606acd04899cc7a892ebf7a778bb59677d57a47c066f10dfad052c75c6fa5286

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
13/11/2023, 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
Size

29KB
MD5

10aa3d536a04d34bc9c675e6e4590140
SHA1

6355a4f1f50e0442399e87fc7d7bd39ef4ea54fe
SHA256

606acd04899cc7a892ebf7a778bb59677d57a47c066f10dfad052c75c6fa5286
SHA512

c01d3369fe8cd487a5a1cc81ec87217ffc88ec0db0227561f48ffa45b9d7ed4aa50a8aa027d3ac6fc7709e48ad00e6239f26c5670c47ee5cf345be585d6ee72e
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/i7:AEwVs+0jNDY1qi/qs

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1728	services.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120ed-9.dat	upx
behavioral1/files/0x00080000000120ed-7.dat	upx
behavioral1/memory/1696-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/1696-2-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1728-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1696-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1728-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-54-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1728-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed6-69.dat	upx
behavioral1/memory/1696-85-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1728-86-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1696-1111-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1728-1112-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1696-2028-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1728-2029-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1696-2977-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1728-2978-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1696-3577-0x0000000000500000-0x0000000000510200-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
File opened for modification	C:\Windows\java.exe	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
File created	C:\Windows\java.exe	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1728	1696	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe	28
PID 1696 wrote to memory of 1728	1696	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe	28
PID 1696 wrote to memory of 1728	1696	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe	28
PID 1696 wrote to memory of 1728	1696	NEAS.10aa3d536a04d34bc9c675e6e4590140.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.10aa3d536a04d34bc9c675e6e4590140.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.10aa3d536a04d34bc9c675e6e4590140.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a691040509ea07a8fd9e608dcbfd3ab4

SHA1
9fa0822a60c9aaf2753ef5af8070a322f7130331

SHA256
5b28c48f3820a020f9d3e274e6b0d197e467c147335e5bb88c162ebcbea72c44

SHA512
2d743616f28fe179d22cb9525a0ad7ff09e597a6569b8fd8f3ab5ee51dc10d495233e3175fd0c8be6b75e0871ea447f5e4fe23a8a4c1bb5890e12f2799527188

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f006622d4b4b63c36a7a0a69856763b

SHA1
9e7e3baa446b2527401f7efa4e8921eb8bd5cf64

SHA256
7c4a5829bf80363526aa66563908f4cec1f9b1f68debcc39395d8df8d24a661b

SHA512
d3dccc6f77ff3cf7742b49ded671044ab16b5628af439aecd516a8b7e2c34e4f9bab8d3d88544494bcdbac2cdd0500231d463cd7159cbfbea828d8ee93c91562

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01cce395517215e6dc5fff9a272393dd

SHA1
b92c5d593474ae9e69edf980aa69699b890f7eee

SHA256
ba600a2d01e1712f826599c8b2876d331a1c22bad7a87a06967cf67dfabe6eee

SHA512
350621a94409f547d9f6f6df43b1b514314e374437f8b23af0cc4790b3059d0cb0dd558e5de8204c8f0016f46e466e81265646d243259943434e0bdf59b170ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c8303fcd577f5dae315e5a34320bfb8

SHA1
c59849c270a5601eb55d231f98af60fa9aedb07e

SHA256
0dece3a6957b8ee12f6990394631a3b06ff09a33b0cfd33f1c924ca45b1d3264

SHA512
bce7762cd0a2bbe3f70f58a14fa42ec49f2a45dc517a4cea667e5eaa166fbeece523800ac24f605849e6e87aa1d5c157c7bb9d8a6fe5bb2fb8bed988e1c993ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90d87043c585ebcb33928058ba388eff

SHA1
e06a3fb28d4813a011ecefe991e4fd252f24d2f7

SHA256
56e87c50fbd5952e6b4917a4cbf0f8adb5fa73abce62681f961f01bc6f99543b

SHA512
a8cfb36b42a86a9f2283c31c73327eee76db3cb38c64887da5048db769e63b072442823d7a0ce4b9bb24b3251de04050dacf9595e9f1e35cb2dabedd68a863cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66f20c3f5b5699f31538e3966aa446e3

SHA1
589aab1ef3713422eef9a2af80a3f3a8bce7a00e

SHA256
8c6d1162745681df5932829ef757f5edcecd07fcbc73d46c138279e551502580

SHA512
fdf6b3af14aaea79c8098128d09979462cf8d5b954efd125538926d18cd7522b780f9ef281b066b76c8dd7698c6cddd0056e7f6ecc64a21b19319d3c8d3d4b02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa1abddce925b0a01b5896ef79fa22c5

SHA1
f57f658566940f3a2cfa29b3a9620cf3f539b3ec

SHA256
e84c1c9cbecccd07c20ea427866c41e20baa770a7bdc3c660f464693234d649b

SHA512
c7f8ead7c048f9f46da5b77e7d052955aa8dcf6bb939615da4589257e49cbf953c7570267980a1dba1b70f839dc8b145ebdee1c69d370a94b0a2c418b34ee390

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8bda32e9772afc2e457953388f7c09e5

SHA1
d6aef5fb83018a906066980b88b47a6477d015ec

SHA256
a28802da25fda6e9875993d449f73a2f0d3c721f2acc84821175f47c13db10cc

SHA512
24bac80e5016c02acb302116540f1eb23149e2d06853052264265b86e029e1789f1b139ebbe1e55f7df3602d38c810f4a174246f270aa7ef61efe008296d9f65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2fe76f91f4383d30a00e9a457d96ead

SHA1
9a6069acbb1ebd3c9765dae37a14349c4c221b4f

SHA256
25fa573e17a76ef30034bf694f0763c137d3caf7ee47d7cf37ccc86fa2cdd472

SHA512
314c0b7b780b5dc6d52ff5007d8ddf88626fb64c7bd3ca8be656ddfd129041fce1d5f7089d4889052636bbb4405474ae1e11be2e5a41d30316eeac730b174cc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee417af9564b68d40aa5ee650533d3e6

SHA1
1e3e42eb2149a57eb892fb9d98c7d8072e77cd12

SHA256
9f468bbf2745ba29d81c51a0c49e18f1cf4fdac81ae19ad6291f34b2706bd60f

SHA512
9c5bc7d93a60ed43e0805ad561da887e3024e5721f9aef911ed878dcb5031705e34a51cf80a29be68791b1d04778cd83b8ea5b7fcb1e4daf52132263e64275b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84cb552e0e876c489b44714908bb9cb8

SHA1
d54e5b3544d738a3bdbbbfc6503b0c7da368ea5c

SHA256
e1b9cf2bb664e93dcc3415beceb7c173360a0b2c91623755a25d05814b75ff97

SHA512
ca678a384804de070c95b690b2aae887fb795431240de0bd3f0d2daaf0e9ab111f6cdc41def99c7985ec010299b4231a6f961d29eb3c40d5d46973d75489f291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85d5755ac3dbf7c25a58d9c2a60bcd62

SHA1
a916fb04398cc095401d6e330b84e2f9d424e4a2

SHA256
36be0d042102278a5722dddb12d4b15d670842f4a1241e66ddcb5be29b892c58

SHA512
d0df028790de4748a3f46e5ec3bb62f0bd1db161efc6e7d8312e1659a5dc53460eae25a5367eb229248b7866e0f1476a46a4c536911b42d1e5372fcc3f3399c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97c2c3a2af1325139b7155262a4cdf11

SHA1
c2e9fcca8eca8f4ed80a3d9ff516b82805043f64

SHA256
24ad9ee925d66a68b2a830a6b54a4f1b0994f4b3644b4bdb011665c767341d52

SHA512
a6b37644031a55dcbce1e42ec23d417db79637e7391e7190b508c2a71bbf1983c62a515d69fae9c2a9fa51968cb9c6fe7328b45d1122e453b4c066bda1d2ea05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
016a7d87a59b483a0a5055b1ebde2fed

SHA1
cdfbffad36fbeea368aaf9ca7fec8ba88d0172c5

SHA256
a76d6cc167ea71e6abd1dfe598bcd3cc690794871c9d5bd21fd2b2b53b92be06

SHA512
ccc616265bf197bfcfeefff1ea6eb79ded4fdfe93f871ee2f90eb082feeaa1d746a67a5600f331477d78e5dfcf8af1701c6aa32628ee2e1ecbf7342508b8fa5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6816836ff369a8aa5fb5409665c7e585

SHA1
0240022ec60bd7966a216104bd50c26f60d53f70

SHA256
d46b1533b609976d4df400503e2a9a092fe384bb5d123965c659047bfc70aedd

SHA512
6ec8d2ec3e735ce32444dfa548f1f2be3f5162f48ee6f70291f1163d343026d39033b79a5238fdaf3aada787495c9f358e1caca76fa2c5e15fd1e9cfb8e61b70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0caf6f5f01c8ad2901310b92e621f1a1

SHA1
0b39daa64d3a6d6c740c527a1cc60c0e8137395c

SHA256
e839b7624cb5358e7092478a58b7909abbd8580c565b4cd4184c5bc37065abc3

SHA512
d2b9f677aab69bff969fef95a6bc8e504170a7f5b1225c0dc59ba49edbf01cef6ba034b196374242ec98e4cbd01e5ac065e5d65200828dc0e4cc8505bac81866

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d255fefd7e6a1e425deb6afcb564d82

SHA1
15b6de2e43fb99a6f2954c2cacfd53108648351e

SHA256
e7565ae3ea25f9dbdc24d8146627721fc14a03b9f7ed15666160e340bef4383d

SHA512
fa0656c36536500a56179dcd126a2c191d5103ead4bb3208c6262c5182bf3fe9b6c5e487c2f4646a5b5e42fd65531fcfc8c7967c87276e587b364716d6f828a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6fbadd6704d323b33df3871a40d66db8

SHA1
d0b2009386d6826bedd5bbc1ea92811b348a2897

SHA256
68f60117d5386364840ee7b5e9561a7d16c2672a23192790b3da6b3eeacbf415

SHA512
babcc6e579905f2ca2f87e3e6650b688a20b9f62ef91855bf7f8844f06281fd98fd38c530d7e2cb5dc229773fc0216426e4b04426cb359676c31a20377e2c21d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6663248a959979f307617762f72b7bcb

SHA1
a4432fc0578352baeb6a5f298f1557a44798c544

SHA256
a8760dd139bb80c97c2a1f20c6f782b581b7330f295a80c16c50fbe7a0e65a04

SHA512
2de5bfc881eb2eaecf8e9670a4430c5fc8ed9416f53de39d6c9ca443d8543da4161f59e127c9b8f70ab36591c0bfc5387c6a8baf0d3a8a677f5ec5493d90d7f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d94b51c5ffbb5d52fa01f8005256fa9

SHA1
31803cec1cfc274aaa1f011ef3321c21be8b9ba4

SHA256
62f77c32a3c37898eab99d74eb522d5ec341ab115ab2c558bf51ccf09c440e60

SHA512
2014839ebdcba3ecfeff2e3803673f022dbb8340e5f9717b6d28fc56221f52771c46a541753d8c5268fee1f2f4c46ce925097994830db76ecf82262332904e2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5aaebd10acb999dccbed057ebb87f01b

SHA1
eccb452f25c3e4afa34a62bb03223931f9a79c81

SHA256
ed30dfed3b10c52dbe17928d6b43b8fe87586ef233137567c90e02271065fe7d

SHA512
969548f2372227360c1332f736a7299fa86e0775a19b809f547bef951e50077423313b966a7e307a864a6fc124e6b29cf482f9b2222afa0f1d995e650f820eac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7fbc98778c9d1969612435b3e9a4305

SHA1
0c83e8944e6fed0daa2f9b06357355c79c0583c6

SHA256
c39db96e4d60ce26435f3651934fc591e8fa788987ff925c288e57cae300b72b

SHA512
7baf8d97afdebc72bfc4f4afaa9a849eeef31af3ed4abe63684287f91953455f28f4f7ca638daac92018feff0b2a3bc72e9fcc899e142a07b132b09bbaf724f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f37dc6a3a3f0919e31a6667a3e45d4f6

SHA1
659fa595ad0789ff27bab537a5296e965d12bf41

SHA256
816a52d57648ce18151f4f5a3e541de8a1bafb454079e1a168c0d7c33246cb2e

SHA512
50c5dbccdf749362d26b3e1e4f367f69855b5278e20fc6022f1b2a549e4b119a04b68531ac13cc09234b2157c517165f12831050753d5b94f6ccc35ef69fa898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f94f5596243a1075778d7e07c60b3986

SHA1
df56c1bbdf28d59fc1e04a0e5976f359458b65fe

SHA256
e257d282a12f1bb1aa6208fdc940cf89023911c49da110bc5d407a631fe986ff

SHA512
d377ea910900a0be252165924b61322419802101d666fb1fd6a09e9e310fb95adf2744f56333d958222829312cf7e725b80df180c9c8b5b5aa9ed7be8a4e5987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27fdb383739f14f855970ad8f024bce1

SHA1
444bc2fc8355e715781f4c6b0732b90e46dce4aa

SHA256
f40ce65c68f4b033a505084c0c38c6f9059dd1be00f01b7cf2e7f269971b16a7

SHA512
a2ce2a134c48ddee2c2bcf27a339fdc1ccbee4f769a004585dc8dee9978edff3ce7765d9fa097ab537a76ef0118512d3d549ca88971b563fb9b8ade467de4fe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c04d85e02d3f2d3f84618c33742c5b81

SHA1
575c6b9ba5f2e03c711c8ac9090376ef552fd01a

SHA256
beb12e585fd73ae641f9fc60e70bbd6096c18eaebce7a7bbfd144bd10e04cb3b

SHA512
5fa2e53fb68f5901d6c87e59e4eaedc498f185e2c9896f4d32cfefba48942d3a66f4ae7bf33af89aa3d2470082b5464b0743513c646b2225c822289208f0f040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
82dcaab3d3cec2a7a50fb1ee4c89f063

SHA1
d13b83bbd4ac0a6bebca602352e5e28f690c28d1

SHA256
f1f3042214968301c606c03a64ce2ad02bea4bee9f1c3e0a73fdc1e8154ec71e

SHA512
5ae8bef43a93dbadc11a14238d6bd29a894091f94c78fe46e23182aec1de631217f6665c9710c0d9c8fa3c10118e67d436d1f99b15d966ee96cecbc41900ec72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16d976ae3df01ac6c1d2f36cc667457a

SHA1
a3126fd83c1b86ad67c3661326e72be7aaa262c5

SHA256
1d6684dbf6755cc02983ed258507f364ef7b46f8716295dd9a297b0a5eb84da4

SHA512
54077dde6888be908b1ea8cb1587357308d0bcdcee389d15a54bf323aed1b5a8a1f505c5043aa00a59ff1aec3be32db4372faa1c707b1b674f2dbb85cd4df9f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fbf191f47066722895d50ce2de56e2a1

SHA1
6abd801c3fb9df733b9a4d75569e1dd06079fc7b

SHA256
b0392ab86b1b46594e102a180741fce2dc9164b13e3c9d4f852fa882548d3a32

SHA512
c3ba3c0710ebddc3b53341c5b52652cc235a1a0a662640e37cfa857023f49046b7964654d4e4db955e877b7b134b78fb1b806050027caa3e57b2a52660ab21c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a55f818846d363f1de2f64c464081d1

SHA1
be11acb1993f4f38d27728fe4db5b54e72e73c8e

SHA256
c7d9dc82599ad0f8553005b2867a0f59cd413a5e37845c84ecb3c404cfa290d3

SHA512
5061301c9fa961ad2adc339ec234302bef36d438984dffa2bf2e71d3ac4753554473706dfa5cd1064bad74b25529062324834ad2274f3f07799fee05fda8f7dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed497a97d64f3fa8cef993046ad919cc

SHA1
55e966c7c10ef5ac5ddbf5f7bdf09a803c5cc4ba

SHA256
42cc3a4faab0ec5e8036032d3139685aa68677022cb39dc13bb2109e7adc7ee7

SHA512
79be8493cb0ad5d8cd553ed390c3655f322ba07a1b001fe74e4803c724d80f320bc73879833384761a274653932dbe2f8e1c63ead08f60c0e37f62d795cfac4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3caac5f5ff0891668546b0eee0148b1

SHA1
8cff0d6dc53cbf24022aec57134a6acb45925f4a

SHA256
9cac4784c8faefb4be0d427c981752551ee5930390ee2e2106b6ff896229f020

SHA512
c51984064bd800dd668281a94c55c7489def36f7a1d61e398a7b1509098a1a7ffd44b5ee492090280d7780e1c93266bb0c5a182dee3370d904a7778a72f317ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba61c64bf403bfb3972c5394ec1e656c

SHA1
f055b84939b941b85056a068cbf142f79aadf067

SHA256
570b5985343d8098f450718b0012cfbb0b19b54b02dd2446e429d481d1734cc8

SHA512
b13ea9546b566516f7bfbf3db5ab1923d2153c15571b4edda9de8e13503591770801aa4d1b29eec10ad25a95e372edd121a58fc449aa695411a50dfc7fd200f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf3402186bdaa10efa9e257e6bec7aa1

SHA1
f07dead6d290eef8d62142ae63a57ab48ec22497

SHA256
86c831ccd8d4d2cc6cec622d6d00b1abdf62f14ee97841ff82433fd233c75b42

SHA512
33e6377de9c77fa3582a4e336ab8f68e9608c2c2b2d6da7a742598eaa175788a403ca2c2eb378610b2813d550d6bf75e7f1313c2b449acde4a8af44bd4a1ba5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WGHIKMU\default[1].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EN7EZ85X\default[1].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EN7EZ85X\default[6].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X62LAKSP\default[3].htm

Filesize
305B

MD5
46e42f26c7218d036d9d0608bfc83bbe

SHA1
9d6b068eaed89ceedda9e02e59cffdbdb8eb0207

SHA256
5578c64b4212b92c66773c8a2734fb1bcdc9a97d809417589262a5daefa866ef

SHA512
4fcc58402739d520c04d65b54584c4f0267779d244a73b22a2ed3bc502ae991524a7aaf768e30fdaa7c88803270f8494195ebf7aefec51624eeaab80df47083b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X62LAKSP\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF494.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF4F5.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE90A.tmp

Filesize
29KB

MD5
4fa846bef3da78f061c3ffb6bbff36e9

SHA1
f020aa4ddeb7d0b19ed910a348cab5c315e78f9b

SHA256
8d4b1e4844ee1975635fbf1c48071203fa69c6dc5602360abaf958088276bc05

SHA512
452784dfa5eab8398234ac21dfa6409cfe554cb3d5375993a7121596beaa9dd2e296f807c18aded65d0db21655cdbd72c287c7983b5ebf315ccfaaf22fa0ec1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
3f96acd46bccafc9d868d911adc2b086

SHA1
d7ffc7b85b3dc4cc15bdfe605408c23ca1ad0382

SHA256
6a1e6ef6a76362f77ff6a100a4837f0ae68c5807fc052864d1fe15e5c26cd7a0

SHA512
4676da2600d7709affc49ec82dd7cd2c7507ba85937dc83267756cccc8abef65897e4f1e8b3a95f4e783c8f190517a289e1bf131b05c8b7a6298e3ff8a5ab171

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
e995e16f31d0feba2d811e6e935610f4

SHA1
585aff050cba73989ea7e9a02a9f94d634ccecec

SHA256
804f4b10799c858b92d24f37247e9b0bb8b30db17c3026ecd11f36e889b4da8e

SHA512
5725aa3d008931c5309c0fe77cb07eac8c520409980c66c44cd312e4bdd94adba6c6d9a9595d9084d983db0ff45c40e2070cb7b7cf24ba788e9c5cf6359b554a

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1696-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1696-21-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1696-3577-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1696-1111-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1696-2028-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1696-2977-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1696-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1696-2-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1696-85-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1696-25-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1728-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-86-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-1112-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-2029-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-2978-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads