88d57e024def61df913e1a6d208cdd8f8b33fb4ab92898538598faee6f53f48c

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2023 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.14969dd06b81f059e5afb3b48a5f1100.exe
Size

29KB
MD5

14969dd06b81f059e5afb3b48a5f1100
SHA1

45bdc1edf25f9e942317d64872a3391236850a17
SHA256

88d57e024def61df913e1a6d208cdd8f8b33fb4ab92898538598faee6f53f48c
SHA512

10f0ca92868c951d6d5ea2385d0b5bb10a830d593153b2f0ddbf34a410ad7968b12ca681b5571d8ebccbee1fe5f40dbcc4d71d028ce3c14538aa21aeacedd51a
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/8:AEwVs+0jNDY1qi/qk

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2784	services.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4828-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2784-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0007000000022d70-7.dat	upx
behavioral2/files/0x0007000000022d70-4.dat	upx
behavioral2/memory/4828-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2784-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2784-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2784-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2784-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2784-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2784-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2784-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2784-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2784-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0009000000022c87-55.dat	upx
behavioral2/memory/4828-90-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2784-97-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4828-124-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2784-130-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4828-181-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2784-187-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4828-240-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2784-241-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4828-280-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2784-281-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4828-334-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2784-335-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.14969dd06b81f059e5afb3b48a5f1100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.14969dd06b81f059e5afb3b48a5f1100.exe
File opened for modification	C:\Windows\java.exe	NEAS.14969dd06b81f059e5afb3b48a5f1100.exe
File created	C:\Windows\java.exe	NEAS.14969dd06b81f059e5afb3b48a5f1100.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 2784	4828	NEAS.14969dd06b81f059e5afb3b48a5f1100.exe	82
PID 4828 wrote to memory of 2784	4828	NEAS.14969dd06b81f059e5afb3b48a5f1100.exe	82
PID 4828 wrote to memory of 2784	4828	NEAS.14969dd06b81f059e5afb3b48a5f1100.exe	82

C:\Users\Admin\AppData\Local\Temp\NEAS.14969dd06b81f059e5afb3b48a5f1100.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.14969dd06b81f059e5afb3b48a5f1100.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2JBMCFQZ\default[2].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T0U3BIO\default[2].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5T0U3BIO\default[3].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MKS56Y3I\default[3].htm

Filesize
303B

MD5
6a0f569150af2b9f0db7444703c27a68

SHA1
69591c4c6e85d710d5bf89c4b6330d813bf24eb9

SHA256
4dd9d1b48bef8fbd32a979c93141c60683c30da136fc0a58c69970ca78dd9878

SHA512
e1c71ab22237b98603a57b3949329b242663c6d369c7ea1a2f17b05b673eb991b1890474a131fc424b921dfb26dc06acfff5df7400186d2491785c6ac420d05f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PR01V9ZG\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvusw0miTg.log

Filesize
256B

MD5
ef1fa4bb761cb6dc1e9cb375aa25da89

SHA1
629a305f6c635a08882328b2104955c38ea700a2

SHA256
045248e8b4bd2f0539acce6d49a0ee4cc76189e4c949a95a034305abb076ad74

SHA512
a9a95627d28176b6f61087f54a603943cfccc6c2ab730bcdb3425c344d0ed53a06521a67b1ca537f0b7f568bf0e850e1923291019bff86d70cbb4b6c2bfc96dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6673.tmp

Filesize
29KB

MD5
9afadeef2fdbb8a2bc51bb5056d33edc

SHA1
97b46cabfd69ee8b3a9286774282b49914da2c9a

SHA256
3fd95b8aa267a39a17c26555d4a3957d19ca08a5dcc310955a0bdf7ffc023f17

SHA512
0b56cd6a132af7ceddfc846600bb3294783681757c69fc12c75bacf002a1e9307414ffeea50b983d74cf3fa3ed5eac3decc846eb0a4f53d8fa94a198004917fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
0861e6d85e20386e343909ce625a46ff

SHA1
e48db7806182f98312993f85faf3265bcf6d91be

SHA256
4f9109a5b926ccc4a8d5d8baf811ff287599d53b3efbf2c9936ff492b4413813

SHA512
3cb79e56a3b3c489a42ceb1dcf33578199fc9159c30157a062650568ccdde9831dafe7eb7bdc0f17f3c755aa23859d8520949ec6345ea1be92612fe8248de5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
f39f4b08d90e3a3fb904281c8a401c75

SHA1
b9f18cb37b3f60869f661fa332b60316c5bd42ec

SHA256
9d4f5ab484f2fc848a45bf8b9e88d46070ac7fdf7c74435ef8074c7288eb0b42

SHA512
e733ebb152a7cf852b866b44dcd4e13a5a9d3868c46370b844844861da6cff05489bb8a9261ce47e2435426fc75eb7c4f8b7350e369d8a0f8c8213b744914684

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2784-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-335-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-241-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-97-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-130-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-281-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-187-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4828-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4828-240-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4828-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4828-280-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4828-181-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4828-124-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4828-334-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4828-90-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads