732fb723d612da72d591815bc04cb5e22bda4dbf1b758fdb72eea920f3a23293

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2023 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.563f90ac7e3480a335616bbec05d9040.exe
Size

29KB
MD5

563f90ac7e3480a335616bbec05d9040
SHA1

8e3fd0b32e4dca824dd00ed0c860119544377c91
SHA256

732fb723d612da72d591815bc04cb5e22bda4dbf1b758fdb72eea920f3a23293
SHA512

55c774e840ebb44d5aa4c82cec9139d42ca1beb341e26bde9ae542f62d39ba49fc37e1e5b8e9c890dc711fea19919fb4b4eab0d7cda4557f2faad67836b4b0c9
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/1h:AEwVs+0jNDY1qi/qj

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	services.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/748-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0007000000022df5-4.dat	upx
behavioral2/memory/2016-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0007000000022df5-6.dat	upx
behavioral2/memory/748-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2016-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2016-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2016-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2016-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2016-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000b000000022450-41.dat	upx
behavioral2/memory/748-46-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2016-47-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/748-100-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2016-101-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/748-136-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2016-138-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/748-202-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2016-206-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/748-245-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2016-248-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/748-285-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2016-291-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/748-332-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2016-333-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/748-370-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2016-371-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/748-410-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2016-411-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/748-450-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2016-451-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.563f90ac7e3480a335616bbec05d9040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.563f90ac7e3480a335616bbec05d9040.exe
File opened for modification	C:\Windows\java.exe	NEAS.563f90ac7e3480a335616bbec05d9040.exe
File created	C:\Windows\java.exe	NEAS.563f90ac7e3480a335616bbec05d9040.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 2016	748	NEAS.563f90ac7e3480a335616bbec05d9040.exe	86
PID 748 wrote to memory of 2016	748	NEAS.563f90ac7e3480a335616bbec05d9040.exe	86
PID 748 wrote to memory of 2016	748	NEAS.563f90ac7e3480a335616bbec05d9040.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.563f90ac7e3480a335616bbec05d9040.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.563f90ac7e3480a335616bbec05d9040.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7A37RD0G\default[4].htm

Filesize
304B

MD5
57e90e4154b7cd9f1ef8a42a680d4eb6

SHA1
e9e1cdb76f921a0579fe13b55645c58bf2406144

SHA256
5f43170f230ecbe938dae2f5ab36fb2a0fae41195154fe8df32d6016f957fdf3

SHA512
9ce03985f48ab068de1de5d3cb8bd0e2b63280ad4eabc1280ab39d1d1b215291da6c1a7bb3f1b68b7e3ceb571a3cfc1de5b998e2a61100eda530e0e169bf0033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7A37RD0G\default[8].htm

Filesize
311B

MD5
cb42662caffe525e9957c942617edf06

SHA1
615009db9a1a242579e639ee0fc7a2a765095bfe

SHA256
312bf5c9a1a122abc6361bf8ed01a44346285b962c0d273ef2de0eb796ae1b15

SHA512
3e6777f1f74f64fff6cb2bd1a81a6c08d9a64feeebc3deb7cacb8f0f41b23a5c59a8e6294b99c76dd386aaaf9043a1a252ac47910fe1801bdc2995f7b675692c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7A37RD0G\default[9].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GHMDQFFV\defaultQM6SR3OQ.htm

Filesize
303B

MD5
716cb7f5b783829c36e49996fc0bf627

SHA1
63471c20af48dd7052d63a695a12d86e2fc6871d

SHA256
6ad9b32ca3ec43c9017ab8f11b6f82e7ed43083efddf1ef74a3165f778312b40

SHA512
c3d126513cad64785ae5a16c5564cee6d7da1d26682d93d00a04937d9f98a89f54c74f5dda0c200c77f092fd8092db4f4f7a7a8544057eeb83d058f28fdf0346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GHMDQFFV\default[1].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GHMDQFFV\default[2].htm

Filesize
305B

MD5
f84538b33a071d01320a46b057aef921

SHA1
e7b43145855c43f8c5d43a9b39e707885c17294e

SHA256
e5a764c9c517f97e07ee2c8e1296e5f68ef436ea513eefb639fc40dffac6e1fc

SHA512
eff4fdc3ad9ba8f40b99b3e4f856546b5f2b17d0e715f4529a0c7f9e3150964a2b1625c0f734b643ff4496cfd9d256aa096c7e2c4e1911e6262dc9fd869dca5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GHMDQFFV\default[9].htm

Filesize
308B

MD5
5243568476eb2052b2f3b67dc9053e86

SHA1
b126aa6506772f9024b76580bdf28b45e3a7f051

SHA256
2d458622dc76eb87e44cc7db89309efdf50f99821145ae86864fd1b714cbaa80

SHA512
3c68cef4e3daa4bca6e8b3aa5a31874be1e4dec38fe9781c6fe4890980744527d0c6818eeb519f8e6b322118e1f08302d85972fa7da4ba8be9421aabf9a77833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X8T7NIZL\default[10].htm

Filesize
315B

MD5
14b82aec966e8e370a28053db081f4e9

SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649

SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf

SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X8T7NIZL\default[9].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X8T7NIZL\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3BAE.tmp

Filesize
29KB

MD5
72de84ada5d1f8c1c14145790ecdcc42

SHA1
75b3e0b1c4120d424c3048a75b8cba9e3ce7e977

SHA256
b65856fb86743573cadf193f683040ca8f0904b278c42acbafbfc8c441f03aa1

SHA512
8cbdcf8f1805441395794baf3bdd98ecb0f62575c6fa4e3c02c8921a859dfcd40cf57c6150e999bf8179271e1517d9c0812f6ba914cb5722f06bed2c0d44e418

Download Submit
C:\Users\Admin\AppData\Local\Temp\vryojvGcGs.log

Filesize
256B

MD5
d72c2a751c41d2a121aa81f99bc3753c

SHA1
c7451e7e090a231bf97036e1b697df3cf4c0ea69

SHA256
1c61f8b36a514e95541f462b73af3541a9315da6d21d598e0f0b77071a7e12c2

SHA512
baad4915e74c6155cbddc13265ff08981af2968d296bc8994890778a4f73c11b519890e8eba87454aacf14ced1f93ca96103e5b6ae1f703ad9befa8aead6e418

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
4ac937ad6929f0d427f423eae582566e

SHA1
2717395a9eb742369ad7a5db69de3f6914737220

SHA256
425cf778a658a5dd4dac66a80c18c6edf4724ddddce60ba1055b1438d4c8aa32

SHA512
7119694f8a7158647666dc7cf0f3217b3e520b43cadd18120df4d0b5d1ae6095d70e637bdad2e6d3d22a253dcdda0a8e7f09878121db8c634a44175fd5fab16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
e87d50a1f2e052d9e5990ecd0cb58eaf

SHA1
b076130eaf7e6f5b0986bb0099c21681eab0f6c1

SHA256
f68de384352e8eb13379f00caf279e86a21df1d927ebed0cc3597c95ea26622b

SHA512
713160b608ea0523d85523591ea71453d9d1b5de1c747a996109a92c7998a45821cddf4ba05baf77c898eb00f48dad25f0d1e2cb5a0c440586a2d36f6ab27d29

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/748-450-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/748-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/748-285-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/748-136-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/748-410-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/748-100-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/748-46-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/748-202-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/748-370-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/748-245-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/748-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/748-332-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2016-138-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-371-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-333-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-248-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-206-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-291-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-47-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-411-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-101-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2016-451-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads