6161187759215e0bb50f68d53dc26520c8f5f30a1088946db9e5155ea5bedf0a

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Size

404KB
MD5

a884d2c2fd006eb7168721953418c6e0
SHA1

65b01a8a2b947fd0067ff249b5642dc80b3570b7
SHA256

6161187759215e0bb50f68d53dc26520c8f5f30a1088946db9e5155ea5bedf0a
SHA512

a82c42b54632ebbf93c8520e5f028f9db6239258d6c3b40faeacb93686debd44d2727df6bfa233db0cd1be94b517c4d164b6c39c1d3547e09172cf5ac0922515
SSDEEP

6144:82f5/Sw05oppA9nxNEzWBGR+7wwlmP5MSqlAldaLvNkX:Hu5oppOnxqSBGc7i5MNQaLvN+

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	NEAS.a884d2c2fd006eb7168721953418c6e0.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4816-0-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4816-14-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "0"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4816-14-0x0000000000400000-0x00000000004B7000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1606980848-1085031214-2146881839-500\Control Panel\Desktop	NEAS.a884d2c2fd006eb7168721953418c6e0.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://www.9196.com"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.9196.com"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Main	Regini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Regini.exe
Key created	\REGISTRY\USER\S-1-5-21-1606980848-1085031214-2146881839-500\Software\Microsoft\Internet Explorer\Main	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\USER\S-1-5-21-746137067-179605362-1417001333-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.9196.com"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.9196.com"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_Url = "http://www.9196.com"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Regini.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Main	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Secondary Start Pages	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Secondary Start Pages	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001b0002004e0000000100000020070000320200000500000062050000260000000200000021070000c90100000700000020050000d701000004000000210100000a02000003000000280300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a0434d72850dd411990800400523e39a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\Main	Regini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://www.9196.com"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Bar = "http://www.9196.com"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_Url = "http://www.9196.com"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.9196.com"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.9196.com"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\USER\.DEFAULT	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam	NEAS.a884d2c2fd006eb7168721953418c6e0.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ppstream\URL Protocol	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8DD6C641-98CB-11D1-9846-00A024CFEF6D}\InprocServer32	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8DD6C641-98CB-11D1-9846-00A024CFEF6D}\InprocServer32\ = "D:\\Program Files\\Pure Codec\\Codecs\\l3codecx.ax"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB84-524F-11CE-9F53-0020AF0BA770}	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rm	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38BE3002-DBF4-11D0-860E-00A024CFEF6D}	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\PersistentHandler	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.ARJ	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.img	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\HTTPS\SHELL\OPEN\COMMAND	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.FLAC\SHELLEX\{E357FCCD-A995-4576-B01F-234630154E96}	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MHTMLFILE\DEFAULTICON	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\HTTP\DEFAULTICON	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MHTMLFILE\SHELL\OPEN\COMMAND	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\APPLICATION/X-COMPRESSED	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.FLAC\OPENWITHPROGIDS	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\PersistentHandler	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.IMG\OPENWITHPROGIDS	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\APPLICATION/X-GZIP	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\APPLICATION/X-TAR	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmvb\ = "pureplay.rmvb"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MHTMLFILE\CLSID	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp3	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\HTTP\SHELL\OPEN\COMMAND	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pps\URL Protocol	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\AUDIO/AIFF	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtm	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MHTMLFILE\SHELL\OPENNEW\COMMAND	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\AUDIO/X-AIFF	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38BE3000-DBF4-11D0-860E-00A024CFEF6D}\InprocServer32	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{e436eb83-524f-11ce-9f53-0020af0ba770}\{E436EB84-524F-11CE-9F53-0020AF0BA770}	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pps	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wma	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ppstream	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.SHTM\PERSISTENTHANDLER	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.asf\ = "pureplay.asf"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pps\ = "PPS²¥·ÅÐ\u00adÒé"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\PersistentHandler	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\AUDIO/X-MIDI	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rm\ = "pureplay.rm"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmv\ = "pureplay.wmv"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\PersistentHandler	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\AUDIO/X-MID	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\AUDIO/X-MPEG	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wma\ = "Audio.wma"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.FLAC\SHELLEX\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\.CUE	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ape	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38BE3001-DBF4-11D0-860E-00A024CFEF6D}\InprocServer32\ = "D:\\Program Files\\Pure Codec\\Codecs\\l3codecx.ax"	NEAS.a884d2c2fd006eb7168721953418c6e0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe
4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 4288	4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe	90
PID 4816 wrote to memory of 4288	4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe	90
PID 4816 wrote to memory of 4288	4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe	90
PID 4816 wrote to memory of 4436	4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe	92
PID 4816 wrote to memory of 4436	4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe	92
PID 4816 wrote to memory of 4436	4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe	92
PID 4816 wrote to memory of 2464	4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe	94
PID 4816 wrote to memory of 2464	4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe	94
PID 4816 wrote to memory of 2464	4816	NEAS.a884d2c2fd006eb7168721953418c6e0.exe	94

C:\Users\Admin\AppData\Local\Temp\NEAS.a884d2c2fd006eb7168721953418c6e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a884d2c2fd006eb7168721953418c6e0.exe"
1⤵
- Modifies firewall policy service
- Modifies WinLogon
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\Regini.exe
  Regini.exe "C:\regset.ini"
  2⤵
  - Modifies Internet Explorer settings
  PID:4288
- C:\Windows\SysWOW64\Regini.exe
  Regini.exe "C:\regset.ini"
  2⤵
  - Modifies Internet Explorer settings
  PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del /s/q/f "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\*Internet*"
  2⤵
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\regset.ini

Filesize
129B

MD5
c5a81066ba5a4a563326adcd11b234ba

SHA1
a21014625af27937423716eb7cb33fae8a5d9e69

SHA256
6e364e01cf670e3ddae57e24492461a2a28205b7679e8523b910cb5600157be5

SHA512
669f77338ebabb3af467afdc9532faa70c997974ad1f8cbab80257ca14a01bc38dc608c565f5c4de3ad8f39fe2cd4a4abfbddf76547a9db2cec6dd480fabcc73

Download Submit
C:\regset.ini

Filesize
129B

MD5
8e4d200f3e0fd48f439d2266e245c5aa

SHA1
1a647a87097d4654c70a01488bcfe8516b924e62

SHA256
580c1711600f3d5be14fad53b133f73c121bbd035de277e39936d576ac9c6dbd

SHA512
bc91186ea542b97685a133e236814ae68f6c4540cbcf76f991055b82c133357359b8b2b4632162e79f71badd122cfe108478eeb9a25401938d1e3e375d3d3b10

Download Submit
memory/4816-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4816-14-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download