f1436070cb23e096c98b4c18088d8020208eb63f439bcac4c6721dcabfa3a60b

General

Target

NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe
Size

2.0MB
MD5

5532cedfcc93e170f1fa8f89dae99d50
SHA1

27ba738d613d0b7c56c3121c49530ebd6e7d3991
SHA256

f1436070cb23e096c98b4c18088d8020208eb63f439bcac4c6721dcabfa3a60b
SHA512

66213be0a706d528fcf5e572492304de4d6532d78d544b8dc05dd2eafd7452f8022cf57c5a89a82215195c2208fa0a1071462a0c90a89e447ee3b5971ec597bf
SSDEEP

49152:oRBKILo69MFGQ7ai7D3xTgOxYwpKWbazR0vKLXZ:a0ILo69MFD2i7D3xkOxYwpKiatuKLXZ

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2652	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe

Loads dropped DLL 1 IoCs

pid	Process
1564	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1564-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x00070000000120b7-17.dat	upx
behavioral1/memory/1564-15-0x00000000232E0000-0x000000002353C000-memory.dmp	upx
behavioral1/files/0x00070000000120b7-13.dat	upx
behavioral1/files/0x00070000000120b7-11.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2700	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1564	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1564	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe
2652	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2652	1564	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe	29
PID 1564 wrote to memory of 2652	1564	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe	29
PID 1564 wrote to memory of 2652	1564	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe	29
PID 1564 wrote to memory of 2652	1564	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe	29
PID 2652 wrote to memory of 2700	2652	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe	30
PID 2652 wrote to memory of 2700	2652	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe	30
PID 2652 wrote to memory of 2700	2652	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe	30
PID 2652 wrote to memory of 2700	2652	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe	30
PID 2652 wrote to memory of 2872	2652	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe	32
PID 2652 wrote to memory of 2872	2652	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe	32
PID 2652 wrote to memory of 2872	2652	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe	32
PID 2652 wrote to memory of 2872	2652	NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe	32
PID 2872 wrote to memory of 2724	2872	cmd.exe	34
PID 2872 wrote to memory of 2724	2872	cmd.exe	34
PID 2872 wrote to memory of 2724	2872	cmd.exe	34
PID 2872 wrote to memory of 2724	2872	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe" /TN OWfbD88d4b3e /F
    3⤵
    - Creates scheduled task(s)
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN OWfbD88d4b3e > C:\Users\Admin\AppData\Local\Temp\6WgXEJgSs.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN OWfbD88d4b3e
      4⤵
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6WgXEJgSs.xml

Filesize
1KB

MD5
5f34611760a30cb21de22770b01d30f1

SHA1
c6f9aa14b68bb42cd7ff32801037a9fd5c291dda

SHA256
79c0b903b59eb417d3989a1fcaea8fe74b0b7448ece0c105efdeaa2b2c7b8294

SHA512
01a85b23fe4c9f223ad40529f59cab4c3cc26eeb1737a7ee74d552702b68b6a6036e299a9692eb37a85caee1f64c7cafeac8e0b66bb73b95ae0ab75509d042d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe

Filesize
2.0MB

MD5
8e6c4d162ccae018dbb01a31402b41a6

SHA1
8e3f5d7ab59a3436a75319d8055826fc6f7f6efc

SHA256
00427164e71e1f25ae37f169d5e90c40bdd98a96f0c4ac32dabef30cee81203d

SHA512
2912cad6738a6cf1ec5efb4934564db3e9cf982d182d9deaf6dc8e5aa8e3ac0659abb92945e0983fee44e0a3aab5b61dbee226743d155f83d3f9c180ef574775

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe

Filesize
2.0MB

MD5
8e6c4d162ccae018dbb01a31402b41a6

SHA1
8e3f5d7ab59a3436a75319d8055826fc6f7f6efc

SHA256
00427164e71e1f25ae37f169d5e90c40bdd98a96f0c4ac32dabef30cee81203d

SHA512
2912cad6738a6cf1ec5efb4934564db3e9cf982d182d9deaf6dc8e5aa8e3ac0659abb92945e0983fee44e0a3aab5b61dbee226743d155f83d3f9c180ef574775

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.5532cedfcc93e170f1fa8f89dae99d50_JC.exe

Filesize
2.0MB

MD5
8e6c4d162ccae018dbb01a31402b41a6

SHA1
8e3f5d7ab59a3436a75319d8055826fc6f7f6efc

SHA256
00427164e71e1f25ae37f169d5e90c40bdd98a96f0c4ac32dabef30cee81203d

SHA512
2912cad6738a6cf1ec5efb4934564db3e9cf982d182d9deaf6dc8e5aa8e3ac0659abb92945e0983fee44e0a3aab5b61dbee226743d155f83d3f9c180ef574775

Download Submit
memory/1564-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1564-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1564-15-0x00000000232E0000-0x000000002353C000-memory.dmp

Filesize
2.4MB

Download
memory/1564-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1564-2-0x00000000002D0000-0x000000000034E000-memory.dmp

Filesize
504KB

Download
memory/2652-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2652-22-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/2652-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2652-31-0x0000000000470000-0x00000000004DB000-memory.dmp

Filesize
428KB

Download
memory/2652-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads