23e5a3222b3ae9f4569d8aa39c596cdc19987c55b966a306476cb8752e9d8c17

Analysis

max time kernel
118s
max time network
129s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ef20c2f0d656889a9a95d30558e5a8c0.exe
Size

100KB
MD5

ef20c2f0d656889a9a95d30558e5a8c0
SHA1

f534f5533a94a874cdad689be5c6139e3ca08cba
SHA256

23e5a3222b3ae9f4569d8aa39c596cdc19987c55b966a306476cb8752e9d8c17
SHA512

aac9e1de150b9d9b7c0e3ee91fe14f7cdabef24f03a7a993fb5f32967466aa601efdf668767633564ce4b11c648a63521b7f03c547ade265a55084f32cf5f202
SSDEEP

1536:xHUHW7VMPNzMh0QpFZyOSAYZRx6ik9ld8rAzt3i6EBXlLOUpNbAAlcR1llq9zSz2:unk0QpFZyOSAYZRx6iDrhLOUpN6R1lk

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updates = "D:\\Updates.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Backup = "D:\\Backup.exe"	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3020	reg.exe
2664	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1212	NEAS.ef20c2f0d656889a9a95d30558e5a8c0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2188	1212	NEAS.ef20c2f0d656889a9a95d30558e5a8c0.exe	28
PID 1212 wrote to memory of 2188	1212	NEAS.ef20c2f0d656889a9a95d30558e5a8c0.exe	28
PID 1212 wrote to memory of 2188	1212	NEAS.ef20c2f0d656889a9a95d30558e5a8c0.exe	28
PID 1212 wrote to memory of 2188	1212	NEAS.ef20c2f0d656889a9a95d30558e5a8c0.exe	28
PID 1212 wrote to memory of 2652	1212	NEAS.ef20c2f0d656889a9a95d30558e5a8c0.exe	29
PID 1212 wrote to memory of 2652	1212	NEAS.ef20c2f0d656889a9a95d30558e5a8c0.exe	29
PID 1212 wrote to memory of 2652	1212	NEAS.ef20c2f0d656889a9a95d30558e5a8c0.exe	29
PID 1212 wrote to memory of 2652	1212	NEAS.ef20c2f0d656889a9a95d30558e5a8c0.exe	29
PID 2188 wrote to memory of 3020	2188	cmd.exe	32
PID 2188 wrote to memory of 3020	2188	cmd.exe	32
PID 2188 wrote to memory of 3020	2188	cmd.exe	32
PID 2188 wrote to memory of 3020	2188	cmd.exe	32
PID 2652 wrote to memory of 2664	2652	cmd.exe	33
PID 2652 wrote to memory of 2664	2652	cmd.exe	33
PID 2652 wrote to memory of 2664	2652	cmd.exe	33
PID 2652 wrote to memory of 2664	2652	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.ef20c2f0d656889a9a95d30558e5a8c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ef20c2f0d656889a9a95d30558e5a8c0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg add HKCU\software\microsoft\windows\currentversion\run /v Updates /t REG_SZ /d D:\Updates.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\software\microsoft\windows\currentversion\run /v Updates /t REG_SZ /d D:\Updates.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg add HKCU\software\microsoft\windows\currentversion\run /v Backup /t REG_SZ /d D:\Backup.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\software\microsoft\windows\currentversion\run /v Backup /t REG_SZ /d D:\Backup.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Low\Low.exe

Filesize
100KB

MD5
ef20c2f0d656889a9a95d30558e5a8c0

SHA1
f534f5533a94a874cdad689be5c6139e3ca08cba

SHA256
23e5a3222b3ae9f4569d8aa39c596cdc19987c55b966a306476cb8752e9d8c17

SHA512
aac9e1de150b9d9b7c0e3ee91fe14f7cdabef24f03a7a993fb5f32967466aa601efdf668767633564ce4b11c648a63521b7f03c547ade265a55084f32cf5f202

Download Submit
memory/1212-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1212-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads