fc1ac05de11ea9c643e812e0e0338df097f0218d6ab52bb10077efc166c9226a

Analysis

max time kernel
135s
max time network
132s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
11/11/2023, 05:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.fea9b51358edcbdf1faf93d99e929c30.exe
Size

90KB
MD5

fea9b51358edcbdf1faf93d99e929c30
SHA1

92fee6044040f13c91febe331aea31e06e132587
SHA256

fc1ac05de11ea9c643e812e0e0338df097f0218d6ab52bb10077efc166c9226a
SHA512

7996e3b2c205e8e29e0a3801e3bed882058977c6cfaffe4a586d6c82a2b9965569977086d0441d5b0f3c2f4ca5aba1bebd0e6960b7f0afe82b7bd99f8deaa05d
SSDEEP

1536:+fquQsebbn6SxrkLvrW4l9SLvUB7Oh18DQzRcsnk6raTM1HhGlKfbxSqtsk9B:4YHMvK4/SvUxOh1wQzjk6raTMJhVf9So

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8C7A6E21-8068-11EE-AF89-CE214F6E9BF9} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405851570"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1360	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1360	3044	NEAS.fea9b51358edcbdf1faf93d99e929c30.exe	28
PID 3044 wrote to memory of 1360	3044	NEAS.fea9b51358edcbdf1faf93d99e929c30.exe	28
PID 3044 wrote to memory of 1360	3044	NEAS.fea9b51358edcbdf1faf93d99e929c30.exe	28
PID 3044 wrote to memory of 1360	3044	NEAS.fea9b51358edcbdf1faf93d99e929c30.exe	28
PID 1360 wrote to memory of 2204	1360	IEXPLORE.EXE	29
PID 1360 wrote to memory of 2204	1360	IEXPLORE.EXE	29
PID 1360 wrote to memory of 2204	1360	IEXPLORE.EXE	29
PID 1360 wrote to memory of 2204	1360	IEXPLORE.EXE	29
PID 3044 wrote to memory of 1360	3044	NEAS.fea9b51358edcbdf1faf93d99e929c30.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.fea9b51358edcbdf1faf93d99e929c30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fea9b51358edcbdf1faf93d99e929c30.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1360 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca154484e5c0cc034087a650bcf6711e

SHA1
f5e43d08b57268d6774dddbad667e174b084582d

SHA256
79232cd6e004385a64be6dc953aaf7db85cf0574a91524b13be2cb069860444f

SHA512
291734d1987d4aefc90f166f7184b962fb01f8931c8e1215fdfbb2525ca062cfa4369e6674dbbeffd6b691908b4fe99d60f24c4cca39ac96da39c31b9e53896b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7110a13cb459c8a710fe3c4c4db00ee3

SHA1
fa3514bc29eddafa4f9d7a38f5954bd050e8f390

SHA256
d4c8c0fa9ba98867f4db411d2496528658a455470e08de5084c7b344ad2c34bd

SHA512
da5d5d74c793dab6ff4cc29d652c3230064097eb739d79d81e887d0c59c06b38e370f9e10c5bf922c88ee6981b4eca1876d7353efe8f7f6d76a4b7c3d61cd6c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
815b26c7ea7b8b6517ffb2f27ad13a77

SHA1
5c979bafed757bc5c3d97a256c2630d0a8d8dd4b

SHA256
57bffbf02f42287254e95ee3fdd1f0ae0b360398d1bed2762c7d70347d7f2819

SHA512
0f3d02acc2d3f79c619f6f6e3a2c4c3796097d9aed963da2be4756c91304aa3a2550c08285f873f4e5d7008d2e10d47dc479a7c2694693da9b28ba8a51ab3108

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ec94cfe135bb39df2e820056b77d2f8

SHA1
fe32b3e5f4d09fd376883e68acfcb42b1424f9e6

SHA256
1df09a677c9db4f2d0078c7c629ead6aae17693e5d22d13a9cb129eb43f0d288

SHA512
d75440cdbfedf15acec7732dcdeb9a2130568c91650b0d866867e3925f1b4157b03fca1dcbb277be35334a5c991a16052149df5b7a62677f105d23cc79dd2a1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8a4944e5d526cced18d2b33452c0a9f

SHA1
95b872558c6baf17dae6b97340743fb42577331e

SHA256
94877e4deb40cf5a880d07ffe564f6b61b36313f031f052f13c7d6310b27b040

SHA512
e4a196d265a678898e92836df45928097cef3c6dfe02b53fd7a68cdd15311a8107d13d4ea8a2dcdeda96135cba7b1cda1f339b48de3a87b9decbc81f32ca49e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83f61d8ec50f69047a5c656b9a9d7366

SHA1
31dbe24cb275d17e7089c0cec91c73a84d96361b

SHA256
fd383cead055e0a159ce1e6c967939aabc2bddee9628f662b6cb6a5ea81b094b

SHA512
93d1edf56f885eff484e02d07d114770c02bd35fc9cdb670812019b8e6d8f5a08ddba269b5f8e428a5bf158a51c05fe243bbcccb4448b92148cc7b6434e173ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7bc4b6201ce57b76f1855ffd161691e5

SHA1
abbe18fd9a4e0ebbe8ef6fa72163093e8bbc9d37

SHA256
7e779ef0b9a73c7185e0643b49f5d52597096f30163c5ba71632f156147441f2

SHA512
c812afdff3810691f4537ce9a33ea9b3d1817514b9ac1e16515e8ad9896510cb5536559e0a31365479ba5e5752af8ca191d119f99d31975d54512a9cee870809

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b53a48cf3e0ff2912f5be4fabfec9acc

SHA1
a3bcc52155e6de5d1d86dd62a0e3573ca2ece0c5

SHA256
de422fc091b7934ac5e20f88174ab504d3c97039159affc4215322697cd0f6b9

SHA512
0e760c716212ea90604a52503c567f47173aa17484bc740a9fbdce95097700f9681921ef6c92223dd7880e4970810296148806de4e84c4a8d5d488d11fb415d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0726fbebdc375698cf11cc51904c4fb9

SHA1
988dd808284185e105407e7bec386b5a5ef88260

SHA256
7f58811c21b107928ef6668552b666966186cd6669e54bd037c490ade1f7fcb2

SHA512
673fdee4332d3340faf11347a05c10e4032ee0008cbbd024d19f6659e10e5bc9b7143b6a870cd6e07d9ede396811dacd0b1057bc9a7445bf05f2eae9d3a962a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb76ef2d54d8801ff0329d992d44a324

SHA1
291a8164919904be70d2d0e2548b439446b8c1e3

SHA256
0e0470376c26b171da4b808b1c11f6b6b2c0b41ac03d5205d1eb94a6213781b6

SHA512
0047e0c35411cec528f3af8088a6cf149520c8e85d4a57586ec792a98c428f1207c659dcc532b589c57e38db3ffb0fe31ce71584d0be5a52a94e9f35975dcb94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab1a4e2359a515e59b81bcc66124a9d2

SHA1
611cd844251703c86528cd923df7939cfe2cb625

SHA256
22e988470d9d5a2d2763eea27a9fe8ca197d5897a25334cb7e35c41c34a2e59b

SHA512
b6c420acdb37920779045b71c4acd35c80f11b596894cffd894c32b0ddc585b1de7513a2f0738daece43d1ebb9ce154f56beb838e4650a1582aa6c5c90777f30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74cda36ac8c47283f95d25f632eef6a9

SHA1
ad17ffb09ae4e1589b49f1b807708eb8560c559f

SHA256
01f7f78cfc38de96b208af9d0898c4e9b52ae06dc27665f392002a0e7ee6860d

SHA512
caaacbd4a9e0d6afbb04d40b186a2d548fe59df23df388d2750dfffbb2b327189dcba71ae7557b2659307d93f0e90cf04a36713d53fc53d9966ee74cfc9817b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10743b506f1be12cb24d518842ee8d8b

SHA1
3203b02b51834bfeb7a7ef44b4c54329541a639d

SHA256
f28d60f985d924fcf67f7ad7bf3d44c7069cc0f4d4133323c8e4cec3678bfbf7

SHA512
dd6cb75600018f488d30af57b2e487b94b77040b1574bc4bd3bcc2eced98d11462788b42ac21d1c2a744b72dc1671e0544d2913bb03adf4ea0f27c5cad939ab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3fbdf235a27c7796ab6cc7633a5692f

SHA1
7aa136a6c6b07d76d34bf99d95ba69bd98b0d9c9

SHA256
415ebf60271fe78b3611241cdb2120d8ec82aaf9c1190f61a04dba657ccd05c5

SHA512
15109bad8d33442cbc00192348d4eeeafc95d85d22358a934b118aceb9fd864be3fefbe374f1a50086f1c83e21575be0f6b42240e9413505bdc0e0d396b10114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9f2f7ea38c4db4f0f8d221d85c3cd78

SHA1
caad86f614d99379e9b29b777702d821f41166ae

SHA256
4b0622f7d3da346f82bc475340f5f438504985a75ac1f53b59ba51730ff2e88b

SHA512
7479e3d7f85620c5eae1985efbdfe3b9c5f87d25df301c6fe38499b2798d4c32dd807e17d8127ef83e340a6b25b97865bb47fdf133b89b04e12d82f03aaf29d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5bfbddb330cb61731dcbbf341ee4bdea

SHA1
99e2b3d6b21e08dc3dca7f616259f85be77f36a6

SHA256
026b4b47530060f14cc73bb5c1df0843b37367233772531926ee81f6d12d8fca

SHA512
ffd14b3a3abce45c3ec1750be92727485938110db5d6a08a8e5844ca8a7dc897faf913e587ec236fda5d485fa159e4d550501feffbc4e12f5637c96cced990a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0aba8ebfc9eeaaefc5ce69ee7b864501

SHA1
316bdaf080501f197fe488228696ec5d3f8037dd

SHA256
3a6d58f069de57de2d2adf9f0155c627be12dfdd573b1c0544391fe33a172a8f

SHA512
e2274a46ad8eb302c5c7e347e2e456a350bf6291fd2ee4d59a6aead9a3e53264de10bad3cc1b871490d09403c321e25191a4c1c760738b84f63a004618cda8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4FD6.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5067.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/3044-3-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download