Analysis
-
max time kernel
160s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
07/11/2023, 19:37
General
-
Target
NEAS.e70138a1c1b8e6b35a380f95c137fdb0.exe
-
Size
357KB
-
MD5
e70138a1c1b8e6b35a380f95c137fdb0
-
SHA1
6aae6e20040326ba08b67c2c6beda09d56fd15af
-
SHA256
a81927c51edb65b66eeae6cf5510efeeba15303ba497c776fc50589e7d23de97
-
SHA512
c002cfe19ebdb7c2e923f9bd06e51cc901dc7e13f8a0f05a66bdde5ebbd1e9bba7fbb14c4bf52c512fcd5e99d08a0f94750f58779079171ebb8360ca326e0db9
-
SSDEEP
3072:kKiMRrpJENxmzTp6+obibNWdzgHwW0Kq6+oyUKTMHTyFExsARWol4rxM80M6+obT:kJMFLXTc+1nT+1MzyFIQrf0F+1nT+/
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e70138a1c1b8e6b35a380f95c137fdb0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e70138a1c1b8e6b35a380f95c137fdb0.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ddkpoelb.exeC:\Windows\system32\Ddkpoelb.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Embdofop.exeC:\Windows\system32\Embdofop.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ekcemmgo.exeC:\Windows\system32\Ekcemmgo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ejhanj32.exeC:\Windows\system32\Ejhanj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eljknl32.exeC:\Windows\system32\Eljknl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fchlhnlo.exeC:\Windows\system32\Fchlhnlo.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fjdajhbi.exeC:\Windows\system32\Fjdajhbi.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gjkgkg32.exeC:\Windows\system32\Gjkgkg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Glajeiml.exeC:\Windows\system32\Glajeiml.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hhmdeink.exeC:\Windows\system32\Hhmdeink.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ilpfgg32.exeC:\Windows\system32\Ilpfgg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Inflio32.exeC:\Windows\system32\Inflio32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Jahnkl32.exeC:\Windows\system32\Jahnkl32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Jakkplbc.exeC:\Windows\system32\Jakkplbc.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Koeajo32.exeC:\Windows\system32\Koeajo32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Kdbjbfjl.exeC:\Windows\system32\Kdbjbfjl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lilbdcfe.exeC:\Windows\system32\Lilbdcfe.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mmcnap32.exeC:\Windows\system32\Mmcnap32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mflbjejb.exeC:\Windows\system32\Mflbjejb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Opbcdieb.exeC:\Windows\system32\Opbcdieb.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Obcled32.exeC:\Windows\system32\Obcled32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Obgeqcnn.exeC:\Windows\system32\Obgeqcnn.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qmnbej32.exeC:\Windows\system32\Qmnbej32.exe24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aemqdk32.exeC:\Windows\system32\Aemqdk32.exe25⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bgdcom32.exeC:\Windows\system32\Bgdcom32.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Cgpcklpd.exeC:\Windows\system32\Cgpcklpd.exe27⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Cfglahbj.exeC:\Windows\system32\Cfglahbj.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Cggikk32.exeC:\Windows\system32\Cggikk32.exe29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Eggbbhkj.exeC:\Windows\system32\Eggbbhkj.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ffahnd32.exeC:\Windows\system32\Ffahnd32.exe31⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Fnmjkahi.exeC:\Windows\system32\Fnmjkahi.exe32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fmbflm32.exeC:\Windows\system32\Fmbflm32.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fcnlng32.exeC:\Windows\system32\Fcnlng32.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gagebknp.exeC:\Windows\system32\Gagebknp.exe35⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Hhjqec32.exeC:\Windows\system32\Hhjqec32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Hnfehm32.exeC:\Windows\system32\Hnfehm32.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ionlhlld.exeC:\Windows\system32\Ionlhlld.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ipcakd32.exeC:\Windows\system32\Ipcakd32.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Imgbdh32.exeC:\Windows\system32\Imgbdh32.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jkkbnl32.exeC:\Windows\system32\Jkkbnl32.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jddggb32.exeC:\Windows\system32\Jddggb32.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jmlkpgia.exeC:\Windows\system32\Jmlkpgia.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Jkeedk32.exeC:\Windows\system32\Jkeedk32.exe44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lamjbc32.exeC:\Windows\system32\Lamjbc32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Loqjlg32.exeC:\Windows\system32\Loqjlg32.exe46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lgqhki32.exeC:\Windows\system32\Lgqhki32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Mndcnafd.exeC:\Windows\system32\Mndcnafd.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Nbbldp32.exeC:\Windows\system32\Nbbldp32.exe49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oabiak32.exeC:\Windows\system32\Oabiak32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Oecnmi32.exeC:\Windows\system32\Oecnmi32.exe51⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ppmleagi.exeC:\Windows\system32\Ppmleagi.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pneelmjo.exeC:\Windows\system32\Pneelmjo.exe53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ahdpea32.exeC:\Windows\system32\Ahdpea32.exe54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bpggbm32.exeC:\Windows\system32\Bpggbm32.exe55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Blenhmph.exeC:\Windows\system32\Blenhmph.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Clgkmm32.exeC:\Windows\system32\Clgkmm32.exe57⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ccacjgfb.exeC:\Windows\system32\Ccacjgfb.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Chnlbndj.exeC:\Windows\system32\Chnlbndj.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cohdoh32.exeC:\Windows\system32\Cohdoh32.exe60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Clldhljp.exeC:\Windows\system32\Clldhljp.exe61⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Clnanlhn.exeC:\Windows\system32\Clnanlhn.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Dpnfjjla.exeC:\Windows\system32\Dpnfjjla.exe63⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Eflhiolf.exeC:\Windows\system32\Eflhiolf.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fckhnaab.exeC:\Windows\system32\Fckhnaab.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gcpaiq32.exeC:\Windows\system32\Gcpaiq32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Gcggjp32.exeC:\Windows\system32\Gcggjp32.exe67⤵
-
C:\Windows\SysWOW64\Hakhcd32.exeC:\Windows\system32\Hakhcd32.exe68⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Hcnnjoam.exeC:\Windows\system32\Hcnnjoam.exe69⤵
-
C:\Windows\SysWOW64\Iaiddajo.exeC:\Windows\system32\Iaiddajo.exe70⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Imbaobmp.exeC:\Windows\system32\Imbaobmp.exe71⤵
-
C:\Windows\SysWOW64\Idljll32.exeC:\Windows\system32\Idljll32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Jpgdlm32.exeC:\Windows\system32\Jpgdlm32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Mnjjmmkc.exeC:\Windows\system32\Mnjjmmkc.exe74⤵
-
C:\Windows\SysWOW64\Nqklfe32.exeC:\Windows\system32\Nqklfe32.exe75⤵
-
C:\Windows\SysWOW64\Pbkagfba.exeC:\Windows\system32\Pbkagfba.exe76⤵
-
C:\Windows\SysWOW64\Qbddmejf.exeC:\Windows\system32\Qbddmejf.exe77⤵
-
C:\Windows\SysWOW64\Cacmkn32.exeC:\Windows\system32\Cacmkn32.exe78⤵
-
C:\Windows\SysWOW64\Cefolk32.exeC:\Windows\system32\Cefolk32.exe79⤵
-
C:\Windows\SysWOW64\Dlpgiebo.exeC:\Windows\system32\Dlpgiebo.exe80⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Dampal32.exeC:\Windows\system32\Dampal32.exe81⤵
-
C:\Windows\SysWOW64\Dememj32.exeC:\Windows\system32\Dememj32.exe82⤵
-
C:\Windows\SysWOW64\Deoabj32.exeC:\Windows\system32\Deoabj32.exe83⤵
-
C:\Windows\SysWOW64\Dkljka32.exeC:\Windows\system32\Dkljka32.exe84⤵
-
C:\Windows\SysWOW64\Elncjc32.exeC:\Windows\system32\Elncjc32.exe85⤵
-
C:\Windows\SysWOW64\Echkgnnl.exeC:\Windows\system32\Echkgnnl.exe86⤵
-
C:\Windows\SysWOW64\Edihof32.exeC:\Windows\system32\Edihof32.exe87⤵
-
C:\Windows\SysWOW64\Eoollocp.exeC:\Windows\system32\Eoollocp.exe88⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Edkddeag.exeC:\Windows\system32\Edkddeag.exe89⤵
-
C:\Windows\SysWOW64\Eoaianan.exeC:\Windows\system32\Eoaianan.exe90⤵
-
C:\Windows\SysWOW64\Ekhjgoga.exeC:\Windows\system32\Ekhjgoga.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Eaabci32.exeC:\Windows\system32\Eaabci32.exe92⤵
-
C:\Windows\SysWOW64\Fojlhmic.exeC:\Windows\system32\Fojlhmic.exe93⤵
-
C:\Windows\SysWOW64\Fckacknf.exeC:\Windows\system32\Fckacknf.exe94⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Gdlnkc32.exeC:\Windows\system32\Gdlnkc32.exe95⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Gbdgpfni.exeC:\Windows\system32\Gbdgpfni.exe96⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Hbknqeha.exeC:\Windows\system32\Hbknqeha.exe97⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Hiefmp32.exeC:\Windows\system32\Hiefmp32.exe98⤵
-
C:\Windows\SysWOW64\Hcpcehko.exeC:\Windows\system32\Hcpcehko.exe99⤵
-
C:\Windows\SysWOW64\Ifplgc32.exeC:\Windows\system32\Ifplgc32.exe100⤵
-
C:\Windows\SysWOW64\Ickcaf32.exeC:\Windows\system32\Ickcaf32.exe101⤵
-
C:\Windows\SysWOW64\Imdgjlgb.exeC:\Windows\system32\Imdgjlgb.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Jijhom32.exeC:\Windows\system32\Jijhom32.exe103⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Jmpgfjmd.exeC:\Windows\system32\Jmpgfjmd.exe104⤵
-
C:\Windows\SysWOW64\Kblpnall.exeC:\Windows\system32\Kblpnall.exe105⤵
-
C:\Windows\SysWOW64\Kifhkkci.exeC:\Windows\system32\Kifhkkci.exe106⤵
-
C:\Windows\SysWOW64\Kboldq32.exeC:\Windows\system32\Kboldq32.exe107⤵
-
C:\Windows\SysWOW64\Kipkaj32.exeC:\Windows\system32\Kipkaj32.exe108⤵
-
C:\Windows\SysWOW64\Mebkbi32.exeC:\Windows\system32\Mebkbi32.exe109⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Mdjapphl.exeC:\Windows\system32\Mdjapphl.exe110⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Pggbdgmm.exeC:\Windows\system32\Pggbdgmm.exe111⤵
-
C:\Windows\SysWOW64\Qcppogqo.exeC:\Windows\system32\Qcppogqo.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Qqfmnk32.exeC:\Windows\system32\Qqfmnk32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ammnclcj.exeC:\Windows\system32\Ammnclcj.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Agcbqecp.exeC:\Windows\system32\Agcbqecp.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Babmjj32.exeC:\Windows\system32\Babmjj32.exe116⤵
-
C:\Windows\SysWOW64\Bfabhppm.exeC:\Windows\system32\Bfabhppm.exe117⤵
-
C:\Windows\SysWOW64\Cnbmolhd.exeC:\Windows\system32\Cnbmolhd.exe118⤵
-
C:\Windows\SysWOW64\Cmgjpi32.exeC:\Windows\system32\Cmgjpi32.exe119⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Chmnnamb.exeC:\Windows\system32\Chmnnamb.exe120⤵
-
C:\Windows\SysWOW64\Ceqngekl.exeC:\Windows\system32\Ceqngekl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-