a384fb42413bd8595e5d039e50104348102b6ff6847237d33cc2d819b54d0ed9

Analysis

max time kernel
172s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2b84e7dc9ee9e73611c38072066897b0.exe
Size

284KB
MD5

2b84e7dc9ee9e73611c38072066897b0
SHA1

6a1d9218b194c5f776503a3f1ea7f62b4a24bd26
SHA256

a384fb42413bd8595e5d039e50104348102b6ff6847237d33cc2d819b54d0ed9
SHA512

13e62ac70a9671c24339e58e218006451a2fc25733de0a3702ae4cda62329796c9549344659f10a384d889add63006778778b89b0b209c946875c8cb03de71bc
SSDEEP

3072:mSQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lC:mPA6wxmuJspr2l

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2084	skyrpe.exe

Loads dropped DLL 5 IoCs

pid	Process
1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe
1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe
1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe
1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe
1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1612-106792-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1612-106794-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1612-106798-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1612-106800-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1612-106801-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1612-106803-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1612-106802-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1612-107119-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\skype\\skyrpe.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2244 set thread context of 1612	2244	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2244	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe
1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe
2084	skyrpe.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1612	2244	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	29
PID 2244 wrote to memory of 1612	2244	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	29
PID 2244 wrote to memory of 1612	2244	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	29
PID 2244 wrote to memory of 1612	2244	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	29
PID 2244 wrote to memory of 1612	2244	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	29
PID 2244 wrote to memory of 1612	2244	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	29
PID 2244 wrote to memory of 1612	2244	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	29
PID 2244 wrote to memory of 1612	2244	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	29
PID 1612 wrote to memory of 936	1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	30
PID 1612 wrote to memory of 936	1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	30
PID 1612 wrote to memory of 936	1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	30
PID 1612 wrote to memory of 936	1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	30
PID 936 wrote to memory of 2252	936	cmd.exe	32
PID 936 wrote to memory of 2252	936	cmd.exe	32
PID 936 wrote to memory of 2252	936	cmd.exe	32
PID 936 wrote to memory of 2252	936	cmd.exe	32
PID 1612 wrote to memory of 2084	1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	33
PID 1612 wrote to memory of 2084	1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	33
PID 1612 wrote to memory of 2084	1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	33
PID 1612 wrote to memory of 2084	1612	NEAS.2b84e7dc9ee9e73611c38072066897b0.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.2b84e7dc9ee9e73611c38072066897b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2b84e7dc9ee9e73611c38072066897b0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\NEAS.2b84e7dc9ee9e73611c38072066897b0.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.2b84e7dc9ee9e73611c38072066897b0.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMNKS.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe" /f
      4⤵
      Adds Run key to start application
      PID:2252
- - C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe
    "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VMNKS.bat

Filesize
139B

MD5
0654f004b2e314bad7f75867e91da37d

SHA1
4232c22e7340b12108d86e3cb35ed288a3dbc7f1

SHA256
ead325a060300a9606a3f0f14694be39a3e4006a60c6c3eb0bea5d6f98192249

SHA512
dda135cdfca90a742d42b4c7a5e7f5df6580ec428302a8f0c311f5b92eb08dda75774e0c7497110faffbe2dfa02b30d2dfe35ec2848a275f53be8d930c7aa553

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMNKS.bat

Filesize
139B

MD5
0654f004b2e314bad7f75867e91da37d

SHA1
4232c22e7340b12108d86e3cb35ed288a3dbc7f1

SHA256
ead325a060300a9606a3f0f14694be39a3e4006a60c6c3eb0bea5d6f98192249

SHA512
dda135cdfca90a742d42b4c7a5e7f5df6580ec428302a8f0c311f5b92eb08dda75774e0c7497110faffbe2dfa02b30d2dfe35ec2848a275f53be8d930c7aa553

Download Submit
C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe

Filesize
284KB

MD5
21f320e1f2e8c516a1fac580527b3b7c

SHA1
9060e9bc1c586ae0a5029c82bcc2d56316f76128

SHA256
2aa83736ced6a41055861a6d8170da3c522f4f5b0fb1046ac359ddf91631cc51

SHA512
df459eee19044c65f86bd0b7d5d70d4f5fa09dd626be1978f0a2f96c21cfa3f24662121ed26abd68e797eebe0b948917c63feabd5f7eaf279816e5d3068de5cd

Download Submit
C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe

Filesize
284KB

MD5
21f320e1f2e8c516a1fac580527b3b7c

SHA1
9060e9bc1c586ae0a5029c82bcc2d56316f76128

SHA256
2aa83736ced6a41055861a6d8170da3c522f4f5b0fb1046ac359ddf91631cc51

SHA512
df459eee19044c65f86bd0b7d5d70d4f5fa09dd626be1978f0a2f96c21cfa3f24662121ed26abd68e797eebe0b948917c63feabd5f7eaf279816e5d3068de5cd

Download Submit
\Users\Admin\AppData\Roaming\skype\skyrpe.exe

Filesize
284KB

MD5
21f320e1f2e8c516a1fac580527b3b7c

SHA1
9060e9bc1c586ae0a5029c82bcc2d56316f76128

SHA256
2aa83736ced6a41055861a6d8170da3c522f4f5b0fb1046ac359ddf91631cc51

SHA512
df459eee19044c65f86bd0b7d5d70d4f5fa09dd626be1978f0a2f96c21cfa3f24662121ed26abd68e797eebe0b948917c63feabd5f7eaf279816e5d3068de5cd

Download Submit
\Users\Admin\AppData\Roaming\skype\skyrpe.exe

Filesize
284KB

MD5
21f320e1f2e8c516a1fac580527b3b7c

SHA1
9060e9bc1c586ae0a5029c82bcc2d56316f76128

SHA256
2aa83736ced6a41055861a6d8170da3c522f4f5b0fb1046ac359ddf91631cc51

SHA512
df459eee19044c65f86bd0b7d5d70d4f5fa09dd626be1978f0a2f96c21cfa3f24662121ed26abd68e797eebe0b948917c63feabd5f7eaf279816e5d3068de5cd

Download Submit
\Users\Admin\AppData\Roaming\skype\skyrpe.exe

Filesize
284KB

MD5
21f320e1f2e8c516a1fac580527b3b7c

SHA1
9060e9bc1c586ae0a5029c82bcc2d56316f76128

SHA256
2aa83736ced6a41055861a6d8170da3c522f4f5b0fb1046ac359ddf91631cc51

SHA512
df459eee19044c65f86bd0b7d5d70d4f5fa09dd626be1978f0a2f96c21cfa3f24662121ed26abd68e797eebe0b948917c63feabd5f7eaf279816e5d3068de5cd

Download Submit
\Users\Admin\AppData\Roaming\skype\skyrpe.exe

Filesize
284KB

MD5
21f320e1f2e8c516a1fac580527b3b7c

SHA1
9060e9bc1c586ae0a5029c82bcc2d56316f76128

SHA256
2aa83736ced6a41055861a6d8170da3c522f4f5b0fb1046ac359ddf91631cc51

SHA512
df459eee19044c65f86bd0b7d5d70d4f5fa09dd626be1978f0a2f96c21cfa3f24662121ed26abd68e797eebe0b948917c63feabd5f7eaf279816e5d3068de5cd

Download Submit
\Users\Admin\AppData\Roaming\skype\skyrpe.exe

Filesize
284KB

MD5
21f320e1f2e8c516a1fac580527b3b7c

SHA1
9060e9bc1c586ae0a5029c82bcc2d56316f76128

SHA256
2aa83736ced6a41055861a6d8170da3c522f4f5b0fb1046ac359ddf91631cc51

SHA512
df459eee19044c65f86bd0b7d5d70d4f5fa09dd626be1978f0a2f96c21cfa3f24662121ed26abd68e797eebe0b948917c63feabd5f7eaf279816e5d3068de5cd

Download Submit
memory/1612-106792-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1612-106794-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1612-106801-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1612-106803-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1612-106802-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1612-106798-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1612-106796-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1612-106800-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1612-107119-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1612-106790-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2084-107121-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2244-106789-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2244-106784-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2244-277-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2244-190-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2244-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads