84cbd761093739803c2cbee30a06a7d0daba6179048f17aaaf5a43bbbef1e6fd

General

Target

NEAS.2c1f5ed62a1b4df993a0b95503423fd0.exe
Size

29KB
MD5

2c1f5ed62a1b4df993a0b95503423fd0
SHA1

1513ff1b12e1e18757ea74fffdb9565a0886df26
SHA256

84cbd761093739803c2cbee30a06a7d0daba6179048f17aaaf5a43bbbef1e6fd
SHA512

8ae0ee263e9b5ba7fbcae22a6bdd185beb25e6d6e2eee1da275a69fba6581c2654fb7b8f96d7fc12090eb2db22a262a96b584c6c2d6f60701d0ed8cabce07ec6
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/B7:AEwVs+0jNDY1qi/ql

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2788	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/112-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000b000000022bf4-3.dat	upx
behavioral2/files/0x000b000000022bf4-5.dat	upx
behavioral2/memory/112-7-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2788-8-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2788-15-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2788-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2788-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2788-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2788-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2788-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2788-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2788-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2788-46-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2788-51-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000e000000022c13-56.dat	upx
behavioral2/memory/112-99-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2788-106-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/112-147-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2788-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/112-212-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/2788-213-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/112-257-0x0000000000500000-0x0000000000510200-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.2c1f5ed62a1b4df993a0b95503423fd0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.2c1f5ed62a1b4df993a0b95503423fd0.exe
File opened for modification	C:\Windows\java.exe	NEAS.2c1f5ed62a1b4df993a0b95503423fd0.exe
File created	C:\Windows\java.exe	NEAS.2c1f5ed62a1b4df993a0b95503423fd0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 2788	112	NEAS.2c1f5ed62a1b4df993a0b95503423fd0.exe	91
PID 112 wrote to memory of 2788	112	NEAS.2c1f5ed62a1b4df993a0b95503423fd0.exe	91
PID 112 wrote to memory of 2788	112	NEAS.2c1f5ed62a1b4df993a0b95503423fd0.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.2c1f5ed62a1b4df993a0b95503423fd0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2c1f5ed62a1b4df993a0b95503423fd0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5FZHGTXM\default[2].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LZ39371N\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE99B.tmp

Filesize
29KB

MD5
039c15125841fdc7e2e59a518ff908bb

SHA1
1d38f6676a9669d45c21d36bfbb641d3dd35767f

SHA256
c301c54dfd397f3caff4f864017d5519af3c9209333995de4ffdd7037dcb1a94

SHA512
549ab79fd0fda6d00d67fc8a86a0df504fd48886b6ce0de9e2d839123dc1f6186741a8a33f4237cca055a8d67ec15d5c13c4b3730243f03b6460034248c6e09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
149370434df681334d927a3b4980a235

SHA1
3dbf136f021392b8ded08003791d3baeaee435e3

SHA256
9f5afc8160518e6afbf257c1ee847356d167571b174d2148fafc75071f69221f

SHA512
339ae42b8ed8692fee7ec5a77508a52604147a27bbdb4a522385d5088e87c8e259476961715cd42b70af118c97301d74d59aef978c4c38ac3d42cb34274a16cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
009ce03b6e7dcc99e0cb473713b9abeb

SHA1
20e7e1a520d568c0072ce72f90ff94e6aba786ef

SHA256
05402bb6c35b1a84d3fa3098caca9ea18c3555cb83c177bc724e94a9249d5724

SHA512
7f623eafaa823cb3b08cc81194c03b353c6607c4d3f5911b3beaa188e4db52c61a9605e9e5002dcee82cb6eb874b1da9a01fdc77568a3e8c0cd1c39c771101f3

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/112-7-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/112-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/112-147-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/112-212-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/112-99-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/112-257-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2788-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-51-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-46-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-106-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-213-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2788-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads