9b9d8d9ac13835e2072862b3c274fbd16fd8229410dd91c4ce46b69a4097b827

General

Target

NEAS.34d3ee4b213867f883b596e4a238a3e0.exe
Size

3.2MB
MD5

34d3ee4b213867f883b596e4a238a3e0
SHA1

4a46b9238cab38277425f26fc5b0825bc478ed2f
SHA256

9b9d8d9ac13835e2072862b3c274fbd16fd8229410dd91c4ce46b69a4097b827
SHA512

b6f300ea7093abe0791630cc3ac1933fc4b2984d974fbb11d468443ea414797ddfc5d6dcd824fc8260ad9061ba9e7f2118503bc97a839813c9aab1bc145e98f9
SSDEEP

98304:NXuEMg9sB58cakcg08tVDucXS0CrcakcPMUmCDd2YOAcakcg08tVDucXS0Crcak7:z9sgdlb0XRqdlPMUDSAdlb0XRqdlO

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe

Loads dropped DLL 1 IoCs

pid	Process
1192	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1192-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral1/files/0x0009000000012027-11.dat	upx
behavioral1/files/0x0009000000012027-17.dat	upx
behavioral1/memory/1192-16-0x00000000234B0000-0x000000002370C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2120	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1192	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1192	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe
2708	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2708	1192	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe	29
PID 1192 wrote to memory of 2708	1192	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe	29
PID 1192 wrote to memory of 2708	1192	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe	29
PID 1192 wrote to memory of 2708	1192	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe	29
PID 2708 wrote to memory of 2120	2708	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe	30
PID 2708 wrote to memory of 2120	2708	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe	30
PID 2708 wrote to memory of 2120	2708	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe	30
PID 2708 wrote to memory of 2120	2708	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe	30
PID 2708 wrote to memory of 2668	2708	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe	32
PID 2708 wrote to memory of 2668	2708	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe	32
PID 2708 wrote to memory of 2668	2708	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe	32
PID 2708 wrote to memory of 2668	2708	NEAS.34d3ee4b213867f883b596e4a238a3e0.exe	32
PID 2668 wrote to memory of 2912	2668	cmd.exe	34
PID 2668 wrote to memory of 2912	2668	cmd.exe	34
PID 2668 wrote to memory of 2912	2668	cmd.exe	34
PID 2668 wrote to memory of 2912	2668	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\NEAS.34d3ee4b213867f883b596e4a238a3e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.34d3ee4b213867f883b596e4a238a3e0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\NEAS.34d3ee4b213867f883b596e4a238a3e0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.34d3ee4b213867f883b596e4a238a3e0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\NEAS.34d3ee4b213867f883b596e4a238a3e0.exe" /TN xBNTVgtW2169 /F
    3⤵
    - Creates scheduled task(s)
    PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN xBNTVgtW2169 > C:\Users\Admin\AppData\Local\Temp\ZrXN5q.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Query /XML /TN xBNTVgtW2169
      4⤵
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.34d3ee4b213867f883b596e4a238a3e0.exe

Filesize
3.2MB

MD5
800fb544343912cf3be904a310ac7076

SHA1
da1b5be6791289b8ca05f04d66dfabe393e0b805

SHA256
3c2b97a996836866dc8f160eca1e76c2f7a3aef58453ac5314f0141016b2e5da

SHA512
cc3fb2fb4461f4d18fcc42b1452e93b5788c8bd2f15b403a8fbab6beaa147c30fcae6e2c319a3501d47a8d82e8d3734090dfafa324e0a939ae2c90219bf2ba1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZrXN5q.xml

Filesize
1KB

MD5
6c16682b8631d1b386a350bef2a2a199

SHA1
7fec5cb5c59b9e1ddd26f569e100d94269c44859

SHA256
e4dc78d0c3e8b5d8a20b48cc51c630b1c797ec5a9109b0b436c4baae5ac72bbb

SHA512
71d67adf5e28723b11f68c9bd4eb3577f8bd967b826101531e518d7051910f22f404460171130b17ac2b7ffcc8f521ac420f4a593dba2dbfbf0ddb071c7e7415

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.34d3ee4b213867f883b596e4a238a3e0.exe

Filesize
3.2MB

MD5
800fb544343912cf3be904a310ac7076

SHA1
da1b5be6791289b8ca05f04d66dfabe393e0b805

SHA256
3c2b97a996836866dc8f160eca1e76c2f7a3aef58453ac5314f0141016b2e5da

SHA512
cc3fb2fb4461f4d18fcc42b1452e93b5788c8bd2f15b403a8fbab6beaa147c30fcae6e2c319a3501d47a8d82e8d3734090dfafa324e0a939ae2c90219bf2ba1d

Download Submit
memory/1192-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1192-2-0x0000000022D90000-0x0000000022E0E000-memory.dmp

Filesize
504KB

Download
memory/1192-16-0x00000000234B0000-0x000000002370C000-memory.dmp

Filesize
2.4MB

Download
memory/1192-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1192-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2708-20-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/2708-22-0x00000000001A0000-0x000000000021E000-memory.dmp

Filesize
504KB

Download
memory/2708-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2708-27-0x00000000002D0000-0x000000000033B000-memory.dmp

Filesize
428KB

Download
memory/2708-54-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads