c1105061553868eb708e61236cdc5798c948e03f10b619004d9387e041ccd54e

General

Target

NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe
Size

3.9MB
MD5

61418413389e6d8a1e211e0439d9e610
SHA1

67014cd768a296d0905744041a5555a4a4954be4
SHA256

c1105061553868eb708e61236cdc5798c948e03f10b619004d9387e041ccd54e
SHA512

f38b828f54a560aadec70f4dfb9eb9a6ee66834a63917e2b4d55f05e3868b53f9b3c22fabc3c94c68abf22e9c788061a1ffafd56e8772933c185ff3e95aa013e
SSDEEP

98304:vLWZSniVByw6gEXGzEY7ssGw6gEXGzEY7JRwtBadLhRQyzw6gEXGzEY7ssGw6gEQ:MXKgGQjEgGQjHIegGQjEgGQj

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2600	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe

Loads dropped DLL 1 IoCs

pid	Process
1724	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1724-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x00070000000120e5-11.dat	upx
behavioral1/memory/2600-18-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x00070000000120e5-17.dat	upx
behavioral1/files/0x00070000000120e5-14.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1076	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1724	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1724	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe
2600	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2600	1724	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe	29
PID 1724 wrote to memory of 2600	1724	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe	29
PID 1724 wrote to memory of 2600	1724	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe	29
PID 1724 wrote to memory of 2600	1724	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe	29
PID 2600 wrote to memory of 1076	2600	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe	30
PID 2600 wrote to memory of 1076	2600	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe	30
PID 2600 wrote to memory of 1076	2600	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe	30
PID 2600 wrote to memory of 1076	2600	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe	30
PID 2600 wrote to memory of 2712	2600	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe	33
PID 2600 wrote to memory of 2712	2600	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe	33
PID 2600 wrote to memory of 2712	2600	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe	33
PID 2600 wrote to memory of 2712	2600	NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe	33
PID 2712 wrote to memory of 2604	2712	cmd.exe	35
PID 2712 wrote to memory of 2604	2712	cmd.exe	35
PID 2712 wrote to memory of 2604	2712	cmd.exe	35
PID 2712 wrote to memory of 2604	2712	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe" /TN zyuExGPtfeb3 /F
    3⤵
    - Creates scheduled task(s)
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN zyuExGPtfeb3 > C:\Users\Admin\AppData\Local\Temp\XpsF04u.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN zyuExGPtfeb3
      4⤵
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe

Filesize
3.9MB

MD5
9a0bb9e6a7863f793578ced77446d4da

SHA1
aa5ccd182927921f3bb59faecb5e4d46be641194

SHA256
95b418012d1d7994187b6f295237ccb194020c4be19dd521359ee9501090482e

SHA512
4ee5a6acf5a8ceb9743b5c9eca0f107058c1900f2d09e2374e5a865a205471014d102f4e6c8677265ec7714e24b0483971741656bfe5f9be5590eb9da9a4ca00

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe

Filesize
3.9MB

MD5
9a0bb9e6a7863f793578ced77446d4da

SHA1
aa5ccd182927921f3bb59faecb5e4d46be641194

SHA256
95b418012d1d7994187b6f295237ccb194020c4be19dd521359ee9501090482e

SHA512
4ee5a6acf5a8ceb9743b5c9eca0f107058c1900f2d09e2374e5a865a205471014d102f4e6c8677265ec7714e24b0483971741656bfe5f9be5590eb9da9a4ca00

Download Submit
C:\Users\Admin\AppData\Local\Temp\XpsF04u.xml

Filesize
1KB

MD5
7811904db661ee320a264f42dc0589e5

SHA1
1d69a55fdc569330793cc72a1b25b1231a86dd5d

SHA256
c927cf56b215f832216dfe0078031f96e81c53cb0215aae2ace8046639d6d5c9

SHA512
0658c6b7746d3977e0d0392cb3e287b2bfcf72c0ea322fb02b9c968e56ae460ef67988d12021bc4afe6ea4cf3b6fa68cbaad52f87fa0f696a71eed1202efabe8

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.61418413389e6d8a1e211e0439d9e610_JC.exe

Filesize
3.9MB

MD5
9a0bb9e6a7863f793578ced77446d4da

SHA1
aa5ccd182927921f3bb59faecb5e4d46be641194

SHA256
95b418012d1d7994187b6f295237ccb194020c4be19dd521359ee9501090482e

SHA512
4ee5a6acf5a8ceb9743b5c9eca0f107058c1900f2d09e2374e5a865a205471014d102f4e6c8677265ec7714e24b0483971741656bfe5f9be5590eb9da9a4ca00

Download Submit
memory/1724-16-0x0000000023650000-0x00000000238AC000-memory.dmp

Filesize
2.4MB

Download
memory/1724-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1724-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1724-3-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/1724-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2600-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2600-21-0x0000000001660000-0x00000000016DE000-memory.dmp

Filesize
504KB

Download
memory/2600-27-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2600-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2600-32-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads