Overview

overview

10

Static

static

1

NEAS.3818c...30.exe

windows7-x64

10

NEAS.3818c...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    173s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    28/10/2023, 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.3818c107f33a83e67d6aa1c187e68330.exe

  • Size

    209KB

  • MD5

    3818c107f33a83e67d6aa1c187e68330

  • SHA1

    dda53fe23153da45d10bc9687402875b1eeb4679

  • SHA256

    dfaceba3c3270c15a1ccc040a0e94e60ae0e9f7f5147e6b34f744ad3dc2b028a

  • SHA512

    913a5d74c61116fc312ea777d751cd0cbea703eadc3bba8cee6972a76e78f23cf1dfdc1a5287729b43d7c7af0a5dcab31b883f256e3e21257fcf1a33b3facafa

  • SSDEEP

    3072:AQcjk9tVRNIcjb4Ryfjijjx14hdeCXHKPJFo9zpE7Di0X0JuLL+o7BlpF9e:AQh9tVRm2kh34hdeCkcG7DEALLlnN

Score
10/10
persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.3818c107f33a83e67d6aa1c187e68330.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.3818c107f33a83e67d6aa1c187e68330.exe"
    1⤵
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies WinLogon
      • Suspicious behavior: EnumeratesProcesses
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\AppPatch\svchost.exe
    Filesize

    209KB

    MD5

    2f308ba18eb75627e1d371e352014290

    SHA1

    83a39b76ce2875d6297e5306dafc5dcf1b616150

    SHA256

    66155ad73a82f84598729b33520745c0cdf9cfe022fd8e391e583c347359207e

    SHA512

    66ee716e87b9d72b8c9a2e6254a1e3ee4fe61eede0eecc22e6f76b5cb2b5aaf4c91fb993094312e221a84e325535cca93aa149aedf303b15f20b061d97b297f4

    Download Submit

  • C:\Windows\AppPatch\svchost.exe
    Filesize

    209KB

    MD5

    2f308ba18eb75627e1d371e352014290

    SHA1

    83a39b76ce2875d6297e5306dafc5dcf1b616150

    SHA256

    66155ad73a82f84598729b33520745c0cdf9cfe022fd8e391e583c347359207e

    SHA512

    66ee716e87b9d72b8c9a2e6254a1e3ee4fe61eede0eecc22e6f76b5cb2b5aaf4c91fb993094312e221a84e325535cca93aa149aedf303b15f20b061d97b297f4

    Download Submit

  • C:\Windows\apppatch\svchost.exe
    Filesize

    209KB

    MD5

    2f308ba18eb75627e1d371e352014290

    SHA1

    83a39b76ce2875d6297e5306dafc5dcf1b616150

    SHA256

    66155ad73a82f84598729b33520745c0cdf9cfe022fd8e391e583c347359207e

    SHA512

    66ee716e87b9d72b8c9a2e6254a1e3ee4fe61eede0eecc22e6f76b5cb2b5aaf4c91fb993094312e221a84e325535cca93aa149aedf303b15f20b061d97b297f4

    Download Submit

  • \Windows\AppPatch\svchost.exe
    Filesize

    209KB

    MD5

    2f308ba18eb75627e1d371e352014290

    SHA1

    83a39b76ce2875d6297e5306dafc5dcf1b616150

    SHA256

    66155ad73a82f84598729b33520745c0cdf9cfe022fd8e391e583c347359207e

    SHA512

    66ee716e87b9d72b8c9a2e6254a1e3ee4fe61eede0eecc22e6f76b5cb2b5aaf4c91fb993094312e221a84e325535cca93aa149aedf303b15f20b061d97b297f4

    Download Submit

  • \Windows\AppPatch\svchost.exe
    Filesize

    209KB

    MD5

    2f308ba18eb75627e1d371e352014290

    SHA1

    83a39b76ce2875d6297e5306dafc5dcf1b616150

    SHA256

    66155ad73a82f84598729b33520745c0cdf9cfe022fd8e391e583c347359207e

    SHA512

    66ee716e87b9d72b8c9a2e6254a1e3ee4fe61eede0eecc22e6f76b5cb2b5aaf4c91fb993094312e221a84e325535cca93aa149aedf303b15f20b061d97b297f4

    Download Submit

  • memory/2448-0-0x0000000000290000-0x00000000002E8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2448-1-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2448-16-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2448-14-0x0000000000290000-0x00000000002E8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2800-20-0x0000000000470000-0x00000000004FA000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2800-18-0x0000000000470000-0x00000000004FA000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2800-22-0x0000000000470000-0x00000000004FA000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2800-24-0x0000000000470000-0x00000000004FA000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2800-26-0x0000000000470000-0x00000000004FA000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2800-28-0x0000000000470000-0x00000000004FA000-memory.dmp

    Filesize

    552KB

    Download

  • memory/2800-30-0x0000000002050000-0x00000000020E9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2800-32-0x0000000002050000-0x00000000020E9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2800-34-0x0000000002050000-0x00000000020E9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2800-33-0x0000000002050000-0x00000000020E9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2800-17-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download

  • memory/2800-38-0x0000000002050000-0x00000000020E9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2800-39-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

    Download