e42732a354b69e525fc99e4dc202c03b5483f2b96545f607a1a6dd8fed8d3edf

General

Target

NEAS.fd5a5bdcee764c8c0be27c43639da7b0.exe
Size

1.4MB
MD5

fd5a5bdcee764c8c0be27c43639da7b0
SHA1

015caf1a61d72fd22303280cf1ea6530d1379eb5
SHA256

e42732a354b69e525fc99e4dc202c03b5483f2b96545f607a1a6dd8fed8d3edf
SHA512

25e5360853cc4f6df3b6174a691acf63ac9457a284e69c7b3c671f6172a33e5ab2c1774b36f37a17a77e1a8168920c0d4c322630ffd913b2a40292bdc2f66c35
SSDEEP

24576:H8Pq4bAtH7I95KI7JnC3WIKVQMPn4mvwNWGL0403Q15gI:cTMtbZI7+WaMfwNWGLUcL

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2764	Install.exe

Loads dropped DLL 3 IoCs

pid	Process
2780	NEAS.fd5a5bdcee764c8c0be27c43639da7b0.exe
2764	Install.exe
2764	Install.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2780-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2780-30-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2764	Install.exe
2764	Install.exe
2764	Install.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2764	Install.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2764	2780	NEAS.fd5a5bdcee764c8c0be27c43639da7b0.exe	29
PID 2780 wrote to memory of 2764	2780	NEAS.fd5a5bdcee764c8c0be27c43639da7b0.exe	29
PID 2780 wrote to memory of 2764	2780	NEAS.fd5a5bdcee764c8c0be27c43639da7b0.exe	29
PID 2780 wrote to memory of 2764	2780	NEAS.fd5a5bdcee764c8c0be27c43639da7b0.exe	29
PID 2780 wrote to memory of 2764	2780	NEAS.fd5a5bdcee764c8c0be27c43639da7b0.exe	29
PID 2780 wrote to memory of 2764	2780	NEAS.fd5a5bdcee764c8c0be27c43639da7b0.exe	29
PID 2780 wrote to memory of 2764	2780	NEAS.fd5a5bdcee764c8c0be27c43639da7b0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.fd5a5bdcee764c8c0be27c43639da7b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fd5a5bdcee764c8c0be27c43639da7b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
625KB

MD5
cd408824c03800c3c3a2d4c3b99c4344

SHA1
5a3495a1b61886a520e528114f4ac7f167158281

SHA256
7f3d572d7a2d3c2268144b756997897fdb74b4588e607848c40334a8c68d92ec

SHA512
b10442781ca04537400a551462f4df7025526390513d1de60251e80815da967bb7e783a8ec2db6a448b68c86c6b2d9b6662c76026a6757a4eefea012ea2536a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
625KB

MD5
cd408824c03800c3c3a2d4c3b99c4344

SHA1
5a3495a1b61886a520e528114f4ac7f167158281

SHA256
7f3d572d7a2d3c2268144b756997897fdb74b4588e607848c40334a8c68d92ec

SHA512
b10442781ca04537400a551462f4df7025526390513d1de60251e80815da967bb7e783a8ec2db6a448b68c86c6b2d9b6662c76026a6757a4eefea012ea2536a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
625KB

MD5
cd408824c03800c3c3a2d4c3b99c4344

SHA1
5a3495a1b61886a520e528114f4ac7f167158281

SHA256
7f3d572d7a2d3c2268144b756997897fdb74b4588e607848c40334a8c68d92ec

SHA512
b10442781ca04537400a551462f4df7025526390513d1de60251e80815da967bb7e783a8ec2db6a448b68c86c6b2d9b6662c76026a6757a4eefea012ea2536a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\NetPanel.ini

Filesize
341B

MD5
3a4fb57e3f17f174d4161ba7bfa3f671

SHA1
02406720bcce101b5ab1bd93ce6f65c7384dd816

SHA256
a7c8fa3c7a5857cb29cff2cd497fef9a9427d1d57b50f9e7982ab742aeebfdf7

SHA512
b32b93e117d02005a217e672ae262cca8224d4c6c207ad67430d67f8ed1a5febd642b8d3c8e2a48d2a25bda3a753494a7d1de90bfbced84d3199773308bcdd88

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
625KB

MD5
cd408824c03800c3c3a2d4c3b99c4344

SHA1
5a3495a1b61886a520e528114f4ac7f167158281

SHA256
7f3d572d7a2d3c2268144b756997897fdb74b4588e607848c40334a8c68d92ec

SHA512
b10442781ca04537400a551462f4df7025526390513d1de60251e80815da967bb7e783a8ec2db6a448b68c86c6b2d9b6662c76026a6757a4eefea012ea2536a4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
625KB

MD5
cd408824c03800c3c3a2d4c3b99c4344

SHA1
5a3495a1b61886a520e528114f4ac7f167158281

SHA256
7f3d572d7a2d3c2268144b756997897fdb74b4588e607848c40334a8c68d92ec

SHA512
b10442781ca04537400a551462f4df7025526390513d1de60251e80815da967bb7e783a8ec2db6a448b68c86c6b2d9b6662c76026a6757a4eefea012ea2536a4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
625KB

MD5
cd408824c03800c3c3a2d4c3b99c4344

SHA1
5a3495a1b61886a520e528114f4ac7f167158281

SHA256
7f3d572d7a2d3c2268144b756997897fdb74b4588e607848c40334a8c68d92ec

SHA512
b10442781ca04537400a551462f4df7025526390513d1de60251e80815da967bb7e783a8ec2db6a448b68c86c6b2d9b6662c76026a6757a4eefea012ea2536a4

Download Submit
memory/2780-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2780-1-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/2780-2-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/2780-30-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2780-31-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/2780-32-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/2780-33-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing