b2837fdfe6c4394e177f6bc07b9c5fbb451a8e61df8aace9ac973922fdf33674

Analysis

max time kernel
158s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.55b0c32d8de04449bfe14162f44a01a0.exe
Size

29KB
MD5

55b0c32d8de04449bfe14162f44a01a0
SHA1

7b68f7ab98eebb79a5f6e9c859f31bfba59d2ddc
SHA256

b2837fdfe6c4394e177f6bc07b9c5fbb451a8e61df8aace9ac973922fdf33674
SHA512

058d841cb26b26230d0cf27b8d32c8b1015825ff7587b73cee4dce6607e3767cbe43b37cb021a836962b17807da76a393418af7b95bab461198b09126ee63d02
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/L0:AEwVs+0jNDY1qi/qY

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5104	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3728-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0007000000022dcb-4.dat	upx
behavioral2/files/0x0007000000022dcb-7.dat	upx
behavioral2/memory/5104-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3728-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/5104-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0006000000022f9b-64.dat	upx
behavioral2/memory/3728-79-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/5104-96-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3728-134-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/5104-154-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3728-189-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/5104-194-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3728-229-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/5104-235-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.55b0c32d8de04449bfe14162f44a01a0.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.55b0c32d8de04449bfe14162f44a01a0.exe
File opened for modification	C:\Windows\java.exe	NEAS.55b0c32d8de04449bfe14162f44a01a0.exe
File created	C:\Windows\java.exe	NEAS.55b0c32d8de04449bfe14162f44a01a0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 5104	3728	NEAS.55b0c32d8de04449bfe14162f44a01a0.exe	86
PID 3728 wrote to memory of 5104	3728	NEAS.55b0c32d8de04449bfe14162f44a01a0.exe	86
PID 3728 wrote to memory of 5104	3728	NEAS.55b0c32d8de04449bfe14162f44a01a0.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.55b0c32d8de04449bfe14162f44a01a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.55b0c32d8de04449bfe14162f44a01a0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5CVX12JG\default[5].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FNC8FKXQ\default[2].htm

Filesize
303B

MD5
0a53779b07f9c9c56ef169499851915e

SHA1
281bf81610dae812be159f95a0858f88f9b96637

SHA256
b946117d346ecf850135aae1ac65b368f4effd806bf5180ecd3c585f1324dbd1

SHA512
5a5016dcdeef68be7115eafee0a6844e3cc868fa04f353980d924fca7394962d919d8dece40b15b7ddcc867f956fc8c0e522b68688ca409f1671c39e42973dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MMC5AP7F\default[1].htm

Filesize
304B

MD5
084f55ccad6fddfe1704851a5074a194

SHA1
844821de6a0f3c2410341af6b3979f6b59f16a3a

SHA256
b10034ade693ec98852ac56ed2b784c546aeb3f11593a7ece687b17c283cb4cf

SHA512
776a722ff79b1665f904be9972229f03b67c0a54c9ebb4b639d959e2c87398a3eb5930ebd7c2a03b14ccdbba380ae26ae1ffdbd1f65f8a900fddb4fde467aa31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MMC5AP7F\default[2].htm

Filesize
304B

MD5
8fc460e5c1851dae2ede898b85804b31

SHA1
c2887be287c1ea86cd250c38fb4e55518f764abe

SHA256
7b5f9fe5a9244d0bd4888e5b70912a35d01fceed4c899585c39543682e43e1a3

SHA512
7d454c1d92dd448dc9c5e00a2773bd141816aefeb0ae4ac509872db998d16889773b28753d0b02f7375631202f1d5986a18e3a67350d34741dcfc6f6c58a8775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MMC5AP7F\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OAM0FGD0\default[1].htm

Filesize
303B

MD5
fa78d0b4605d3ecbc7478657252d1ca7

SHA1
878ad097a27b5224d3bae4b77a8b2721352131b6

SHA256
7209c96d8c89edf2191a9ca9b66b5c35cde69b193065e70180f37b718e022913

SHA512
08853cb4af314ef742befde246372c17e630b216a78f21d2dfea805c89a7fc8337432d8449bf68e010ff6f858940b1b65a8ee571fcf367c0c4918d94b50e5208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OAM0FGD0\default[2].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OAM0FGD0\default[3].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Temp\94U8peojbc.log

Filesize
256B

MD5
3d93cfb36f2bdc025747ee610b69cf28

SHA1
8a61a128c9d598d765675497ca342bf9096777aa

SHA256
b0bd1ba11e1d30f5016bcb43e81d73fd8e810484e3b98587548c7ec0ba0784fd

SHA512
a6bf014ad7b191b57c4a894af11162b83ecbdb68123e566e7b7dd68e41fba6a8fa37c1629cb018726b4e7c83511f6efd08c5d118fa089fd9ac3630dbb2f8b783

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp90EE.tmp

Filesize
29KB

MD5
3e714d9e72999a0f1007d31b08d98bbc

SHA1
cb918afc08779ab10b5b212b8bed5175073a64cf

SHA256
734379f3b7da491b7dde64b9a0d88168253ecd73742ef3fc50523d83417f0453

SHA512
47604c001ff784529d81e332c3edbd98b9481a5f931db4628259f1fb00dc57c83a135d5a5528fc8e809c97825734f2e88c5ac273c179d7c980db83ff3ecf5e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
aaa0a7832d1d3c25f2c4e5001cb58e38

SHA1
3bc1547288e947f00070fc404cfb02614114ac5d

SHA256
87af7fe1c46c3024adbe840680185995aef68beb057f8128fc1add573e56a399

SHA512
c5600ffe35dfab7517ef75b4e96fcc14a6bcc7dbb52e87bc8daccb2e64ae02f1b43ce8bfb461cff4eaabc9277503056d75d0bbe7132604ebf3f260d693bdfc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
6a47a897f227474e6a3b8b6798c45b0b

SHA1
7a91bce7e8a92f7ac0346b7130bef557f3dd4a43

SHA256
26a9a2f2bde8423e0e503953ac9d0e910305e0d72b03b6522fe068d06f573e3b

SHA512
8558155130d4a63520942a22daa50476bb7cbe43d6f49fcf93afa17544ce211d3b3bf3aa2f858cc70161e0e264aef2975119bef4741783077d947ce8ef33c2aa

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3728-79-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3728-229-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3728-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3728-189-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3728-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3728-134-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/5104-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-96-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-154-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-194-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-235-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads