342ff25c05649fb9ba1b103aca9e4bcc14bcc0be3406aa64e26e9a7557988197

General

Target

NEAS.d5181b938aba1dd59f7a52597a69a490.exe
Size

9.8MB
MD5

d5181b938aba1dd59f7a52597a69a490
SHA1

ef75310b339c5475390ce10a4c5a6bd4a70578a9
SHA256

342ff25c05649fb9ba1b103aca9e4bcc14bcc0be3406aa64e26e9a7557988197
SHA512

834502d38247bd15f56f11826a7f9971e1ce900bd382c985c6e60658dcc7575085a2c35256a12ab9108c792e6801559a43d172def482282e60a3da82d8394ea0
SSDEEP

196608:a8oIF/chXSyr4Rj+SEu03EnVxlXcC3YparCYxFvIt9:zyXprq+faPXpJvY9

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2620 set thread context of 3512	2620	NEAS.d5181b938aba1dd59f7a52597a69a490.exe	95

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	94	Go-http-client/1.1

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	NEAS.d5181b938aba1dd59f7a52597a69a490.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c0000000100000004000000001000000f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	NEAS.d5181b938aba1dd59f7a52597a69a490.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2620	NEAS.d5181b938aba1dd59f7a52597a69a490.exe
2620	NEAS.d5181b938aba1dd59f7a52597a69a490.exe
3512	more.com
3512	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2620	NEAS.d5181b938aba1dd59f7a52597a69a490.exe
3512	more.com

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 3512	2620	NEAS.d5181b938aba1dd59f7a52597a69a490.exe	95
PID 2620 wrote to memory of 3512	2620	NEAS.d5181b938aba1dd59f7a52597a69a490.exe	95
PID 2620 wrote to memory of 3512	2620	NEAS.d5181b938aba1dd59f7a52597a69a490.exe	95
PID 2620 wrote to memory of 3512	2620	NEAS.d5181b938aba1dd59f7a52597a69a490.exe	95
PID 3512 wrote to memory of 1176	3512	more.com	112
PID 3512 wrote to memory of 1176	3512	more.com	112
PID 3512 wrote to memory of 1176	3512	more.com	112
PID 3512 wrote to memory of 1176	3512	more.com	112
PID 3512 wrote to memory of 1176	3512	more.com	112
PID 3512 wrote to memory of 1176	3512	more.com	112

C:\Users\Admin\AppData\Local\Temp\NEAS.d5181b938aba1dd59f7a52597a69a490.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d5181b938aba1dd59f7a52597a69a490.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26201efc

Filesize
8.2MB

MD5
0a9bb9722fbd1cb2f12f9805ea30b02c

SHA1
6658afaea8757023d980f3612f3ac071a727c527

SHA256
baa8e776d702ab6e0fb0e42f1a38615d39c6b7f68b14aa401d111026183807bd

SHA512
78b087c491d42a0cf78640d6c303ff8973ac44bd3099795e1b2f3ea3a85f6b2726e10603ecc419a137fd27d32066fa889a9dcec83bb0f4cde6eb8f430b8c1629

Download Submit
memory/1176-22-0x00000000010C0000-0x00000000018A8000-memory.dmp

Filesize
7.9MB

Download
memory/1176-30-0x00000000010C0000-0x00000000018A8000-memory.dmp

Filesize
7.9MB

Download
memory/1176-29-0x00000000010C0000-0x00000000018A8000-memory.dmp

Filesize
7.9MB

Download
memory/1176-27-0x00000000010C0000-0x00000000018A8000-memory.dmp

Filesize
7.9MB

Download
memory/1176-25-0x00000000010C0000-0x00000000018A8000-memory.dmp

Filesize
7.9MB

Download
memory/1176-24-0x00007FFB4FA90000-0x00007FFB4FC85000-memory.dmp

Filesize
2.0MB

Download
memory/2620-10-0x00007FFB411E0000-0x00007FFB41352000-memory.dmp

Filesize
1.4MB

Download
memory/2620-7-0x0000028E72110000-0x0000028E72118000-memory.dmp

Filesize
32KB

Download
memory/2620-9-0x00007FFB411E0000-0x00007FFB41352000-memory.dmp

Filesize
1.4MB

Download
memory/2620-8-0x00007FFB411E0000-0x00007FFB41352000-memory.dmp

Filesize
1.4MB

Download
memory/3512-20-0x0000000075990000-0x0000000075B0B000-memory.dmp

Filesize
1.5MB

Download
memory/3512-17-0x0000000075990000-0x0000000075B0B000-memory.dmp

Filesize
1.5MB

Download
memory/3512-16-0x0000000075990000-0x0000000075B0B000-memory.dmp

Filesize
1.5MB

Download
memory/3512-13-0x00007FFB4FA90000-0x00007FFB4FC85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing