d63cf732cf7d3eea185a7e0c55fa9c71b40888db76acf518c5aad9760f214e1e

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 12:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.daf79da48d0b207549d8a59038908200.exe
Size

5.8MB
MD5

daf79da48d0b207549d8a59038908200
SHA1

58d5f964750db644e5a5d4a0cb9a74aa54bce75d
SHA256

d63cf732cf7d3eea185a7e0c55fa9c71b40888db76acf518c5aad9760f214e1e
SHA512

3b6e75cefb8d71d4610e2c38e5f50560992196d43f062d865703e1228b8fc8e325d923bc398397a76404ad4f93c24450d710c2753911533ab00df99e552bd789
SSDEEP

98304:T1QTTN8/rZKW/CZGz2wYzxHrodCyMUS8a1KppzVrC3mwJWoDnbz45Az95uX/ppDl:5yN8BKEz2wYxHroU/USB1MBBcmYnb1hy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2228	NEAS.daf79da48d0b207549d8a59038908200.tmp
2304	unzip.exe
3064	unzip.exe

Loads dropped DLL 7 IoCs

pid	Process
2508	NEAS.daf79da48d0b207549d8a59038908200.exe
2228	NEAS.daf79da48d0b207549d8a59038908200.tmp
2228	NEAS.daf79da48d0b207549d8a59038908200.tmp
2228	NEAS.daf79da48d0b207549d8a59038908200.tmp
2228	NEAS.daf79da48d0b207549d8a59038908200.tmp
2228	NEAS.daf79da48d0b207549d8a59038908200.tmp
2228	NEAS.daf79da48d0b207549d8a59038908200.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main	NEAS.daf79da48d0b207549d8a59038908200.tmp
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	NEAS.daf79da48d0b207549d8a59038908200.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	NEAS.daf79da48d0b207549d8a59038908200.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2228	NEAS.daf79da48d0b207549d8a59038908200.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2228	NEAS.daf79da48d0b207549d8a59038908200.tmp
2228	NEAS.daf79da48d0b207549d8a59038908200.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2228	2508	NEAS.daf79da48d0b207549d8a59038908200.exe	28
PID 2508 wrote to memory of 2228	2508	NEAS.daf79da48d0b207549d8a59038908200.exe	28
PID 2508 wrote to memory of 2228	2508	NEAS.daf79da48d0b207549d8a59038908200.exe	28
PID 2508 wrote to memory of 2228	2508	NEAS.daf79da48d0b207549d8a59038908200.exe	28
PID 2508 wrote to memory of 2228	2508	NEAS.daf79da48d0b207549d8a59038908200.exe	28
PID 2508 wrote to memory of 2228	2508	NEAS.daf79da48d0b207549d8a59038908200.exe	28
PID 2508 wrote to memory of 2228	2508	NEAS.daf79da48d0b207549d8a59038908200.exe	28
PID 2228 wrote to memory of 2304	2228	NEAS.daf79da48d0b207549d8a59038908200.tmp	29
PID 2228 wrote to memory of 2304	2228	NEAS.daf79da48d0b207549d8a59038908200.tmp	29
PID 2228 wrote to memory of 2304	2228	NEAS.daf79da48d0b207549d8a59038908200.tmp	29
PID 2228 wrote to memory of 2304	2228	NEAS.daf79da48d0b207549d8a59038908200.tmp	29
PID 2228 wrote to memory of 3064	2228	NEAS.daf79da48d0b207549d8a59038908200.tmp	31
PID 2228 wrote to memory of 3064	2228	NEAS.daf79da48d0b207549d8a59038908200.tmp	31
PID 2228 wrote to memory of 3064	2228	NEAS.daf79da48d0b207549d8a59038908200.tmp	31
PID 2228 wrote to memory of 3064	2228	NEAS.daf79da48d0b207549d8a59038908200.tmp	31

C:\Users\Admin\AppData\Local\Temp\NEAS.daf79da48d0b207549d8a59038908200.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.daf79da48d0b207549d8a59038908200.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\is-KU5N4.tmp\NEAS.daf79da48d0b207549d8a59038908200.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KU5N4.tmp\NEAS.daf79da48d0b207549d8a59038908200.tmp" /SL5="$5015E,5226587,1089536,C:\Users\Admin\AppData\Local\Temp\NEAS.daf79da48d0b207549d8a59038908200.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\unzip.exe
    "C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\unzip.exe" -P qwerty0987 -d C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\301AAFF8-3991-54AE-EB4D-AC16BB6BB3FB C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\R8YVKYYIZ.zip
    3⤵
    - Executes dropped EXE
    PID:2304
- - C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\unzip.exe
    "C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\unzip.exe" -P qwerty0987 -d C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\301AAFF8-3991-54AE-EB4D-AC16BB6BB3FB C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\CCG3YRAGI.zip
    3⤵
    - Executes dropped EXE
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab9B67.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9BC8.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\301AAFF8-3991-54AE-EB4D-AC16BB6BB3FB\Install\info.xml

Filesize
2KB

MD5
5c120121c3f8aaab688f582f194de200

SHA1
799bad92fa17e7a59f48ab119c730d03d74c97d1

SHA256
c77b1074694dea3f9d3e9868c787d78a0b47d6fbca82484b289542fcf6154150

SHA512
be8d0839b0b363cb7a489bac085e074eae0cf3229a5dc736b9bbe344139d181a807dd573555ce46e60f09b89226e3bf0621be6e8a51f9c2fbd2e73c828896e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\301AAFF8-3991-54AE-EB4D-AC16BB6BB3FB\install\0\offer0.html

Filesize
18KB

MD5
48c21f401fc06ec0a10d004bad0ba956

SHA1
aa48c7c7505fdac93075c01da2345ed6cdaf6efe

SHA256
1b26e842227751cdec46f10ee8c1bbf88243563e454688b781a7993905476a6d

SHA512
f1c855b448b29475f0eda6710683a8fc0119145a68ba703e9acd3601a3ee65bdac9dfb58acfcb7381b0b3c98afd3f1d8c98cfb48e93271297a9b87b7a3d4989d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\CCG3YRAGI.zip

Filesize
3.4MB

MD5
48c2987f19c6d1330c9f614ce92615e8

SHA1
82056152e74d22fef298c448173e95fbd9693e13

SHA256
2bf2064ccbc7ff3fadebf1c9ff16efb00b8e54b431bc736831700dd7008a880f

SHA512
43865c48e691d8458e518fd1f98dd9aa038fed481b22f2077cc19febbabed0fd8575325efbdcb15f702f29223969b60f94d180b759b34260b57eb0341b61db61

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\R8YVKYYIZ.zip

Filesize
174KB

MD5
b3aa99f3b0222a475ea1d9de203a1d73

SHA1
ba9d76843cb2d94ac8f1de0122d1af81085dc79e

SHA256
044fb286786698953478bd26981faa528bd155ed83e91e7e200433bf0416cd4f

SHA512
88f1f0320c0e4b4192d9cc42b1a719579361de080e2cef3be738fb56bc8a88a40b436d930096e90693c620f0088a5c58164d9dbb05f979d7d1616ac802ef545e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\unzip.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\unzip.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\unzip.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KU5N4.tmp\NEAS.daf79da48d0b207549d8a59038908200.tmp

Filesize
2.8MB

MD5
35efaf74b110d284e1c6487c128ce90b

SHA1
75af2e48bf8860e3b35c370393b849fa18f8249d

SHA256
ca838aa7346c05b523066f8871698fbe80018d4c39b57947cdff1f1dbde8980a

SHA512
24fc6cb5f061c7c146ef98c16a1aa774cad5f87ee0bfe11c769620ffb7665e58282a67c023c1651c83004f036583647139e43676d9d7a5f0055ce12ec2c8f142

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KU5N4.tmp\NEAS.daf79da48d0b207549d8a59038908200.tmp

Filesize
2.8MB

MD5
35efaf74b110d284e1c6487c128ce90b

SHA1
75af2e48bf8860e3b35c370393b849fa18f8249d

SHA256
ca838aa7346c05b523066f8871698fbe80018d4c39b57947cdff1f1dbde8980a

SHA512
24fc6cb5f061c7c146ef98c16a1aa774cad5f87ee0bfe11c769620ffb7665e58282a67c023c1651c83004f036583647139e43676d9d7a5f0055ce12ec2c8f142

Download Submit
\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\unzip.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\unzip.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\unzip.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\unzip.exe

Filesize
164KB

MD5
75375c22c72f1beb76bea39c22a1ed68

SHA1
e1652b058195db3f5f754b7ab430652ae04a50b8

SHA256
8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

SHA512
1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

Download Submit
\Users\Admin\AppData\Local\Temp\is-AOJ64.tmp\webview.dll

Filesize
576KB

MD5
a1f5e05431b55f06f0d122241681a942

SHA1
24862e478cbe762edb7054f83a9f85ceedf4bb29

SHA256
c2d0083b14066001a850b2c361864c94bdecd2659e089eff295c85c5df138bec

SHA512
e3008aab690960141f197ad3b676494a4be2457fffbcc1825eb19dfd64fd8065a60b362ed41590b55517b9d0ffe4497314f63047a1449e826999b58e011e3ea5

Download Submit
\Users\Admin\AppData\Local\Temp\is-KU5N4.tmp\NEAS.daf79da48d0b207549d8a59038908200.tmp

Filesize
2.8MB

MD5
35efaf74b110d284e1c6487c128ce90b

SHA1
75af2e48bf8860e3b35c370393b849fa18f8249d

SHA256
ca838aa7346c05b523066f8871698fbe80018d4c39b57947cdff1f1dbde8980a

SHA512
24fc6cb5f061c7c146ef98c16a1aa774cad5f87ee0bfe11c769620ffb7665e58282a67c023c1651c83004f036583647139e43676d9d7a5f0055ce12ec2c8f142

Download Submit
memory/2228-12-0x0000000003230000-0x0000000003245000-memory.dmp

Filesize
84KB

Download
memory/2228-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2228-107-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2228-108-0x0000000003230000-0x0000000003245000-memory.dmp

Filesize
84KB

Download
memory/2228-109-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2508-105-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download