a25a7bc4a616bd221efd1b5acefdd7555064563700ed1c0dee54c778dad0046f

General

Target

NEAS.4a2d7540938fb35bcfef300d251b97e0.exe
Size

29KB
MD5

4a2d7540938fb35bcfef300d251b97e0
SHA1

2c843f2bf8a31520f7b0d77a29c3958ffb7a8363
SHA256

a25a7bc4a616bd221efd1b5acefdd7555064563700ed1c0dee54c778dad0046f
SHA512

5c9e9472e612ccdb10020f438d45bc0db11783e438a6d5afed38401e4acae7c003c576edb215ff0f168cbadffcb1acbc7154dec84e4603e9ed3f0c31611d03f0
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Cx:AEwVs+0jNDY1qi/qy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4836	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1728-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1728-3-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000022da9-7.dat	upx
behavioral2/files/0x0008000000022da9-6.dat	upx
behavioral2/memory/4836-9-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1728-15-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4836-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4836-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4836-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4836-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4836-29-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4836-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4836-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4836-41-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4836-46-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4836-51-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1728-52-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4836-53-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1728-68-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4836-69-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0007000000022df6-70.dat	upx
behavioral2/memory/1728-84-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4836-87-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1728-88-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4836-89-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.4a2d7540938fb35bcfef300d251b97e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	NEAS.4a2d7540938fb35bcfef300d251b97e0.exe
File created	C:\Windows\services.exe	NEAS.4a2d7540938fb35bcfef300d251b97e0.exe
File opened for modification	C:\Windows\java.exe	NEAS.4a2d7540938fb35bcfef300d251b97e0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 4836	1728	NEAS.4a2d7540938fb35bcfef300d251b97e0.exe	88
PID 1728 wrote to memory of 4836	1728	NEAS.4a2d7540938fb35bcfef300d251b97e0.exe	88
PID 1728 wrote to memory of 4836	1728	NEAS.4a2d7540938fb35bcfef300d251b97e0.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.4a2d7540938fb35bcfef300d251b97e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4a2d7540938fb35bcfef300d251b97e0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\94U8peojbc.log

Filesize
256B

MD5
2587548fa7ca4972884e22704f5841ca

SHA1
e6d418dd0c39665920ab6fd5a9aa63aa5d18cd6d

SHA256
4cc86e4a4b1413da7d0275640ceb85bd921c72df56124e830fc02d5343ac0567

SHA512
f0e9952141b682c8624143a64be41d96289e82f5dd4ccbc7c5d90b6ac51ef8e5a17a0ede6dbfa5fbfc6fc016dd958bfad032c9b9bbb05a68c6fe76ab14b58bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F92.tmp

Filesize
29KB

MD5
3754960e32cef43f9fd56381783a79f1

SHA1
5bc5e6b302c14c620623dd2b0dea6701c5516e44

SHA256
32d3cf65cf5a3fde3a55dc6791dbd73ca8c3f0d89af6313b27ee3835e266152e

SHA512
0646d0e4988419c9de4e29d9b2d7e2675aa0d97fa59c73152776a2d533d4b81bfa10a5ce74cfad6025d2e0f4f6609a536184a881ece0851d938433c55ab7f5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
f094930fa554a2eb01d8a1d44dc7927b

SHA1
9cb751d5eae0e9b9008c2faa84b30098d3c70daa

SHA256
777a583b3d5e7f7d764a0aaea0c065c1285eba228384fd985d026b1cb21d21af

SHA512
41b75d620ca5fc829e38952dec095ea2021f90b11e78fb86747736ed0f7c5afd99272f58472209e249c48913102dd2d4b23316964da34fef86469b6b83687373

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
17f3e25d44636ffba5644557bcd027af

SHA1
3c8612671a2bc343c85e05556c6bc40ce2f2c135

SHA256
3046185e7e780ad83207bef993ac3ca7b6a56e8d917ac3fd7f3a04d157b4b1a5

SHA512
69dd9db179a515f76953c5d02f355b8c15711c887f72d7f155afc450b50b8e14dca0ef257c29d4aef1a28381864822c7401d38252040f72a1a4e3bb9abe307b1

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1728-15-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1728-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1728-84-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1728-88-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1728-68-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1728-3-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1728-52-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4836-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-29-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-46-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-51-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-53-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-89-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads