a2a0b71978917f72f73a1e9e2cc2966521ccbe6a57781fc392a1d8f3738acf8d

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 02:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Size

426KB
MD5

9af01ff47c8e2052a3da7b8f81adfc80
SHA1

854d4f19dddaf8a212e101e4740c6ce8f2170bd5
SHA256

a2a0b71978917f72f73a1e9e2cc2966521ccbe6a57781fc392a1d8f3738acf8d
SHA512

5f3a51c9372893cd2a2fddc12d07a19a217561a59f230998c1bafcb5445c4b08abefd5c2aed9222a8ca1c6debd45ffef9060a439646434f44bfae25fe20d42b4
SSDEEP

6144:gdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70Nqx:G8kxNhOZElO5kkWjhD4AF

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	HYQ.EXE

Loads dropped DLL 2 IoCs

pid	Process
2600	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
2600	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\System Volume Information\\EKCYYV.EXE \"%1\" %*"	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	HYQ.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PNE.EXE = "C:\\System Volume Information\\EKCYYV.EXE"	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\J:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\E:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\K:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\V:	HYQ.EXE
File opened (read-only)	\??\P:	HYQ.EXE
File opened (read-only)	\??\S:	HYQ.EXE
File opened (read-only)	\??\P:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\Q:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\V:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\I:	HYQ.EXE
File opened (read-only)	\??\L:	HYQ.EXE
File opened (read-only)	\??\R:	HYQ.EXE
File opened (read-only)	\??\S:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\T:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\U:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\M:	HYQ.EXE
File opened (read-only)	\??\Q:	HYQ.EXE
File opened (read-only)	\??\E:	HYQ.EXE
File opened (read-only)	\??\O:	HYQ.EXE
File opened (read-only)	\??\I:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\L:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\O:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\R:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\G:	HYQ.EXE
File opened (read-only)	\??\T:	HYQ.EXE
File opened (read-only)	\??\U:	HYQ.EXE
File opened (read-only)	\??\H:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\M:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\N:	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File opened (read-only)	\??\H:	HYQ.EXE
File opened (read-only)	\??\K:	HYQ.EXE
File opened (read-only)	\??\J:	HYQ.EXE
File opened (read-only)	\??\N:	HYQ.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\UAHY.EXE	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
File created	C:\Program Files (x86)\AWLWZ.EXE	HYQ.EXE

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\System Volume Information\\XXRVES.EXE \"%1\""	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	HYQ.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\PerfLogs\\LTPV.EXE %1"	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\System Volume Information\\EKCYYV.EXE \"%1\" %*"	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\PerfLogs\\EJU.EXE %1"	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell	HYQ.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\System Volume Information\\XXRVES.EXE \"%1\""	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell	HYQ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	HYQ.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2644	2600	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe	28
PID 2600 wrote to memory of 2644	2600	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe	28
PID 2600 wrote to memory of 2644	2600	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe	28
PID 2600 wrote to memory of 2644	2600	NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9af01ff47c8e2052a3da7b8f81adfc80.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600
- C:\$Recycle.Bin\HYQ.EXE
  C:\$Recycle.Bin\HYQ.EXE
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies registry class
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\HYQ.EXE

Filesize
426KB

MD5
1cd9e52c6b9bf3e7f8acc6a5002c5ee5

SHA1
d47dd0cc6191339eaf2dd77d5dcc6f82261ce8f2

SHA256
2fdf6bb97f1b7498a4a31476c0274b4a5ca1407bffdf75b6bff0406c5898f05d

SHA512
aeae5b6c4111bb8bb44b97529bff2fc2458ce0f02e657367720dc1708ae882d2688c12be27c6a85a20fcea7f1f4b9880d3e2bfdf88f394e18dee6f5139b7785a

Download Submit
C:\$Recycle.Bin\HYQ.EXE

Filesize
426KB

MD5
1cd9e52c6b9bf3e7f8acc6a5002c5ee5

SHA1
d47dd0cc6191339eaf2dd77d5dcc6f82261ce8f2

SHA256
2fdf6bb97f1b7498a4a31476c0274b4a5ca1407bffdf75b6bff0406c5898f05d

SHA512
aeae5b6c4111bb8bb44b97529bff2fc2458ce0f02e657367720dc1708ae882d2688c12be27c6a85a20fcea7f1f4b9880d3e2bfdf88f394e18dee6f5139b7785a

Download Submit
C:\PerfLogs\EJU.EXE

Filesize
426KB

MD5
0af3f7300eacb31c7da69f00510f115e

SHA1
158203916d90c878ae53e57248933ee1e1a43b74

SHA256
d1e315f45df978b8ce2231e05822db00e84214932e654560f8dcc21e49ae9146

SHA512
4bc8937e73b0a4e091c643cbedfdfac7165b002368c6f41f58be4ba7a30f6db7049c761dfa6c0a1119bf8b17ea4c4c6d49748076b792cc65e49007c6f21f1a74

Download Submit
\$Recycle.Bin\HYQ.EXE

Filesize
426KB

MD5
1cd9e52c6b9bf3e7f8acc6a5002c5ee5

SHA1
d47dd0cc6191339eaf2dd77d5dcc6f82261ce8f2

SHA256
2fdf6bb97f1b7498a4a31476c0274b4a5ca1407bffdf75b6bff0406c5898f05d

SHA512
aeae5b6c4111bb8bb44b97529bff2fc2458ce0f02e657367720dc1708ae882d2688c12be27c6a85a20fcea7f1f4b9880d3e2bfdf88f394e18dee6f5139b7785a

Download Submit
\$Recycle.Bin\HYQ.EXE

Filesize
426KB

MD5
1cd9e52c6b9bf3e7f8acc6a5002c5ee5

SHA1
d47dd0cc6191339eaf2dd77d5dcc6f82261ce8f2

SHA256
2fdf6bb97f1b7498a4a31476c0274b4a5ca1407bffdf75b6bff0406c5898f05d

SHA512
aeae5b6c4111bb8bb44b97529bff2fc2458ce0f02e657367720dc1708ae882d2688c12be27c6a85a20fcea7f1f4b9880d3e2bfdf88f394e18dee6f5139b7785a

Download Submit
memory/2600-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2644-22-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads