bb4f5cfe022c484b52a0ca2d5e4cf7a2d7124bb995056fa7528f12bf7e499572

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4aedaf80187d6067311c3dc0d2be3230_JC.exe
Size

29KB
MD5

4aedaf80187d6067311c3dc0d2be3230
SHA1

f61804d5d008a5be8161f7d843d0a76b1e29fb4d
SHA256

bb4f5cfe022c484b52a0ca2d5e4cf7a2d7124bb995056fa7528f12bf7e499572
SHA512

32cf6eab911f458bc560711d28836604e04ab2a57b03b798b65eb46a0cd82642eca00fea3d28fc7d2aae6d89deb7098b44c672b11929ea536926b143adff4f09
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/1d:AEwVs+0jNDY1qi/qj

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3200	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/860-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0007000000022e62-4.dat	upx
behavioral2/memory/3200-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0007000000022e62-7.dat	upx
behavioral2/memory/860-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3200-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3200-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3200-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3200-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3200-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3200-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3200-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3200-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3200-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3200-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000500000001ea12-55.dat	upx
behavioral2/memory/860-100-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3200-106-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/860-144-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3200-145-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/860-216-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3200-217-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/860-253-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3200-254-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/860-295-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3200-296-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.4aedaf80187d6067311c3dc0d2be3230_JC.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	NEAS.4aedaf80187d6067311c3dc0d2be3230_JC.exe
File created	C:\Windows\java.exe	NEAS.4aedaf80187d6067311c3dc0d2be3230_JC.exe
File created	C:\Windows\services.exe	NEAS.4aedaf80187d6067311c3dc0d2be3230_JC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 3200	860	NEAS.4aedaf80187d6067311c3dc0d2be3230_JC.exe	86
PID 860 wrote to memory of 3200	860	NEAS.4aedaf80187d6067311c3dc0d2be3230_JC.exe	86
PID 860 wrote to memory of 3200	860	NEAS.4aedaf80187d6067311c3dc0d2be3230_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.4aedaf80187d6067311c3dc0d2be3230_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4aedaf80187d6067311c3dc0d2be3230_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K1QHLR0H\default[2].htm

Filesize
304B

MD5
8251fff4df202c8d6dd6aaf34f4838ea

SHA1
fa88f08dfdeaff6b86873d447fd26cb7d83a694d

SHA256
a17db628f6bdbf4cdc6fe029542404867306406510dbbdb57a047a75ac294962

SHA512
e9c0fe2a920377777bdda16a8744cf80d15e1d1b3c94b704f8a4c4cf54d2529ede4aea8a2d6d38f4e3c4d02f602edfed659db6613ac7c374e5214a201f16a3b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K1QHLR0H\default[4].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5A2S7N8\default[1].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5A2S7N8\default[2].htm

Filesize
304B

MD5
084f55ccad6fddfe1704851a5074a194

SHA1
844821de6a0f3c2410341af6b3979f6b59f16a3a

SHA256
b10034ade693ec98852ac56ed2b784c546aeb3f11593a7ece687b17c283cb4cf

SHA512
776a722ff79b1665f904be9972229f03b67c0a54c9ebb4b639d959e2c87398a3eb5930ebd7c2a03b14ccdbba380ae26ae1ffdbd1f65f8a900fddb4fde467aa31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5A2S7N8\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsh2p.log

Filesize
256B

MD5
82c3f5e9ac49412992f4e3e57e1cb495

SHA1
2c513ffa5e9048e8e62187cffdb23fadbb2ee0c3

SHA256
1794a8df6d46dc1e289e69ef8f8343a08c01b3b9c8cdd617ff127b486516c55b

SHA512
4902d4c525027af37de0e9fefe2f329934fb1abd1141c784fdcb5918adf16ee9752a6f6f7c2a0685fe2bad3dd307c43605651b943be6995710df4bb89ff60d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp117B.tmp

Filesize
29KB

MD5
70e444b86c8ece1ec6492ef858f4f640

SHA1
40f9d160c80edad206e346abd8a35c3fefcb5241

SHA256
42a207ed82852d1880eee9b7545ae4e1ccc5472b0d9789983bf54090a4990110

SHA512
b4600f6150011356335961beda1e5ba96b3e160a0a38b07b412d980d61ede77661e2adc615409810e269ee5eacb2dc4b5967abde28844aff81e5093c7be88785

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
c5c7068dd1e113d630dc1eef45703844

SHA1
4c470ed9cfcc130620ee63c447919e88d71525df

SHA256
7776229502b15e0022d7a4974475de097fc3ccd3c1d623e0179600a1b0b070fc

SHA512
b625853784d2e67a006d518ef874488b7798ef025b1d471a43021e11d4cb0e53f2692e267ad179f3d25e2da1b2a41a66f60ceedda272793d8f2526c832ce6deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
6ef2bda737b4d59060c6fb6d0ba1c728

SHA1
6c4afab4e3ab9f83d43510e7f9f01e542eb4565b

SHA256
203c12e0cc862a508fd7f9245145ad36fa607f382eaf602b30ab44f9912b8885

SHA512
eb71e78f64eaea35a28b6b6177ea53bdba841b942d3b731c7a989fff6235e2f7c477a57dba2a4012d86c13cec2b8c575a4a3644886a0389dd0a0cb555e38b13e

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/860-216-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/860-253-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/860-144-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/860-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/860-100-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/860-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/860-295-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3200-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-106-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-145-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-217-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-254-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-296-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads