Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
-
submitted
01/11/2023, 08:29
General
-
Target
NEAS.eb63a3d3f9689256901ec9635029db56.exe
-
Size
429KB
-
MD5
eb63a3d3f9689256901ec9635029db56
-
SHA1
72fa97a370ce1844008be55a9bcb61b5ec291e61
-
SHA256
87dbb1eff18ddc725d01090ab918c2fa0637e3012a655849d59e0eb741656b36
-
SHA512
3e91b15466cf77c3843c0d48e18bcd63ddea339b51501d182c62f64a5f08f56dc223e50883c3c5bbeffe63977f42b00d277fc0e3da833ad01b796464b1326d4d
-
SSDEEP
6144:6DgjU0INV/Ah1G/AcQ///NR5fLYG3eujPQ///NR5f:6Ujv/NcZ7/N
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.eb63a3d3f9689256901ec9635029db56.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.eb63a3d3f9689256901ec9635029db56.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
-
-
-
-
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Bklomh32.exeC:\Windows\system32\Bklomh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\Baegibae.exeC:\Windows\system32\Baegibae.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Bhpofl32.exeC:\Windows\system32\Bhpofl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cdimqm32.exeC:\Windows\system32\Cdimqm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\Cdmfllhn.exeC:\Windows\system32\Cdmfllhn.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cggimh32.exeC:\Windows\system32\Cggimh32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Bpkdjofm.exeC:\Windows\system32\Bpkdjofm.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dhgonidg.exeC:\Windows\system32\Dhgonidg.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dbocfo32.exeC:\Windows\system32\Dbocfo32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ehlhih32.exeC:\Windows\system32\Ehlhih32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Edbiniff.exeC:\Windows\system32\Edbiniff.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
-
-
C:\Windows\SysWOW64\Enkmfolf.exeC:\Windows\system32\Enkmfolf.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Enmjlojd.exeC:\Windows\system32\Enmjlojd.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fbplml32.exeC:\Windows\system32\Fbplml32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Foclgq32.exeC:\Windows\system32\Foclgq32.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fniihmpf.exeC:\Windows\system32\Fniihmpf.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fiqjke32.exeC:\Windows\system32\Fiqjke32.exe7⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Gegkpf32.exeC:\Windows\system32\Gegkpf32.exe8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gpolbo32.exeC:\Windows\system32\Gpolbo32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ggkqgaol.exeC:\Windows\system32\Ggkqgaol.exe10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Glhimp32.exeC:\Windows\system32\Glhimp32.exe11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Giljfddl.exeC:\Windows\system32\Giljfddl.exe12⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hioflcbj.exeC:\Windows\system32\Hioflcbj.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Hlblcn32.exeC:\Windows\system32\Hlblcn32.exe14⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hhimhobl.exeC:\Windows\system32\Hhimhobl.exe15⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hbnaeh32.exeC:\Windows\system32\Hbnaeh32.exe16⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Hihibbjo.exeC:\Windows\system32\Hihibbjo.exe17⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Inebjihf.exeC:\Windows\system32\Inebjihf.exe18⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ilibdmgp.exeC:\Windows\system32\Ilibdmgp.exe19⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iafkld32.exeC:\Windows\system32\Iafkld32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ibegfglj.exeC:\Windows\system32\Ibegfglj.exe21⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe22⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ipkdek32.exeC:\Windows\system32\Ipkdek32.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jidinqpb.exeC:\Windows\system32\Jidinqpb.exe24⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Joqafgni.exeC:\Windows\system32\Joqafgni.exe25⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Klbnajqc.exeC:\Windows\system32\Klbnajqc.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Klekfinp.exeC:\Windows\system32\Klekfinp.exe27⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Kiikpnmj.exeC:\Windows\system32\Kiikpnmj.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kadpdp32.exeC:\Windows\system32\Kadpdp32.exe29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe31⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pimfpc32.exeC:\Windows\system32\Pimfpc32.exe32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pfhmjf32.exeC:\Windows\system32\Pfhmjf32.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ajjokd32.exeC:\Windows\system32\Ajjokd32.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Apjdikqd.exeC:\Windows\system32\Apjdikqd.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ajohfcpj.exeC:\Windows\system32\Ajohfcpj.exe38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Abjmkf32.exeC:\Windows\system32\Abjmkf32.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aalmimfd.exeC:\Windows\system32\Aalmimfd.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Afhfaddk.exeC:\Windows\system32\Afhfaddk.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bfkbfd32.exeC:\Windows\system32\Bfkbfd32.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Biiobo32.exeC:\Windows\system32\Biiobo32.exe43⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bfmolc32.exeC:\Windows\system32\Bfmolc32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Bpedeiff.exeC:\Windows\system32\Bpedeiff.exe45⤵
-
C:\Windows\SysWOW64\Bbdpad32.exeC:\Windows\system32\Bbdpad32.exe46⤵
-
C:\Windows\SysWOW64\Bbfmgd32.exeC:\Windows\system32\Bbfmgd32.exe47⤵
-
C:\Windows\SysWOW64\Bipecnkd.exeC:\Windows\system32\Bipecnkd.exe48⤵
-
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe49⤵
-
C:\Windows\SysWOW64\Cmnnimak.exeC:\Windows\system32\Cmnnimak.exe50⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cbkfbcpb.exeC:\Windows\system32\Cbkfbcpb.exe51⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Cpogkhnl.exeC:\Windows\system32\Cpogkhnl.exe52⤵
-
C:\Windows\SysWOW64\Ckdkhq32.exeC:\Windows\system32\Ckdkhq32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Cdmoafdb.exeC:\Windows\system32\Cdmoafdb.exe54⤵
-
C:\Windows\SysWOW64\Ciihjmcj.exeC:\Windows\system32\Ciihjmcj.exe55⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe56⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ccblbb32.exeC:\Windows\system32\Ccblbb32.exe57⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cmgqpkip.exeC:\Windows\system32\Cmgqpkip.exe58⤵
-
C:\Windows\SysWOW64\Cdaile32.exeC:\Windows\system32\Cdaile32.exe59⤵
-
C:\Windows\SysWOW64\Dgpeha32.exeC:\Windows\system32\Dgpeha32.exe60⤵
-
C:\Windows\SysWOW64\Daeifj32.exeC:\Windows\system32\Daeifj32.exe61⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Dickplko.exeC:\Windows\system32\Dickplko.exe62⤵
-
C:\Windows\SysWOW64\Dajbaika.exeC:\Windows\system32\Dajbaika.exe63⤵
-
C:\Windows\SysWOW64\Dckoia32.exeC:\Windows\system32\Dckoia32.exe64⤵
-
C:\Windows\SysWOW64\Dkbgjo32.exeC:\Windows\system32\Dkbgjo32.exe65⤵
-
C:\Windows\SysWOW64\Ddklbd32.exeC:\Windows\system32\Ddklbd32.exe66⤵
-
C:\Windows\SysWOW64\Djgdkk32.exeC:\Windows\system32\Djgdkk32.exe67⤵
-
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Egkddo32.exeC:\Windows\system32\Egkddo32.exe69⤵
-
C:\Windows\SysWOW64\Ejjaqk32.exeC:\Windows\system32\Ejjaqk32.exe70⤵
-
C:\Windows\SysWOW64\Edoencdm.exeC:\Windows\system32\Edoencdm.exe71⤵
-
C:\Windows\SysWOW64\Egnajocq.exeC:\Windows\system32\Egnajocq.exe72⤵
-
C:\Windows\SysWOW64\Eaceghcg.exeC:\Windows\system32\Eaceghcg.exe73⤵
-
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe74⤵
-
C:\Windows\SysWOW64\Fgqgfl32.exeC:\Windows\system32\Fgqgfl32.exe75⤵
-
C:\Windows\SysWOW64\Phpbffnp.exeC:\Windows\system32\Phpbffnp.exe76⤵
-
C:\Windows\SysWOW64\Gchflq32.exeC:\Windows\system32\Gchflq32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Jqmicpbj.exeC:\Windows\system32\Jqmicpbj.exe78⤵
-
C:\Windows\SysWOW64\Anhcpeon.exeC:\Windows\system32\Anhcpeon.exe79⤵
-
C:\Windows\SysWOW64\Bgeadjai.exeC:\Windows\system32\Bgeadjai.exe80⤵
-
C:\Windows\SysWOW64\Ckafkfkp.exeC:\Windows\system32\Ckafkfkp.exe81⤵
-
C:\Windows\SysWOW64\Cbknhqbl.exeC:\Windows\system32\Cbknhqbl.exe82⤵
-
C:\Windows\SysWOW64\Cejjdlap.exeC:\Windows\system32\Cejjdlap.exe83⤵
-
C:\Windows\SysWOW64\Cjfclcpg.exeC:\Windows\system32\Cjfclcpg.exe84⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cigcjj32.exeC:\Windows\system32\Cigcjj32.exe85⤵
-
C:\Windows\SysWOW64\Cgjcfgoa.exeC:\Windows\system32\Cgjcfgoa.exe86⤵
-
C:\Windows\SysWOW64\Dijppjfd.exeC:\Windows\system32\Dijppjfd.exe87⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Dehgejep.exeC:\Windows\system32\Dehgejep.exe88⤵
-
C:\Windows\SysWOW64\Eangjkkd.exeC:\Windows\system32\Eangjkkd.exe89⤵
-
C:\Windows\SysWOW64\Ehhpge32.exeC:\Windows\system32\Ehhpge32.exe90⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Eihlahjd.exeC:\Windows\system32\Eihlahjd.exe91⤵
-
C:\Windows\SysWOW64\Mjaodkmo.exeC:\Windows\system32\Mjaodkmo.exe92⤵
-
C:\Windows\SysWOW64\Mcnmhpoj.exeC:\Windows\system32\Mcnmhpoj.exe93⤵
-
C:\Windows\SysWOW64\Mjheejff.exeC:\Windows\system32\Mjheejff.exe94⤵
-
C:\Windows\SysWOW64\Mlialb32.exeC:\Windows\system32\Mlialb32.exe95⤵
-
C:\Windows\SysWOW64\Mcpjnp32.exeC:\Windows\system32\Mcpjnp32.exe96⤵
-
C:\Windows\SysWOW64\Nlphmafm.exeC:\Windows\system32\Nlphmafm.exe97⤵
-
C:\Windows\SysWOW64\Ndgpnogo.exeC:\Windows\system32\Ndgpnogo.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Nidhffef.exeC:\Windows\system32\Nidhffef.exe99⤵
-
C:\Windows\SysWOW64\Nlbdba32.exeC:\Windows\system32\Nlbdba32.exe100⤵
-
C:\Windows\SysWOW64\Njceqili.exeC:\Windows\system32\Njceqili.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Npqmipjq.exeC:\Windows\system32\Npqmipjq.exe102⤵
-
C:\Windows\SysWOW64\Nboiekjd.exeC:\Windows\system32\Nboiekjd.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Njfafhjf.exeC:\Windows\system32\Njfafhjf.exe104⤵
-
C:\Windows\SysWOW64\Omdnbd32.exeC:\Windows\system32\Omdnbd32.exe105⤵
-
C:\Windows\SysWOW64\Odnfonag.exeC:\Windows\system32\Odnfonag.exe106⤵
-
C:\Windows\SysWOW64\Ofmbkipk.exeC:\Windows\system32\Ofmbkipk.exe107⤵
-
C:\Windows\SysWOW64\Oikngeoo.exeC:\Windows\system32\Oikngeoo.exe108⤵
-
C:\Windows\SysWOW64\Oljkcpnb.exeC:\Windows\system32\Oljkcpnb.exe109⤵
-
C:\Windows\SysWOW64\Obccpj32.exeC:\Windows\system32\Obccpj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ojkkah32.exeC:\Windows\system32\Ojkkah32.exe111⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ollgiplp.exeC:\Windows\system32\Ollgiplp.exe112⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ofalfi32.exeC:\Windows\system32\Ofalfi32.exe113⤵
-
C:\Windows\SysWOW64\Olndnp32.exeC:\Windows\system32\Olndnp32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Obhlkjaj.exeC:\Windows\system32\Obhlkjaj.exe115⤵
-
C:\Windows\SysWOW64\Oibdhd32.exeC:\Windows\system32\Oibdhd32.exe116⤵
-
C:\Windows\SysWOW64\Oplmdnpc.exeC:\Windows\system32\Oplmdnpc.exe117⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Obkiqi32.exeC:\Windows\system32\Obkiqi32.exe118⤵
-
C:\Windows\SysWOW64\Pmpmnb32.exeC:\Windows\system32\Pmpmnb32.exe119⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Pghaghfn.exeC:\Windows\system32\Pghaghfn.exe120⤵
-
C:\Windows\SysWOW64\Plejoode.exeC:\Windows\system32\Plejoode.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-