72f0c072b3648ff01d36046603d2ed2121e7443ecc993845b8776926409bb9e1

Analysis

max time kernel
149s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 09:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.24c4b4811fde53a0e08f4732a2429772.exe
Size

29KB
MD5

24c4b4811fde53a0e08f4732a2429772
SHA1

75c51fbedd8a472bbe7f59d2bb59048dc721260e
SHA256

72f0c072b3648ff01d36046603d2ed2121e7443ecc993845b8776926409bb9e1
SHA512

e8144ca3670f8f2731b27fb1e65ca97937cc8bb8a3296e9d0b86716dad6c8ecb779a95617d638b9fb6c61cb7e654eecd5835e24436b2172ceae84a4d08d93610
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Xdl:AEwVs+0jNDY1qi/qll

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2628	services.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4468-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000022dd2-4.dat	upx
behavioral2/memory/2628-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0008000000022dd2-6.dat	upx
behavioral2/memory/4468-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2628-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2628-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2628-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2628-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2628-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2628-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2628-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4468-47-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2628-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0006000000022e10-49.dat	upx
behavioral2/memory/4468-67-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2628-101-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4468-118-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2628-142-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4468-171-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2628-184-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4468-220-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2628-253-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4468-270-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2628-294-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4468-312-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2628-329-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4468-358-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2628-371-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.24c4b4811fde53a0e08f4732a2429772.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.24c4b4811fde53a0e08f4732a2429772.exe
File opened for modification	C:\Windows\java.exe	NEAS.24c4b4811fde53a0e08f4732a2429772.exe
File created	C:\Windows\java.exe	NEAS.24c4b4811fde53a0e08f4732a2429772.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 2628	4468	NEAS.24c4b4811fde53a0e08f4732a2429772.exe	86
PID 4468 wrote to memory of 2628	4468	NEAS.24c4b4811fde53a0e08f4732a2429772.exe	86
PID 4468 wrote to memory of 2628	4468	NEAS.24c4b4811fde53a0e08f4732a2429772.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.24c4b4811fde53a0e08f4732a2429772.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.24c4b4811fde53a0e08f4732a2429772.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5CVX12JG\default[3].htm

Filesize
303B

MD5
6a62ed00d5950a7aa3df6d446d0beb92

SHA1
608da2a7b63e92b731a7beb2d990405d7a6e9611

SHA256
7aaaf31ea9c2999c775008a4b769336c91d87dc8f6dc0a1015bb45c61bc39fdb

SHA512
10a77d30bd2a5a930233e79830ac6e0a695bcfacb4e33fe9a67a7dc4b4c0ffaf3ca6ce458bf2a6714b9c590997ff816f207bee87536516a2c8e711c3c161773d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5CVX12JG\default[4].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5CVX12JG\default[6].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5CVX12JG\default[7].htm

Filesize
308B

MD5
5243568476eb2052b2f3b67dc9053e86

SHA1
b126aa6506772f9024b76580bdf28b45e3a7f051

SHA256
2d458622dc76eb87e44cc7db89309efdf50f99821145ae86864fd1b714cbaa80

SHA512
3c68cef4e3daa4bca6e8b3aa5a31874be1e4dec38fe9781c6fe4890980744527d0c6818eeb519f8e6b322118e1f08302d85972fa7da4ba8be9421aabf9a77833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OAM0FGD0\defaultKZW1S3D5.htm

Filesize
305B

MD5
28d3586cf0fecdada411e6598d0d24b9

SHA1
87f72f1d3f9eb8682c25d9ffc0397064489903ff

SHA256
3f9df02aa51466baf3b4089857c0c9f84b40e8506a4322f3836ce2b995552593

SHA512
41e79f5946cbf77ec84555acb9cffecaeada064855c41a46b56c3102f0fb406a627d84347ac14a74768db87e93e68ca534887a32d4cf220e013ce24bfdfab0cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OAM0FGD0\default[1].htm

Filesize
302B

MD5
485828cfdc2c1efc0c51ff9b74dd34f8

SHA1
6f685134b031e9b2fff0eb8c7212c99bfba3719f

SHA256
615a15f6247f8f979b3a066801c98489018b1d137fd5d9b7bce73824acc70f06

SHA512
69736b9700c2f47feab282d8bf8bd6f02c9f62ecb9c02466b6cf76b1cd4b1becc70803123e73427c871c2aeb2eb64540edf95a342f78d9211ac0571e8fd1f426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OAM0FGD0\default[4].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OAM0FGD0\default[7].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OAM0FGD0\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC92.tmp

Filesize
29KB

MD5
3b27e83dc7b812f396fa0215cb99b5b6

SHA1
00801ff76149773030a4953b338fe3c30bb4cff5

SHA256
c4bbd915213b496b6501308e8104f52ae5fb730320b0c83a3d9e4fb32e41f825

SHA512
538cbd4b1115f10625cfadf30dca4505384dc184d8d4d213f7fecccb2a19af7b3b5cdc58265f355caa0140c70e55d8811cb1a34995494f32e32750d5318fc748

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
a40214bfc75678fbafbc8a7dde9e1552

SHA1
2511fc99415cd8e4aa63b6824e58cda735d6b98a

SHA256
51a9b6e2fb46711982f4818568eb44d7e109a5b5619506528c0ac40285ef0dfb

SHA512
eeedce1ad43e460c2b71775ade462c05f5abfc042a52621267cd0912baa19a69f76a95b1f3a2eb4a4edfb4348781006ae709a19a3a903c03e95c819df217a7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
c003d1b457225a0fa796e6a45508573f

SHA1
0ed9ffe4031c1f16395bebc6b267dfa709b045a6

SHA256
663a7cbf7969e1ce9bb016517c4835b0cc56b59aa84f714ffa92b5ba73147107

SHA512
e4c875cce09ade1e92e4a7727c2bcc1aca0978b04ea26f9f3e29974ec2697cf9dcb9257a542f66a101255c34c37243e6d0455a510cffd3e19ff1618b24c9f150

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
3ef630c1025c433aa8fc0244dcade464

SHA1
c61a01a868ddcd6d2dfef0697d44041c94691a01

SHA256
15c380737c7c76865e0220599bff330311dbb16ded85b82d03ee843e81afcf3e

SHA512
fae41742032a93fdea3b83f8083241ac21d6d1114ac792f88d9370df5c1a07210f21a3f40321b460aa7ed34ead0184f115cacad84e157104fe75d24fa4f981eb

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2628-253-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-101-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-142-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-371-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-184-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-329-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2628-294-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4468-270-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4468-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4468-312-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4468-67-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4468-358-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4468-220-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4468-171-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4468-47-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4468-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/4468-118-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads