aa5598a6a2fdc5b313e32ba137b11a7ba7e003829829d933d5f014ccf0db96b8

General

Target

NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Size

197KB
MD5

da0aa478d1e20da9ff1067ef91727470
SHA1

57e22d346a6a91aece6de1dca0c930dd7e3648df
SHA256

aa5598a6a2fdc5b313e32ba137b11a7ba7e003829829d933d5f014ccf0db96b8
SHA512

2fe328545dcbe1909a29010168e091547dec4e9c1ac83ec1bae6913b977f4f2ba080b67ee78cbf1c854c3352ccb036efa8a12c1bb84dcafe4eceb42e06022455
SSDEEP

3072:KhS7VD4/EnzzMUD8u8EC45xRS5b7lIf3GYHfqR1hAtTD5DyXglREK0c:dOizzb8uDxZCHlIZgEh5DyXglh

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022e1c-9.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e10-20.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e10-21.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1980	BFON.EXE

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\odt\\ISAQ.EXE \"%1\" %*"	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	BFON.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISAQ.EXE = "C:\\odt\\ISAQ.EXE"	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\P:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\R:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\U:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\I:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\M:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\Q:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\S:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\T:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\J:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\L:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\H:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\K:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\V:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\E:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\G:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
File opened (read-only)	\??\N:	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\odt\\UUTX.EXE \"%1\""	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\odt\\ISAQ.EXE %1"	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	BFON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\BGWHOT.EXE \"%1\""	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\odt\\ISAQ.EXE \"%1\" %*"	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\JRSXNQ.EXE %1"	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1980	BFON.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1980	1512	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe	86
PID 1512 wrote to memory of 1980	1512	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe	86
PID 1512 wrote to memory of 1980	1512	NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.da0aa478d1e20da9ff1067ef91727470_JC.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1512
- C:\PerfLogs\BFON.EXE
  C:\PerfLogs\BFON.EXE
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\BFON.EXE

Filesize
198KB

MD5
12bb3acd2febdbf7e7159f320ea9c3c1

SHA1
9b5a248bc390cb34fb24610132aa02190603e3a0

SHA256
5a67e349eff31e666544fb0d5e927986a069adeb2bee5f709efaa7d1f01bf79a

SHA512
773b874348fa54657909862264897d777563c275197361270eebc484cfbe57006fce138d01f2a6a7eefa92497f02cf84d19b803f81d765487af7f1aada23f523

Download Submit
C:\PerfLogs\BFON.EXE

Filesize
198KB

MD5
12bb3acd2febdbf7e7159f320ea9c3c1

SHA1
9b5a248bc390cb34fb24610132aa02190603e3a0

SHA256
5a67e349eff31e666544fb0d5e927986a069adeb2bee5f709efaa7d1f01bf79a

SHA512
773b874348fa54657909862264897d777563c275197361270eebc484cfbe57006fce138d01f2a6a7eefa92497f02cf84d19b803f81d765487af7f1aada23f523

Download Submit
C:\odt\UUTX.EXE

Filesize
198KB

MD5
5c026c0d657f12264f7ac3a985d144e9

SHA1
ed1416de780e5fc68e6e5223fdb15510367e9e9a

SHA256
f9e04beddfc260ef272499a9ffc55777e90fc3ae692c0b43afa13a31321b2a58

SHA512
2b2b686a2ea668b271999b6c21b8e5ee4949c22699fbb1942607d2d975bf60c7dc6d4ebf269cb5f0cd2501e06129629b0f53940dbabfae98ea314381a75b19bb

Download Submit
memory/1512-23-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1512-0-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1980-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-25-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-22-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1980-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-31-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-32-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-33-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-34-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-35-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-37-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads