45e88f2c225fa54e8a1ba46439b3ecc94f76d98b95273a6f6522d37950141cf2

General

Target

NEAS.6648dd6e742ccfdcfbb52c3bb20eab40.exe
Size

592KB
MD5

6648dd6e742ccfdcfbb52c3bb20eab40
SHA1

d63ffc1e4f031c5677dc350cefda04a56ce9e634
SHA256

45e88f2c225fa54e8a1ba46439b3ecc94f76d98b95273a6f6522d37950141cf2
SHA512

4e8aa16ffb408c4137574f9abce92cb429da3d6257052b40ecb518a24b18a69c3221671b3f5c0f8dfdeae60b4d308b8f60c969d308f07f0d8b4bf37b6f7ae7a9
SSDEEP

12288:y8Cmd8IvTnO5OzFugWiKCtPwMFmtUTbERkeJ:y8PNKAF/PwHKQRtJ

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2656	Install.exe

Loads dropped DLL 3 IoCs

pid	Process
2168	NEAS.6648dd6e742ccfdcfbb52c3bb20eab40.exe
2656	Install.exe
2656	Install.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2168-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2168-31-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2656	Install.exe
2656	Install.exe
2656	Install.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2656	Install.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2656	2168	NEAS.6648dd6e742ccfdcfbb52c3bb20eab40.exe	28
PID 2168 wrote to memory of 2656	2168	NEAS.6648dd6e742ccfdcfbb52c3bb20eab40.exe	28
PID 2168 wrote to memory of 2656	2168	NEAS.6648dd6e742ccfdcfbb52c3bb20eab40.exe	28
PID 2168 wrote to memory of 2656	2168	NEAS.6648dd6e742ccfdcfbb52c3bb20eab40.exe	28
PID 2168 wrote to memory of 2656	2168	NEAS.6648dd6e742ccfdcfbb52c3bb20eab40.exe	28
PID 2168 wrote to memory of 2656	2168	NEAS.6648dd6e742ccfdcfbb52c3bb20eab40.exe	28
PID 2168 wrote to memory of 2656	2168	NEAS.6648dd6e742ccfdcfbb52c3bb20eab40.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.6648dd6e742ccfdcfbb52c3bb20eab40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6648dd6e742ccfdcfbb52c3bb20eab40.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
300KB

MD5
f6a62eb330e37ee7fa42050572a08b98

SHA1
14c309659f78410532e92c73518c81a8650ef829

SHA256
db6f403b665aaf1bfa60d3b5cbcfaad8de92e15fb59a2053089295b2b54a0522

SHA512
30f9343d9fd508910e5f45086986d694713cb6096fcf05fd3e6f01e02a50e30e5db20cd9cbf06a427e3b3741006ff9f6e5d3c01984afa127da1c2e9647704d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
300KB

MD5
f6a62eb330e37ee7fa42050572a08b98

SHA1
14c309659f78410532e92c73518c81a8650ef829

SHA256
db6f403b665aaf1bfa60d3b5cbcfaad8de92e15fb59a2053089295b2b54a0522

SHA512
30f9343d9fd508910e5f45086986d694713cb6096fcf05fd3e6f01e02a50e30e5db20cd9cbf06a427e3b3741006ff9f6e5d3c01984afa127da1c2e9647704d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
300KB

MD5
f6a62eb330e37ee7fa42050572a08b98

SHA1
14c309659f78410532e92c73518c81a8650ef829

SHA256
db6f403b665aaf1bfa60d3b5cbcfaad8de92e15fb59a2053089295b2b54a0522

SHA512
30f9343d9fd508910e5f45086986d694713cb6096fcf05fd3e6f01e02a50e30e5db20cd9cbf06a427e3b3741006ff9f6e5d3c01984afa127da1c2e9647704d98

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
300KB

MD5
f6a62eb330e37ee7fa42050572a08b98

SHA1
14c309659f78410532e92c73518c81a8650ef829

SHA256
db6f403b665aaf1bfa60d3b5cbcfaad8de92e15fb59a2053089295b2b54a0522

SHA512
30f9343d9fd508910e5f45086986d694713cb6096fcf05fd3e6f01e02a50e30e5db20cd9cbf06a427e3b3741006ff9f6e5d3c01984afa127da1c2e9647704d98

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
300KB

MD5
f6a62eb330e37ee7fa42050572a08b98

SHA1
14c309659f78410532e92c73518c81a8650ef829

SHA256
db6f403b665aaf1bfa60d3b5cbcfaad8de92e15fb59a2053089295b2b54a0522

SHA512
30f9343d9fd508910e5f45086986d694713cb6096fcf05fd3e6f01e02a50e30e5db20cd9cbf06a427e3b3741006ff9f6e5d3c01984afa127da1c2e9647704d98

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
300KB

MD5
f6a62eb330e37ee7fa42050572a08b98

SHA1
14c309659f78410532e92c73518c81a8650ef829

SHA256
db6f403b665aaf1bfa60d3b5cbcfaad8de92e15fb59a2053089295b2b54a0522

SHA512
30f9343d9fd508910e5f45086986d694713cb6096fcf05fd3e6f01e02a50e30e5db20cd9cbf06a427e3b3741006ff9f6e5d3c01984afa127da1c2e9647704d98

Download Submit
memory/2168-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2168-1-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/2168-2-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/2168-31-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2168-33-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing