5d423aa9778e4e832b8c964ffc1ac3260c105d6234038d963143cad9fa11ed8b

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 08:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe
Size

29KB
MD5

f24f33e6069ccc5a6f1f75232d70cb90
SHA1

ed967350e365e39bf8d52001f74e99cda0423b86
SHA256

5d423aa9778e4e832b8c964ffc1ac3260c105d6234038d963143cad9fa11ed8b
SHA512

3274f098e240bc0246a72acc5beb83a25f3886efd324a8b57a614ac788a79620e8822f11c12d741f173e43e6e14ac2d442a1bbb7789e953c37a76feff93de425
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/xS:AEwVs+0jNDY1qi/q0

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2208	services.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2364-3-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0010000000015c28-9.dat	upx
behavioral1/memory/2208-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0010000000015c28-7.dat	upx
behavioral1/memory/2364-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2364-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2208-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2208-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2208-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2208-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2208-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000600000000f661-46.dat	upx
behavioral1/memory/2364-65-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2208-66-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2364-526-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2208-527-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2364-528-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2208-529-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2364-533-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2208-534-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2364-538-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2208-539-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2364-540-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2208-541-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2364-545-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2208-546-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2364-556-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2208-559-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2364-560-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2208-561-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2364-574-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2208-575-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe
File opened for modification	C:\Windows\java.exe	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe
File created	C:\Windows\java.exe	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2208	2364	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe	28
PID 2364 wrote to memory of 2208	2364	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe	28
PID 2364 wrote to memory of 2208	2364	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe	28
PID 2364 wrote to memory of 2208	2364	NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f24f33e6069ccc5a6f1f75232d70cb90.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ec0a1f6acbc546e867b4d6e3c8adcb1

SHA1
561d2afb1474d02bedd4f897a8c387836fe9ba31

SHA256
dfcf88b8df7357447e55684f5850a0011ca1e049bcdf26f666f660a411a32ee4

SHA512
1d69ef54c856b4c6a0f538b8b5555429b1dcb78173b3dad8f1a842b4a15cd103ce07f450270097811f1d201f7e5449697a701d1b13c40ead12bab1b202cca76c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67c0dca5c1dbba3c194b0db255d7efd6

SHA1
cca94311c91a3064288c3c73fa93e1d86aa24fa7

SHA256
0dc2f1e52c06be6be29f4cc73b04b97add5baba28f6174ceef4f32e4067b2f3e

SHA512
f7f27388632c263afa3c8f840fcf16d02ccf5797d1a02021f0cb2c16c221b5b556325b2c6b6434dbbb9377193c88b8850b3cad62e6fb0247e3cff2b5aba57b3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e0bfc07db39493f729993253c83447c

SHA1
21ee3c84e6350e2757780ccfe7694df3afcb8d25

SHA256
52f6c98e78aaca3394e11d2295fb403cdf8fd39326b1c018c23685436a322c7e

SHA512
0fa221d8c5fe4d8360a8c7728d21db376a13b08f2c49ad7358bd756bd49ccb4d890b68666d61e04e894c355cdd4d44f284dfb6261a5925e08ed66073dc77e7bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
18aff8664b340bc4b685682d7c3f3a74

SHA1
fb0baf72af834ef87a06ab38a4f82fdcfe8ce045

SHA256
4ced4b8531dd7928eec802d7bcdcf5b6abfecae25194c4b2e612bcf39c7b7197

SHA512
ced688afe594fbd1e01224822e8f544d3d6971161e8bd1017f16889d8a019542a26944d7651f30436afa64a0a91bebb570c197514d0198e982d2d7eb4621e88e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
155c86e9f885d8a88352d14adfb272c2

SHA1
410a2b2619938c781609cc56557cbc959c726c72

SHA256
8d15dc7848d6073749842a2c8ff10988db83907748ecbe448e1cc3e331296506

SHA512
38d9486422493e1d9e7117e6626498a8769b33d7fbe2baf80f828ccef3c66490da563c6f2c1a9be306f70f58646d1033c10262f6e7cd2887663852819703adc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5163adcd8e4a457a9adfda4d09761609

SHA1
6dd81a2ecc8f75dcbb98dec2f9ab52958a218b2c

SHA256
ce83c004b93f7024edd0def53e26bef1e90f2db8a4eef0cbed16a3552a00c1a5

SHA512
2de21c3a3273a5408317a89e39099aaeecf2e86ac29b567c316c7c3efe36b2aa02631673d3501e51c0cabdb04c52fed5ba88cb22db4dc6845e620fca09c1155c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a546690e2c0bd429d5de234060b4c9be

SHA1
4b192ec95bed1b6a502a9ed990feafb9f8641e5b

SHA256
a7f29b028119e1e243c3fadb36df8e23d147b4bf2d24b66ee3acbd1432419525

SHA512
9cf33d14a1014176f8a1847e65f6144ef56d01674f645e4f11a355c93ba81fd859473f0269bf1000a07a06ffdb424affdec6763759a8a604ac2f168a61f7eeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab69B2.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar69E6.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjFmsfu0.log

Filesize
256B

MD5
c8d6e345c676ce2434d11b0d2f10077a

SHA1
71ca9a0e05eab585ee1410158d69c51c37b5af4b

SHA256
e642fa0915f80a2f786b14100abc3f3752d18f90fdd46157888ce5bbaed8fc54

SHA512
80425f74f0f55286cd4c47d212b76266705fbc99818642804df7f0dccdf63108bc790d56ad7df039affb7f2d33dfcb39901946d17a4004206f421dd56924b3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6395.tmp

Filesize
29KB

MD5
50d1de247b4eafb327630059856240de

SHA1
c5baf5a8ded5d237f150ef58aed912f672301932

SHA256
c1b6d93eaaaf1fbb209fb54d193758ad9d1956042e1c57b4a76a6cc06f52ce9b

SHA512
da8d5dd9c897f238a4d3d9e31b50d152b886f1b380c7fcc445da1731c057b2f3a90315893c560ffad31edac10b0daea1defa1737b389e61968be06b043826170

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
340b91c85f89413c6afbc1700356f119

SHA1
d1250d85a6ef12bb25ef87167971fd00887d16d8

SHA256
e0d91e45c14ca08e4f273ec724483eb821f7a944d713bf66e8502ecd46abaf61

SHA512
6ab370d2176bdd28538287cd11c62e246f3534c35c1942e73ef07540fb28da71dec8ff5550dd47d1854563d659e65bbf9ed923bd572d7f0894ad69b7e255379e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
82cc4f90ccdf409fff9ed3c496cdfd36

SHA1
58b4cf03d552cd547ebe488b37fc1a5d9af7c837

SHA256
8cd01f748c4f77acabef538e43929be5f6d127d9ec3d192c7025ae8afd589698

SHA512
fa5216da2249694b3d804d60fa6a1c997318e2726ecd6f7b4b6c1c6a8cc869707ee07769dda31e606b5821e08bf82d651015c92b453fe2a72de47ed8a3bb2457

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
7ab0876ab601726130e10364439cd027

SHA1
f77e5f821f8c29f3f626d0f313d823cf1d760094

SHA256
68bd2221198ce7d5e8c29e0322b097eff199ee144a093dc2bbda0568e711473d

SHA512
678f64bf22b8f95a3a210af563573e6a9937150ed2cbdd85ae357aa4ce533d0c2cace28ba3aa730094f42ed693825abc74e3af4784f34fc1bb51a373341dba51

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2208-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-575-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-561-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-534-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-559-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-527-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-546-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-529-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-541-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2208-539-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2364-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2364-538-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2364-533-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2364-540-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2364-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2364-545-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2364-528-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2364-526-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2364-556-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2364-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2364-560-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2364-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2364-3-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2364-574-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2364-65-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads