2ea45528d5b218bead08ce3d72a6fdfab8e8ae64cf3caf33170b28299aec77a9

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1f9fa557b75a40dff4932fe8ce40a160.exe
Size

29KB
MD5

1f9fa557b75a40dff4932fe8ce40a160
SHA1

d65a4856da952e3d540237d5049f6b4167d3f00e
SHA256

2ea45528d5b218bead08ce3d72a6fdfab8e8ae64cf3caf33170b28299aec77a9
SHA512

923e0cae27de61542875604d5353acfb53939836c6d580175064b9211dce51ed5ae1f759c1e81f3acc962b708b23893453885edd80a373c3b21f6d583a94e157
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/SO:AEwVs+0jNDY1qi/q1

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3468	services.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4956-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000022e44-4.dat	upx
behavioral2/files/0x0008000000022e44-7.dat	upx
behavioral2/memory/3468-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4956-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3468-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3468-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000500000001ea12-39.dat	upx
behavioral2/memory/4956-55-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3468-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4956-116-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3468-117-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4956-164-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3468-165-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4956-223-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3468-224-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4956-276-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3468-277-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4956-316-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3468-317-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4956-363-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3468-364-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4956-405-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3468-406-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4956-439-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3468-440-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4956-485-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/3468-487-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.1f9fa557b75a40dff4932fe8ce40a160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.1f9fa557b75a40dff4932fe8ce40a160.exe
File opened for modification	C:\Windows\java.exe	NEAS.1f9fa557b75a40dff4932fe8ce40a160.exe
File created	C:\Windows\java.exe	NEAS.1f9fa557b75a40dff4932fe8ce40a160.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 3468	4956	NEAS.1f9fa557b75a40dff4932fe8ce40a160.exe	86
PID 4956 wrote to memory of 3468	4956	NEAS.1f9fa557b75a40dff4932fe8ce40a160.exe	86
PID 4956 wrote to memory of 3468	4956	NEAS.1f9fa557b75a40dff4932fe8ce40a160.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.1f9fa557b75a40dff4932fe8ce40a160.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1f9fa557b75a40dff4932fe8ce40a160.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1GRKGEIB\default[4].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1GRKGEIB\default[5].htm

Filesize
304B

MD5
57e90e4154b7cd9f1ef8a42a680d4eb6

SHA1
e9e1cdb76f921a0579fe13b55645c58bf2406144

SHA256
5f43170f230ecbe938dae2f5ab36fb2a0fae41195154fe8df32d6016f957fdf3

SHA512
9ce03985f48ab068de1de5d3cb8bd0e2b63280ad4eabc1280ab39d1d1b215291da6c1a7bb3f1b68b7e3ceb571a3cfc1de5b998e2a61100eda530e0e169bf0033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1GRKGEIB\default[7].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1GRKGEIB\default[8].htm

Filesize
308B

MD5
5243568476eb2052b2f3b67dc9053e86

SHA1
b126aa6506772f9024b76580bdf28b45e3a7f051

SHA256
2d458622dc76eb87e44cc7db89309efdf50f99821145ae86864fd1b714cbaa80

SHA512
3c68cef4e3daa4bca6e8b3aa5a31874be1e4dec38fe9781c6fe4890980744527d0c6818eeb519f8e6b322118e1f08302d85972fa7da4ba8be9421aabf9a77833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K1QHLR0H\default98QKAGD3.htm

Filesize
315B

MD5
e510f9586fd45ddb7f0c00cc01b5bb78

SHA1
0f49be1ea6f9228f7fa5877a74df5913d500f44c

SHA256
06dc56e918b87be102dbef5a82c2b9e572d2e4dd4e778026ab8aa59ec58c454c

SHA512
4a6cd27994a9bab95b152bd6be520dfa186b3b067345a350ced80933757ce875bf53cdaf3413ddf1ed14968adc233f7cb6bb2fcda0fa19c4d68e2e9d86416b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K1QHLR0H\default[2].htm

Filesize
304B

MD5
dd5a8e720501372b949fed5e71bd95a8

SHA1
14d768e0f629cb68a129e3284d0be3907f124259

SHA256
babe115ff9d634f8d88972cbcb83da4ef050073bf7285b710f3bf93de0a2de15

SHA512
3bb06bca41e68ecd1ed820e33c9b4fdb38056a6e653901a9ae1ceba385dea777508070cfcdc9b5e4ef4aff295bd9eeb24f926349188b8420e49337d871bdebfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K1QHLR0H\default[3].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K1QHLR0H\default[5].htm

Filesize
304B

MD5
51b7cc4a300128857f3324e025f28951

SHA1
9a13a684ac05af2dca8e14ab5c19c69dbdd40efe

SHA256
8b8aafe8b5d596e939526378123c25dcd77c059eba56f035fca2f3e0c9918290

SHA512
2b2b92fa8d60ad4ad0c4131cbff6b5d6a2c8c049c8aa1b888f2b0f5940a47e15f9f6ae6d119c10efe55c4860deeeae575fdcb9ed6fbdc08323e803f5070b95aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K1QHLR0H\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5A2S7N8\default[2].htm

Filesize
304B

MD5
3483bf8f41c9a3b9c4acd2c9be5d8d00

SHA1
fe960cf9b9744217b295ed86f66e80c58c4d6052

SHA256
9b402b64c9cddf2ce4c139df23fd6354b51bb218706076d0b6ed1c128df25535

SHA512
1df7f496dcd70238c3982e595964b552548a7100f3b238a65476cc57fb10e3e1d82c19ffc3f4d61ead29657623665126f3e09561bc0feb39f3aa189f603757db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5A2S7N8\default[3].htm

Filesize
302B

MD5
5d9ceb5ca7f66e750f97e324deb4cee5

SHA1
6628b12712c95a147ca0097572adef1b4e0c62ab

SHA256
f8d4d41f2dd1cbd0f05f4b824318668660c1ce3db0a15307d2699f356066632d

SHA512
580109466f31cd0ab3d4f911c34442fb8f2afc82ba1cc60ceefdcbd3c704cf3c7fef6050b181581d3eb7fcfb80f9575063af7269cd2e1c4e67215100cdbc668c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5A2S7N8\default[6].htm

Filesize
306B

MD5
550379217493ee8717fc3e3d4fa13cac

SHA1
818a353efc5e626fb3994615e75cf98ed1ed77fe

SHA256
f80e2736a817ca49088e7f671f832dac4566233b1c9c1c75d42308bf6705e56f

SHA512
dc4715dabb40202e454d501430a64f16704200c17d05e8209ac9e331edab4834daff25f572ce18031e4a2ca112d5fa2098b982f870e021ab9d1b3ce6497abe4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5A2S7N8\search[1].htm

Filesize
172KB

MD5
ba7a8c99c6e70fb2055fc94525fad04a

SHA1
059222204007a11b657c1c7ebcc2c07526b9f9e4

SHA256
92266b7f730c82ec2f6b1c771a5f72f49dfb5897b6a12142c8913fda9d172006

SHA512
b0ad52ee61a04ff6c615d6e8ced110fb01d0a5b507d1b3a9e1a11ef8d0ec86c08b125c124af45248b42b54366f1a71cfd60fa7a2afe405e032f10f469383365d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsh2p.log

Filesize
256B

MD5
c057b135e2be8e6517737fe1b551ac0d

SHA1
866ff3ed295a5f4b6e97e5df26a20e3b121275bc

SHA256
c94d6ba9e1108935155ea0236079b5da0512981cc8090665a665f2c5ddb6186e

SHA512
cedb824d13e67e3cc4ef2b4c2b9331baa3c35373e8ca685ab12ddb36f81337b3e2361d02b16441a185d73d5357ac49cb463a4c714f8ab18166f722a6785389aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC5A.tmp

Filesize
29KB

MD5
7791b599efac3b9880b510baca4f1b94

SHA1
c822cd3316908c2e46ac38b67b2948ee0a8fc94c

SHA256
ceb63676ab79ca1aca5b0acff9a183012b16317b264455e05d44acafd76f8954

SHA512
e747e97fd4d9c9ace3c1052b3dc357976cae1d2be0d5ba4735b1e1584ca42d0710d24ea7251aacfb6a8625dd7ae4c0de8e00a8d375d1063afcf927f07c90b54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
32722907f3b3aca2b3ee960d74effac9

SHA1
c01cbedc585bbcfef459640226cb9b8326fc5fbc

SHA256
8c7fce86c60fb69e9e11db685bd6731896b32e478f76a1f88d4d939402b61682

SHA512
db1490cf1343da7207443e60fb38135d1438356037aa4b985e30aa20c52b41407d9c2eea74c07f822bf64c0d98feb6cae2d16a494093b46cb00a2fc811d37d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
86f07141f6cc1c186705e546fff32071

SHA1
0fe7b2b472c93cab18c825f9c7641195ba5bce79

SHA256
42fdabf400bd79b8b54cdc8ee5f6029c768fbbfd749dcbef6daf3c7fea1b880d

SHA512
6d03df0ef81b117961c33940fdeaafac2c8dfb6e4de0f26079aa99b45282a68b5cdfb3a752883e8f7aa628d19d3de3a83e044a4acb2495a0cfefcbab9023de38

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3468-364-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-277-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-224-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-487-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-117-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-406-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-317-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-440-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-165-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3468-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4956-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4956-405-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4956-55-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4956-363-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4956-439-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4956-116-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4956-316-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4956-276-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4956-485-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4956-164-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4956-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4956-223-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads