Analysis
-
max time kernel
159s -
max time network
196s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
28/10/2023, 20:17
General
-
Target
NEAS.ed12820a7dac16bd3bc576d2f507aa40.exe
-
Size
1.5MB
-
MD5
ed12820a7dac16bd3bc576d2f507aa40
-
SHA1
34785deca8a2a67ac899fcc3f5db80a52570fc72
-
SHA256
1aad11bb3d9ac908162d2386ce3d6025dfeeb3b4c83466b3261825f4133b4b09
-
SHA512
ea5524319438f385e47d861e56225cee1e0f8bed95007716c590483c2f9f54a6170806e2d3c0206bd2de7fc4df26cb713c2e6d13655c1a1436413646f7b27095
-
SSDEEP
12288:Ts69JfPbWGRdA6sQxuEuZH8WF50+OJ3BHCXwpnsKvNA+XTvZHWuEo3oWB+:TF9JzecI50+YNpsKv2EvZHp3oWB+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ed12820a7dac16bd3bc576d2f507aa40.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ed12820a7dac16bd3bc576d2f507aa40.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Iadljc32.exeC:\Windows\system32\Iadljc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lkflpe32.exeC:\Windows\system32\Lkflpe32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mfeccm32.exeC:\Windows\system32\Mfeccm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mcnmhpoj.exeC:\Windows\system32\Mcnmhpoj.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Njokei32.exeC:\Windows\system32\Njokei32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Omnqhbap.exeC:\Windows\system32\Omnqhbap.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Pbmffi32.exeC:\Windows\system32\Pbmffi32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ajjcoqdl.exeC:\Windows\system32\Ajjcoqdl.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Bckknd32.exeC:\Windows\system32\Bckknd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dqigee32.exeC:\Windows\system32\Dqigee32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fjbddh32.exeC:\Windows\system32\Fjbddh32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ghdaokfe.exeC:\Windows\system32\Ghdaokfe.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Haclio32.exeC:\Windows\system32\Haclio32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hlmiagbo.exeC:\Windows\system32\Hlmiagbo.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Idbalhho.exeC:\Windows\system32\Idbalhho.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Jookjpam.exeC:\Windows\system32\Jookjpam.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Kkooep32.exeC:\Windows\system32\Kkooep32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lkchpoka.exeC:\Windows\system32\Lkchpoka.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Micheb32.exeC:\Windows\system32\Micheb32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ofjokc32.exeC:\Windows\system32\Ofjokc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Pmdpok32.exeC:\Windows\system32\Pmdpok32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Qipjokik.exeC:\Windows\system32\Qipjokik.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aifpoj32.exeC:\Windows\system32\Aifpoj32.exe24⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Boaeioej.exeC:\Windows\system32\Boaeioej.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bodano32.exeC:\Windows\system32\Bodano32.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Dqomdppm.exeC:\Windows\system32\Dqomdppm.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Dmhkoaco.exeC:\Windows\system32\Dmhkoaco.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Emoaopnf.exeC:\Windows\system32\Emoaopnf.exe5⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Eglkmh32.exeC:\Windows\system32\Eglkmh32.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fanbll32.exeC:\Windows\system32\Fanbll32.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gndpkp32.exeC:\Windows\system32\Gndpkp32.exe8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gplbcgbg.exeC:\Windows\system32\Gplbcgbg.exe9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hmdlhk32.exeC:\Windows\system32\Hmdlhk32.exe10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ikdlmmbh.exeC:\Windows\system32\Ikdlmmbh.exe11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iodaikfl.exeC:\Windows\system32\Iodaikfl.exe12⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kpkqbq32.exeC:\Windows\system32\Kpkqbq32.exe13⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Lhgbomfo.exeC:\Windows\system32\Lhgbomfo.exe14⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nbfeoohe.exeC:\Windows\system32\Nbfeoohe.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Pngbam32.exeC:\Windows\system32\Pngbam32.exe16⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qlkbka32.exeC:\Windows\system32\Qlkbka32.exe17⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Befmpdmq.exeC:\Windows\system32\Befmpdmq.exe18⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bhibgo32.exeC:\Windows\system32\Bhibgo32.exe19⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Cpgqik32.exeC:\Windows\system32\Cpgqik32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Eplckh32.exeC:\Windows\system32\Eplckh32.exe21⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Emhmkh32.exeC:\Windows\system32\Emhmkh32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fqhbgf32.exeC:\Windows\system32\Fqhbgf32.exe23⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Gbcaemdg.exeC:\Windows\system32\Gbcaemdg.exe24⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Gmkbgf32.exeC:\Windows\system32\Gmkbgf32.exe25⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hjeiai32.exeC:\Windows\system32\Hjeiai32.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hjjbmhfg.exeC:\Windows\system32\Hjjbmhfg.exe27⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Ipldpo32.exeC:\Windows\system32\Ipldpo32.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jabgkpad.exeC:\Windows\system32\Jabgkpad.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pkebekgo.exeC:\Windows\system32\Pkebekgo.exe30⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qgalelin.exeC:\Windows\system32\Qgalelin.exe31⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Acmfel32.exeC:\Windows\system32\Acmfel32.exe32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Baepjpea.exeC:\Windows\system32\Baepjpea.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Clknnf32.exeC:\Windows\system32\Clknnf32.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Dogfkpih.exeC:\Windows\system32\Dogfkpih.exe35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Eedkniob.exeC:\Windows\system32\Eedkniob.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ehddpdlc.exeC:\Windows\system32\Ehddpdlc.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ehgqed32.exeC:\Windows\system32\Ehgqed32.exe38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Flnlaahl.exeC:\Windows\system32\Flnlaahl.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Goabhl32.exeC:\Windows\system32\Goabhl32.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hoakpi32.exeC:\Windows\system32\Hoakpi32.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jfaenqjm.exeC:\Windows\system32\Jfaenqjm.exe42⤵
-
C:\Windows\SysWOW64\Jcefgeif.exeC:\Windows\system32\Jcefgeif.exe43⤵
-
C:\Windows\SysWOW64\Jlpklg32.exeC:\Windows\system32\Jlpklg32.exe44⤵
-
C:\Windows\SysWOW64\Jmpgfjmd.exeC:\Windows\system32\Jmpgfjmd.exe45⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kmbdkj32.exeC:\Windows\system32\Kmbdkj32.exe46⤵
-
C:\Windows\SysWOW64\Kemhpl32.exeC:\Windows\system32\Kemhpl32.exe47⤵
-
C:\Windows\SysWOW64\Kdnincal.exeC:\Windows\system32\Kdnincal.exe48⤵
-
C:\Windows\SysWOW64\Kikafjoc.exeC:\Windows\system32\Kikafjoc.exe49⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Kfoapo32.exeC:\Windows\system32\Kfoapo32.exe50⤵
-
C:\Windows\SysWOW64\Lpnlicne.exeC:\Windows\system32\Lpnlicne.exe51⤵
-
C:\Windows\SysWOW64\Lmdihgkl.exeC:\Windows\system32\Lmdihgkl.exe52⤵
-
C:\Windows\SysWOW64\Lepnli32.exeC:\Windows\system32\Lepnli32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Mgokflpj.exeC:\Windows\system32\Mgokflpj.exe54⤵
-
C:\Windows\SysWOW64\Mcfkkmeo.exeC:\Windows\system32\Mcfkkmeo.exe55⤵
-
C:\Windows\SysWOW64\Mckefmai.exeC:\Windows\system32\Mckefmai.exe56⤵
-
C:\Windows\SysWOW64\Mpoepa32.exeC:\Windows\system32\Mpoepa32.exe57⤵
-
C:\Windows\SysWOW64\Meknhh32.exeC:\Windows\system32\Meknhh32.exe58⤵
-
C:\Windows\SysWOW64\Nconal32.exeC:\Windows\system32\Nconal32.exe59⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Opmaaodc.exeC:\Windows\system32\Opmaaodc.exe60⤵
-
C:\Windows\SysWOW64\Ogkcihgj.exeC:\Windows\system32\Ogkcihgj.exe61⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Pfcmpdjp.exeC:\Windows\system32\Pfcmpdjp.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Qjjhla32.exeC:\Windows\system32\Qjjhla32.exe63⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Qcbmegol.exeC:\Windows\system32\Qcbmegol.exe64⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Anjngp32.exeC:\Windows\system32\Anjngp32.exe65⤵
-
C:\Windows\SysWOW64\Agcbqecp.exeC:\Windows\system32\Agcbqecp.exe66⤵
-
C:\Windows\SysWOW64\Ampkil32.exeC:\Windows\system32\Ampkil32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Ambgnl32.exeC:\Windows\system32\Ambgnl32.exe68⤵
-
C:\Windows\SysWOW64\Afmhma32.exeC:\Windows\system32\Afmhma32.exe69⤵
-
C:\Windows\SysWOW64\Bfoebq32.exeC:\Windows\system32\Bfoebq32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Bccfleqi.exeC:\Windows\system32\Bccfleqi.exe71⤵
-
C:\Windows\SysWOW64\Bjmnho32.exeC:\Windows\system32\Bjmnho32.exe72⤵
-
C:\Windows\SysWOW64\Bcebadof.exeC:\Windows\system32\Bcebadof.exe73⤵
-
C:\Windows\SysWOW64\Bjddinbn.exeC:\Windows\system32\Bjddinbn.exe74⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Celelf32.exeC:\Windows\system32\Celelf32.exe75⤵
-
C:\Windows\SysWOW64\Cagolf32.exeC:\Windows\system32\Cagolf32.exe76⤵
-
C:\Windows\SysWOW64\Dajlafon.exeC:\Windows\system32\Dajlafon.exe77⤵
-
C:\Windows\SysWOW64\Edhado32.exeC:\Windows\system32\Edhado32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Egijfjmp.exeC:\Windows\system32\Egijfjmp.exe79⤵
-
C:\Windows\SysWOW64\Edmjpoli.exeC:\Windows\system32\Edmjpoli.exe80⤵
-
C:\Windows\SysWOW64\Fobomglo.exeC:\Windows\system32\Fobomglo.exe81⤵
-
C:\Windows\SysWOW64\Gddigk32.exeC:\Windows\system32\Gddigk32.exe82⤵
-
C:\Windows\SysWOW64\Hbhjqp32.exeC:\Windows\system32\Hbhjqp32.exe83⤵
-
C:\Windows\SysWOW64\Hgebif32.exeC:\Windows\system32\Hgebif32.exe84⤵
-
C:\Windows\SysWOW64\Hkckoe32.exeC:\Windows\system32\Hkckoe32.exe85⤵
-
C:\Windows\SysWOW64\Hoadecal.exeC:\Windows\system32\Hoadecal.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Hdnlmj32.exeC:\Windows\system32\Hdnlmj32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Hkhdjdgq.exeC:\Windows\system32\Hkhdjdgq.exe88⤵
-
C:\Windows\SysWOW64\Igabdekb.exeC:\Windows\system32\Igabdekb.exe89⤵
-
C:\Windows\SysWOW64\Ibffbnjh.exeC:\Windows\system32\Ibffbnjh.exe90⤵
-
C:\Windows\SysWOW64\Mojhphij.exeC:\Windows\system32\Mojhphij.exe91⤵
-
C:\Windows\SysWOW64\Miomnaip.exeC:\Windows\system32\Miomnaip.exe92⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Mpiejkql.exeC:\Windows\system32\Mpiejkql.exe93⤵
-
C:\Windows\SysWOW64\Mhdjonng.exeC:\Windows\system32\Mhdjonng.exe94⤵
-
C:\Windows\SysWOW64\Nifcnpch.exeC:\Windows\system32\Nifcnpch.exe95⤵
-
C:\Windows\SysWOW64\Nohdaf32.exeC:\Windows\system32\Nohdaf32.exe96⤵
-
C:\Windows\SysWOW64\Nimioo32.exeC:\Windows\system32\Nimioo32.exe97⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Nojagf32.exeC:\Windows\system32\Nojagf32.exe98⤵
-
C:\Windows\SysWOW64\Nipedokm.exeC:\Windows\system32\Nipedokm.exe99⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Oeffip32.exeC:\Windows\system32\Oeffip32.exe100⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Oplkgi32.exeC:\Windows\system32\Oplkgi32.exe101⤵
-
C:\Windows\SysWOW64\Bqdbec32.exeC:\Windows\system32\Bqdbec32.exe102⤵
-
C:\Windows\SysWOW64\Bgnkamef.exeC:\Windows\system32\Bgnkamef.exe103⤵
-
C:\Windows\SysWOW64\Bqfokblg.exeC:\Windows\system32\Bqfokblg.exe104⤵
-
C:\Windows\SysWOW64\Bfchcijo.exeC:\Windows\system32\Bfchcijo.exe105⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Bqhlpbjd.exeC:\Windows\system32\Bqhlpbjd.exe106⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Bjaqih32.exeC:\Windows\system32\Bjaqih32.exe107⤵
-
C:\Windows\SysWOW64\Capbaacl.exeC:\Windows\system32\Capbaacl.exe108⤵
-
C:\Windows\SysWOW64\Cafhap32.exeC:\Windows\system32\Cafhap32.exe109⤵
-
C:\Windows\SysWOW64\Dgqqnjea.exeC:\Windows\system32\Dgqqnjea.exe110⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Dmmifaci.exeC:\Windows\system32\Dmmifaci.exe111⤵
-
C:\Windows\SysWOW64\Dgcmdj32.exeC:\Windows\system32\Dgcmdj32.exe112⤵
-
C:\Windows\SysWOW64\Dmpfla32.exeC:\Windows\system32\Dmpfla32.exe113⤵
-
C:\Windows\SysWOW64\Dhejij32.exeC:\Windows\system32\Dhejij32.exe114⤵
-
C:\Windows\SysWOW64\Dmbbaq32.exeC:\Windows\system32\Dmbbaq32.exe115⤵
-
C:\Windows\SysWOW64\Dhgfoioi.exeC:\Windows\system32\Dhgfoioi.exe116⤵
-
C:\Windows\SysWOW64\Dmdogpmq.exeC:\Windows\system32\Dmdogpmq.exe117⤵
-
C:\Windows\SysWOW64\Dfmcpf32.exeC:\Windows\system32\Dfmcpf32.exe118⤵
-
C:\Windows\SysWOW64\Dpehikja.exeC:\Windows\system32\Dpehikja.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Einmaaqb.exeC:\Windows\system32\Einmaaqb.exe120⤵
-
C:\Windows\SysWOW64\Ehomph32.exeC:\Windows\system32\Ehomph32.exe121⤵
- Drops file in System32 directory
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-