efb6fb8e1657c9d54bbd903ed730bcc8d16fd91ce1bcbc3b3de1ce89cfd2f716

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8651d9373a5c8dc1046128ee368bc230.exe
Size

29KB
MD5

8651d9373a5c8dc1046128ee368bc230
SHA1

a8b362a2ecb5fa119be6def5cfd9d135d8396c31
SHA256

efb6fb8e1657c9d54bbd903ed730bcc8d16fd91ce1bcbc3b3de1ce89cfd2f716
SHA512

8872fc34f5c938f250bec081a95aa46bb563cd62def9fc7ebc88a6ac1ff6524ffe6b86841fe04fa46e26c358d07c3159af2371e099d78a77f53d52dd9c5881bc
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/1f:AEwVs+0jNDY1qi/qtf

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2124	services.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4544-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0007000000022de4-4.dat	upx
behavioral2/files/0x0007000000022de4-7.dat	upx
behavioral2/memory/2124-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4544-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2124-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2124-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2124-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2124-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2124-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2124-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000e000000022d0f-46.dat	upx
behavioral2/memory/4544-80-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2124-81-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4544-118-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2124-119-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4544-176-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2124-177-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4544-222-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2124-224-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4544-269-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2124-274-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4544-320-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2124-325-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4544-356-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2124-357-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4544-387-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2124-388-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4544-434-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2124-435-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.8651d9373a5c8dc1046128ee368bc230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.8651d9373a5c8dc1046128ee368bc230.exe
File opened for modification	C:\Windows\java.exe	NEAS.8651d9373a5c8dc1046128ee368bc230.exe
File created	C:\Windows\java.exe	NEAS.8651d9373a5c8dc1046128ee368bc230.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 2124	4544	NEAS.8651d9373a5c8dc1046128ee368bc230.exe	85
PID 4544 wrote to memory of 2124	4544	NEAS.8651d9373a5c8dc1046128ee368bc230.exe	85
PID 4544 wrote to memory of 2124	4544	NEAS.8651d9373a5c8dc1046128ee368bc230.exe	85

C:\Users\Admin\AppData\Local\Temp\NEAS.8651d9373a5c8dc1046128ee368bc230.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8651d9373a5c8dc1046128ee368bc230.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B5FYTYSL\default[2].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B5FYTYSL\default[7].htm

Filesize
303B

MD5
716cb7f5b783829c36e49996fc0bf627

SHA1
63471c20af48dd7052d63a695a12d86e2fc6871d

SHA256
6ad9b32ca3ec43c9017ab8f11b6f82e7ed43083efddf1ef74a3165f778312b40

SHA512
c3d126513cad64785ae5a16c5564cee6d7da1d26682d93d00a04937d9f98a89f54c74f5dda0c200c77f092fd8092db4f4f7a7a8544057eeb83d058f28fdf0346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRUT4RU0\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J9NF6NB1\default[3].htm

Filesize
302B

MD5
485828cfdc2c1efc0c51ff9b74dd34f8

SHA1
6f685134b031e9b2fff0eb8c7212c99bfba3719f

SHA256
615a15f6247f8f979b3a066801c98489018b1d137fd5d9b7bce73824acc70f06

SHA512
69736b9700c2f47feab282d8bf8bd6f02c9f62ecb9c02466b6cf76b1cd4b1becc70803123e73427c871c2aeb2eb64540edf95a342f78d9211ac0571e8fd1f426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J9NF6NB1\default[4].htm

Filesize
303B

MD5
6a62ed00d5950a7aa3df6d446d0beb92

SHA1
608da2a7b63e92b731a7beb2d990405d7a6e9611

SHA256
7aaaf31ea9c2999c775008a4b769336c91d87dc8f6dc0a1015bb45c61bc39fdb

SHA512
10a77d30bd2a5a930233e79830ac6e0a695bcfacb4e33fe9a67a7dc4b4c0ffaf3ca6ce458bf2a6714b9c590997ff816f207bee87536516a2c8e711c3c161773d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J9NF6NB1\default[6].htm

Filesize
315B

MD5
14b82aec966e8e370a28053db081f4e9

SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649

SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf

SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\J9NF6NB1\default[7].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XV93K3MB\default[10].htm

Filesize
305B

MD5
157431349a057954f4227efc1383ecad

SHA1
69ccc939e6b36aa1fabb96ad999540a5ab118c48

SHA256
8553409a8a3813197c474a95d9ae35630e2a67f8e6f9f33b3f39ef4c78a8bfac

SHA512
6405adcfa81b53980f448c489c1d13506d874d839925bffe5826479105cbf5ba194a7bdb93095585441c79c58de42f1dab1138b3d561011dc60f4b66d11e9284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XV93K3MB\default[2].htm

Filesize
304B

MD5
8251fff4df202c8d6dd6aaf34f4838ea

SHA1
fa88f08dfdeaff6b86873d447fd26cb7d83a694d

SHA256
a17db628f6bdbf4cdc6fe029542404867306406510dbbdb57a047a75ac294962

SHA512
e9c0fe2a920377777bdda16a8744cf80d15e1d1b3c94b704f8a4c4cf54d2529ede4aea8a2d6d38f4e3c4d02f602edfed659db6613ac7c374e5214a201f16a3b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XV93K3MB\default[4].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XV93K3MB\default[6].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B61.tmp

Filesize
29KB

MD5
61e5932d2ecf2f5763fba58abef03532

SHA1
e491e8c3c8609a0165037a1f33f6457ce83d3093

SHA256
3455929177112955a532abd958414274dc925c6b660ed572571d07f289f89433

SHA512
9e725e295edea6bdd1f153dd8d8834325e8d69991853e9492fa64199e9e7a7384ce1fcc4c754173a2f162622cc4ef289d3764fb6bf3ee0d36b5ab95483bbc869

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
b1e31db557411381804157f8ba63f822

SHA1
98e6ee14c654b063625c01539e086a5546a859d2

SHA256
31af69f63dc9aa72ec20488dec6ca90b55a4c0972c1dd8c3a4bbf1f3e156f6e6

SHA512
6fd845cdc2ac341a5194e999a5379717501f73aa9e38335c731838b3f3a0c6fa1bcab9946ac614f0b2573635b89b7a3bbdd00c8d79510b1b5b2ffbd0335bb72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
27f2c6cf0614df92cc4c32d83e6e8464

SHA1
95e1185ca949a2be0f412f99728961655d3da0a3

SHA256
4d8e7565bccb265a396101529f96cdd0db271807ded34acac37849731df2c063

SHA512
bf135572c00a3b2acbc9b9384b7b61681c086da9278354ac4c94e8df0e664ecb41ad25549ebdd1a290706f7fe8a101c0f28fdc8ff0b8e1b3baabf88024816fb7

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2124-177-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-224-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-81-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-435-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-357-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-388-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-274-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-119-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-325-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2124-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4544-320-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4544-356-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4544-269-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4544-387-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4544-80-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4544-222-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4544-434-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4544-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4544-176-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4544-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4544-118-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads