

SHA1
7bb6def103fa9ac312d475c5dc6fe43fda993c41

SHA256
4b9209525355702ead983c8d309e3140a2bc2c09eaa5581ec1af6149f318c22a

SHA512
d6fcc4abcb7b7f1a4e7e7dc4fa7275ec773cff3e7bd55acee45c821b2e40ad9fe2ce52ff3927aa8bc79fb1c20eba142c6162d6013262f4b4ef145208f16ef06b

Download Submit
C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\À×ýˆ´«Ææ.exe

Filesize
11.1MB

MD5
13fd05cc8a20b364ea8c13995125ef2e

SHA1
1a736e7e356f211f6c363048b437a49c040dcd19

SHA256
c0c70ecf50371e2a20927c1c937c5f25ef4dd129a51a059a2c3164d9544c7988

SHA512
db6f678b3d0403260d1c5d8d59c8f8a115bc466113930d2cd1f0f65da1aa246a46a24c82808238bfb7092a45ade920f0d6de98ad813d08ea539fa7323eccd46f

Download Submit
C:\NEAS.63c282c25e7e2336eb1d36ef97d8b260\À×ýˆ´«Ææ.exe

Filesize
11.1MB

MD5
13fd05cc8a20b364ea8c13995125ef2e

SHA1
1a736e7e356f211f6c363048b437a49c040dcd19

SHA256
c0c70ecf50371e2a20927c1c937c5f25ef4dd129a51a059a2c3164d9544c7988

SHA512
db6f678b3d0403260d1c5d8d59c8f8a115bc466113930d2cd1f0f65da1aa246a46a24c82808238bfb7092a45ade920f0d6de98ad813d08ea539fa7323eccd46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\24a9fbba4e7f56a370a5e7e5cdeb2063.txt

Filesize
40B

MD5
5d02c66bb2ca214c79942a2e22734ec4

SHA1
000c8de5f3ffe7fae01173b3ae7932190763e4ea

SHA256
6dda91225c0b2c6e3813808f4443fa4f396c18309daca32cc0aec1dc6a2875f2

SHA512
e8bb3621e7e78ae8b1ecf2cfe0809489b93a78c00289124e24334b59aa99521ff3a516ebd8d8ffcd1d32617f8301bf9b0a3146b3c5094a725ab95452d5cc4432

Download Submit
C:\Users\Admin\AppData\Local\Temp\24a9fbba4e7f56a370a5e7e5cdeb2063.txt

Filesize
40B

MD5
5d02c66bb2ca214c79942a2e22734ec4

SHA1
000c8de5f3ffe7fae01173b3ae7932190763e4ea

SHA256
6dda91225c0b2c6e3813808f4443fa4f396c18309daca32cc0aec1dc6a2875f2

SHA512
e8bb3621e7e78ae8b1ecf2cfe0809489b93a78c00289124e24334b59aa99521ff3a516ebd8d8ffcd1d32617f8301bf9b0a3146b3c5094a725ab95452d5cc4432

Download Submit
C:\Users\Admin\AppData\Local\Temp\adbf6162cfe6fa7bea6c49e80780461e.ini

Filesize
7KB

MD5
2a8770dee3beef02b514facd14b787a0

SHA1
d69d4f60148df896cd97dc55d82c8ad1b694e7f4

SHA256
1aa6d85c0580322ae8373084f08b9f757a7f28bb0d64a0789b28dbaf62b3c85f

SHA512
23a40b5d6ca4981fe05c497e33d6e73ea301b4d06ee05595a4c479031531f7b2bde7084b64b4facf0ee668c818dd82e7ea3f58bdfed4d472e1ce7bba89903c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.dat

Filesize
75B

MD5
752d278f578d47dc58009686c5c3050e

SHA1
c13c1fa577a17018deba737f24e42acbf4cdb22d

SHA256
b6107cc2bd2449d88d3cfb2c4a8c1bdf9d6598c33d2f4120e6fc97cfc974df46

SHA512
bb99c05e3f2c0aef431ab4320cfbfaf6a6a88820ee51bc0cf3ca28613ad67e635a458f852534c0130e5fa6b36a8bf4ea836ed881ac0a093c1c6e67bfb1a08f94

Download Submit
C:\Users\Admin\Desktop\À×ýˆ´«Ææ.lnk

Filesize
853B

MD5
907be6689449aa4c2f35a0109820d58a

SHA1
9c0a5651d108e34c2111275ff9d1d72ccd71dcf4

SHA256
f91565978380394b972e6c5023f71549ec534113fa803d83ab1c85d60a16dc9b

SHA512
d77f9aa96ddb8c89a1d3466c0dc8e99230443dbd95037796a712d6cf345cf77c0fd5f5db3f74dcfd91820780c426f8cc7c3ffc838b85b98f18190e7b9923a066

Download Submit
memory/1952-13-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/1952-141-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/1952-142-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/1952-140-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/1952-148-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/1952-8-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/1952-14-0x0000000006670000-0x0000000006671000-memory.dmp

Filesize
4KB

Download
memory/4548-147-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/4548-155-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/4548-151-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/4548-314-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/4548-315-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/4548-327-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/5044-9-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/5044-1-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download
memory/5044-0-0x0000000000400000-0x0000000001C34000-memory.dmp

Filesize
24.2MB

Download