b24871aea30a4abd8828ff4201cbc655681d21bec634b54bf7d03a9efe0e311c

General

Target

NEAS.ada63bea8832d17f199a0bd651fff230.exe
Size

3.7MB
MD5

ada63bea8832d17f199a0bd651fff230
SHA1

93e9767bda2c8db60f31130a0e15a769e483d9d3
SHA256

b24871aea30a4abd8828ff4201cbc655681d21bec634b54bf7d03a9efe0e311c
SHA512

74e57e01a1651978cb933d9889bceff704d6386326cbbcf053d3850cd560c99e759eaa2e9764209224d6414d91645443153d1404342dedaa4f7a78d0ca0ecf2f
SSDEEP

98304:z8qvE2eJX+0ngCSSL6PmFmYrWrUj+ZtPDXU2he0psU:z8uedZgFSv1rFjQDXU2XpsU

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00060000000120e5-1.dat	acprotect
behavioral1/files/0x00060000000120e5-24.dat	acprotect
behavioral1/files/0x00060000000120e5-23.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
2572	NEAS.ada63bea8832d17f199a0bd651fff230.exe
2604	NEAS.ada63bea8832d17f199a0bd651fff230.exe
2604	NEAS.ada63bea8832d17f199a0bd651fff230.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2572-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x00060000000120e5-1.dat	upx
behavioral1/files/0x00060000000120e5-24.dat	upx
behavioral1/files/0x00060000000120e5-23.dat	upx
behavioral1/memory/2604-25-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2604-31-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2572-49-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	NEAS.ada63bea8832d17f199a0bd651fff230.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	NEAS.ada63bea8832d17f199a0bd651fff230.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2572	NEAS.ada63bea8832d17f199a0bd651fff230.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	NEAS.ada63bea8832d17f199a0bd651fff230.exe
Token: SeDebugPrivilege	2604	NEAS.ada63bea8832d17f199a0bd651fff230.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2604	2572	NEAS.ada63bea8832d17f199a0bd651fff230.exe	28
PID 2572 wrote to memory of 2604	2572	NEAS.ada63bea8832d17f199a0bd651fff230.exe	28
PID 2572 wrote to memory of 2604	2572	NEAS.ada63bea8832d17f199a0bd651fff230.exe	28
PID 2572 wrote to memory of 2604	2572	NEAS.ada63bea8832d17f199a0bd651fff230.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.ada63bea8832d17f199a0bd651fff230.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ada63bea8832d17f199a0bd651fff230.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Local\Temp\NEAS.ada63bea8832d17f199a0bd651fff230.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.ada63bea8832d17f199a0bd651fff230.exe" -sfxwaitall:0 "uTorrent.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\main.ico

Filesize
9KB

MD5
b80acc761c7b6e79f07c025428ae1bba

SHA1
05644594a68db487be3f568737a34f72f6043ac9

SHA256
16084d4d50747faa7fd27d255fc10d6694e451cb57643fed369251930e09f618

SHA512
92c689f2121e59a19873ffb6be5bd96a6d33a0e36af8ee654d5524ea6bc750858c764df70e9c05b3c49f9dfaa5bd3064a24dd6c8adf387e74d2b3917b200d501

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\uTorrent.exe

Filesize
4.5MB

MD5
bfefeac4bc2447bfda3ab718200db2e9

SHA1
49aa1da5becb748d974c71673ec497d8e63ad6b6

SHA256
1f39d582ff6e6ab4af6c377670c9e8c2b1859f0c2484b1cd9c28629c652161dd

SHA512
8b9f30417d78f4c999c63932ea57ad12660dfd59d4fc1d0e323e7af99025761fcf1a072387d3c8b5ce61599a8f94611f8c8831fd180e7d426a3a0d36478b616a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\uTorrent.exe.tmp

Filesize
4.6MB

MD5
4af1b9267cab4ffad2da7ba217b67bec

SHA1
6bf2c6caa24da2877798e619bb183254c3f78c4a

SHA256
d04dc91133545c47cac038556e08bd60e161f8568562e351b649b9d3c5c5b5b9

SHA512
e744f338e3310c039f4a4865b89392200501b3b7fe0c4987a997e0e8f2f0bb724b7b569fbaeed183c5f77aace91cbd30d978c89df1014a8fb5f51b1155eac32f

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\uTorrent.exe.tmp

Filesize
4.6MB

MD5
4af1b9267cab4ffad2da7ba217b67bec

SHA1
6bf2c6caa24da2877798e619bb183254c3f78c4a

SHA256
d04dc91133545c47cac038556e08bd60e161f8568562e351b649b9d3c5c5b5b9

SHA512
e744f338e3310c039f4a4865b89392200501b3b7fe0c4987a997e0e8f2f0bb724b7b569fbaeed183c5f77aace91cbd30d978c89df1014a8fb5f51b1155eac32f

Download Submit
memory/2572-5-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2572-50-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2572-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2572-49-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2604-26-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2604-32-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2604-31-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2604-25-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing