ae267ef9c582c24109e3102ebc6688428eb1c1dfed5e0e504dc986d65b916a02

Analysis

max time kernel
142s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.901858196da1fe79c24564a8e28461a0.exe
Size

29KB
MD5

901858196da1fe79c24564a8e28461a0
SHA1

6c851851295716c5646c08cb1157bcf59b164285
SHA256

ae267ef9c582c24109e3102ebc6688428eb1c1dfed5e0e504dc986d65b916a02
SHA512

4e13b097feee6c6be0805726930dfa205e1a5691ad52a9fef9d5c26f3b6354ae8eb5ebce5384504696daa20946064e81a38317d6b72ec588cbbc033cc0220d52
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Ax:AEwVs+0jNDY1qi/qg

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4952	services.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4416-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0007000000022e24-4.dat	upx
behavioral2/memory/4952-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0007000000022e24-7.dat	upx
behavioral2/memory/4416-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4952-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4952-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4952-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4952-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4952-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4952-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4952-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0008000000022e52-48.dat	upx
behavioral2/memory/4952-99-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4416-98-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4416-133-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4952-138-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4416-202-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4952-207-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4416-245-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4952-251-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4416-286-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4952-287-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4416-330-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4952-331-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4416-368-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/4952-369-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4952-416-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4416-415-0x0000000000500000-0x0000000000510200-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.901858196da1fe79c24564a8e28461a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.901858196da1fe79c24564a8e28461a0.exe
File opened for modification	C:\Windows\java.exe	NEAS.901858196da1fe79c24564a8e28461a0.exe
File created	C:\Windows\java.exe	NEAS.901858196da1fe79c24564a8e28461a0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4952	4416	NEAS.901858196da1fe79c24564a8e28461a0.exe	86
PID 4416 wrote to memory of 4952	4416	NEAS.901858196da1fe79c24564a8e28461a0.exe	86
PID 4416 wrote to memory of 4952	4416	NEAS.901858196da1fe79c24564a8e28461a0.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.901858196da1fe79c24564a8e28461a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.901858196da1fe79c24564a8e28461a0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1GRKGEIB\default[1].htm

Filesize
303B

MD5
6a0f569150af2b9f0db7444703c27a68

SHA1
69591c4c6e85d710d5bf89c4b6330d813bf24eb9

SHA256
4dd9d1b48bef8fbd32a979c93141c60683c30da136fc0a58c69970ca78dd9878

SHA512
e1c71ab22237b98603a57b3949329b242663c6d369c7ea1a2f17b05b673eb991b1890474a131fc424b921dfb26dc06acfff5df7400186d2491785c6ac420d05f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1GRKGEIB\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K1QHLR0H\default[1].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K1QHLR0H\default[3].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UDS0USIU\default[2].htm

Filesize
303B

MD5
6a62ed00d5950a7aa3df6d446d0beb92

SHA1
608da2a7b63e92b731a7beb2d990405d7a6e9611

SHA256
7aaaf31ea9c2999c775008a4b769336c91d87dc8f6dc0a1015bb45c61bc39fdb

SHA512
10a77d30bd2a5a930233e79830ac6e0a695bcfacb4e33fe9a67a7dc4b4c0ffaf3ca6ce458bf2a6714b9c590997ff816f207bee87536516a2c8e711c3c161773d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5A2S7N8\default[7].htm

Filesize
305B

MD5
28d3586cf0fecdada411e6598d0d24b9

SHA1
87f72f1d3f9eb8682c25d9ffc0397064489903ff

SHA256
3f9df02aa51466baf3b4089857c0c9f84b40e8506a4322f3836ce2b995552593

SHA512
41e79f5946cbf77ec84555acb9cffecaeada064855c41a46b56c3102f0fb406a627d84347ac14a74768db87e93e68ca534887a32d4cf220e013ce24bfdfab0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsh2p.log

Filesize
256B

MD5
c33f5ae9d7f77840173eef9d94a91060

SHA1
189669f790ee727e18e06e5abf14e871b8e3079f

SHA256
72542093055867d2e263c44981bde762c60e585caa1d7ff34eb039a3aa6f2532

SHA512
f0b636463018bf9f6fd535e058e07e04ead0985b9e527799a01ef1f1ee661e34aec2aad88f4f2f4437e2d6c0a6e3892c58108584bf4a7a34987f2f601c47f6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB67C.tmp

Filesize
29KB

MD5
b0f8a7f0a90ca0988199b83032f57d22

SHA1
fce54c6b6e16029b80f9a6823a155ac1649bc43d

SHA256
37811ed9ec2066bc7e0381f2ceaec890b51076102a261281d122259b26255b1c

SHA512
388ddb6d0e9cd6ec84507bcadefe3ee5493a84a44a5990473c69f68497ba828872a208b64b0f6c03dd890c82706052c15be05292d89fd538fa91842f39df9843

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
c0cd799c017a7be13807b4464fb7e381

SHA1
3f340942d4e39aaa422dedb83269ab495e089529

SHA256
96870c17b9b6f416737b69eb3213e40dc073b73361608f9c11b40aabd08f022d

SHA512
a892effa2e44e897d588902186fd14e8c8c14c8820e37531ff93feacc3a9ebd780248a914dc2c53d450e81d6d7b3f4107e0d74c22ce33e4f35e2f0d6c4dd38db

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
c0737adc6660a916d7f2d8a01b4761fd

SHA1
d6990a9bdd178d4c793ed7671df2c9f50bc1c461

SHA256
b2f3a107291e7cf8a414640f2477ecf9991957a63b9c6a9ddaf4fb970577c937

SHA512
e0ec0065d51549208edd352cd7d4f7ef1e0c827c644829b0a0ee91ff0ffb28696645a800620aa90c7a8d0ba3db1a56901cc33ec9bc5bdfed41d57b03408b1e41

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4416-286-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4416-330-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4416-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4416-368-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4416-98-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4416-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4416-133-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4416-245-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4416-415-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4416-202-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4952-207-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-138-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-251-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-99-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-287-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-331-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-369-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-416-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4952-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads