5fea23e919d3ffa1fe5ca1ef80165f4d00e97e315098c8601f0b0ab8786bb327

General

Target

NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe
Size

241KB
MD5

08d6a612caf1d5fb25258af7c6857fb0
SHA1

e9153f122e7d708d2513c1d8a6f0e4ee972e09f3
SHA256

5fea23e919d3ffa1fe5ca1ef80165f4d00e97e315098c8601f0b0ab8786bb327
SHA512

bf3b91eaca64871be8de66a1f8a7944d486112868e72235e265e6b4d98b8a41b48bec7c90a8c6b64c611cd58046da83c2288be9b171eae51357b0dffff8e4608
SSDEEP

3072:oNzztfivMVMYuFkV3qBnFqOLp4mvy2ACh3+j5z8UcTr/C:oVz8YurEmvy2AChozwPC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2704	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe
1736	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\PROGRA~2\\APPATC~1\\rundll32.exe\" -vt yazb"	rundll32.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\APPATC~1\rundll32.exe:bla	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe
File opened for modification	C:\PROGRA~2\APPATC~1\rundll32.exe	rundll32.exe
File created	C:\PROGRA~2\APPATC~1\rundll32.exe	rundll32.exe
File opened for modification	C:\PROGRA~2\APPATC~1\rundll32.exe	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe
File created	C:\PROGRA~2\APPATC~1\rundll32.exe	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\APPATC~1\rundll32.exe:bla	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2704	1736	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe	28
PID 1736 wrote to memory of 2704	1736	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe	28
PID 1736 wrote to memory of 2704	1736	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe	28
PID 1736 wrote to memory of 2704	1736	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe	28
PID 1736 wrote to memory of 2704	1736	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe	28
PID 1736 wrote to memory of 2704	1736	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe	28
PID 1736 wrote to memory of 2704	1736	NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.08d6a612caf1d5fb25258af7c6857fb0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1736
- C:\PROGRA~2\APPATC~1\rundll32.exe
  C:\PROGRA~2\APPATC~1\rundll32.exe --ru -vt yazb
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\APPATC~1\rundll32.exe

Filesize
241KB

MD5
31a77b5ad4a7816591b384f0647c2a4a

SHA1
9b0c95f198183c7a9f71ec71eea6ff00110320fd

SHA256
9b3495beccc5e8d4d1a65a1706558b44aba15ecfa498e5010b91b8c3a61ff4a0

SHA512
9a3d9c8027a2e7ae2a0377026e70c6a4112428b79ec407950ab113634b200bf57cf9fb41fdf73f861922942ab9de6672d768bc18bc8855629f2b22b6ad97d951

Download Submit
C:\PROGRA~2\APPATC~1\rundll32.exe

Filesize
241KB

MD5
31a77b5ad4a7816591b384f0647c2a4a

SHA1
9b0c95f198183c7a9f71ec71eea6ff00110320fd

SHA256
9b3495beccc5e8d4d1a65a1706558b44aba15ecfa498e5010b91b8c3a61ff4a0

SHA512
9a3d9c8027a2e7ae2a0377026e70c6a4112428b79ec407950ab113634b200bf57cf9fb41fdf73f861922942ab9de6672d768bc18bc8855629f2b22b6ad97d951

Download Submit
C:\PROGRA~2\APPATC~1\rundll32.exe

Filesize
241KB

MD5
31a77b5ad4a7816591b384f0647c2a4a

SHA1
9b0c95f198183c7a9f71ec71eea6ff00110320fd

SHA256
9b3495beccc5e8d4d1a65a1706558b44aba15ecfa498e5010b91b8c3a61ff4a0

SHA512
9a3d9c8027a2e7ae2a0377026e70c6a4112428b79ec407950ab113634b200bf57cf9fb41fdf73f861922942ab9de6672d768bc18bc8855629f2b22b6ad97d951

Download Submit
\PROGRA~2\APPATC~1\rundll32.exe

Filesize
241KB

MD5
31a77b5ad4a7816591b384f0647c2a4a

SHA1
9b0c95f198183c7a9f71ec71eea6ff00110320fd

SHA256
9b3495beccc5e8d4d1a65a1706558b44aba15ecfa498e5010b91b8c3a61ff4a0

SHA512
9a3d9c8027a2e7ae2a0377026e70c6a4112428b79ec407950ab113634b200bf57cf9fb41fdf73f861922942ab9de6672d768bc18bc8855629f2b22b6ad97d951

Download Submit
\PROGRA~2\APPATC~1\rundll32.exe

Filesize
241KB

MD5
31a77b5ad4a7816591b384f0647c2a4a

SHA1
9b0c95f198183c7a9f71ec71eea6ff00110320fd

SHA256
9b3495beccc5e8d4d1a65a1706558b44aba15ecfa498e5010b91b8c3a61ff4a0

SHA512
9a3d9c8027a2e7ae2a0377026e70c6a4112428b79ec407950ab113634b200bf57cf9fb41fdf73f861922942ab9de6672d768bc18bc8855629f2b22b6ad97d951

Download Submit
memory/1736-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2704-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads