d23000846f70f83a4bf3361f8e60117d1c07a0d24c456306bab2d26c508d2319

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe
Size

29KB
MD5

57b7e0645c9eae8d7f5ce04ffbe23e96
SHA1

9ca53157da93503d0809e4627fa8f77d27b50411
SHA256

d23000846f70f83a4bf3361f8e60117d1c07a0d24c456306bab2d26c508d2319
SHA512

63bbbdd8c33b37aa4a15755dc5f1191b3e0b89b75bc2a84899ee38438a173b26179d438e484ebdc4062e74c1d90a6cb1f78f89129eced6585a7589d2995cc990
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Np:AEwVs+0jNDY1qi/qr

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	services.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2060-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2060-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x0009000000012275-7.dat	upx
behavioral1/files/0x0009000000012275-9.dat	upx
behavioral1/memory/1708-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2060-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1708-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1708-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1708-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000600000000f661-41.dat	upx
behavioral1/memory/2060-408-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1708-410-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2060-840-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1708-841-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2060-845-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1708-846-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2060-847-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1708-848-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2060-861-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1708-862-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2060-876-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1708-877-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2060-884-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1708-885-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2060-888-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1708-889-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2060-913-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1708-914-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2060-923-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1708-924-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1708-928-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe
File opened for modification	C:\Windows\java.exe	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe
File created	C:\Windows\java.exe	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1708	2060	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe	28
PID 2060 wrote to memory of 1708	2060	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe	28
PID 2060 wrote to memory of 1708	2060	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe	28
PID 2060 wrote to memory of 1708	2060	NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.57b7e0645c9eae8d7f5ce04ffbe23e96.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bbe83fd39c5b1e2136148edfc2b0ee68

SHA1
e8bb52cd201d27cb4f302be9a9c0ed0cd0db78e9

SHA256
747af9decfdd6556a2d57be3e277197b851e25a7f98e7a77848fdc99cc702517

SHA512
d3941e2c247900b2c765ba8fb7bf3c79e708bda2044e043e7aed865d8ecc0ddacf4126a7b370b0c1f96fdd472699ba8c6dbfc1b1f90e24b7e391319b3781bad3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7236323e5937f8ae2245c0fec554efea

SHA1
9505ef7b0fcacbfe05c98b4d5e24ceb973abf729

SHA256
5f2b34a415c4ee2c41798d593562a7ae51889eac2f92cf030c3faceb931f6ef1

SHA512
4590b474e6f32e24752387d23a7127c496382a0231872672ebba2c38934e2f8125e8c4323c69df02ee98fd7ee74625fce86f10b4837376b4ed9dcea085e23575

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7bc18e78267f38979301c0d5d4ff5f92

SHA1
bdc9893548987813e2d26a2a2e05028c63e7e2a4

SHA256
ac622e0f975a0997bc6a89642ac69bfe09d5a8867e417086531abda72f19a842

SHA512
2a6118bea1b78b94f0293104518b4a302400880b99af3d98f92f58aeafa516c8ad5c43961fc06de8ac1469f60937708a9bdf02b2c023b2ec6967b8c56f1e45a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7bc18e78267f38979301c0d5d4ff5f92

SHA1
bdc9893548987813e2d26a2a2e05028c63e7e2a4

SHA256
ac622e0f975a0997bc6a89642ac69bfe09d5a8867e417086531abda72f19a842

SHA512
2a6118bea1b78b94f0293104518b4a302400880b99af3d98f92f58aeafa516c8ad5c43961fc06de8ac1469f60937708a9bdf02b2c023b2ec6967b8c56f1e45a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5c81ae07bea52a80fcb909d1de9a936

SHA1
52bcd7a29f20de39d55707868cf83e70bd0350d6

SHA256
b30f708bfc050abf832d8b67993ce30b02984b15306a433db4ef3d60d9ae89a7

SHA512
eabab5d064e136edff3d4afce78336393330842cefe2aa076fae5d1a6ef342741b9745cda80555ad49bb9f04f336ca50ad54445b7329dda99c3dd4b10869efd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60c1acd0164a3decb639428810796a77

SHA1
88dfa44acd93805b7e8f18c143648fc1c9170a42

SHA256
f46297b97487551d6c2495e9625730e38540034d5dbee02b4cca6736da4ac045

SHA512
6472dd5e9ef580d6039aceb4cf8fe81db0d05085739c42b00975c51583fe21ea211ec7654a9c7fc29dee924632d8312d995ac34eee05f2067373cfef682b7d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c072477eb2f6e2eaa7e814ba82a04009

SHA1
bad771ec0cc8a2f5057a250665ba9e3fd59edfd3

SHA256
96cba81160b1d64de437275f0fb857bccca8140afd7f1eeb37da21aa5ccd8dd5

SHA512
f9125713dead40e2d380d9f8f19cad0047ab294aa3dc4b3e02cc9dd229f77f66f3152da5b5df5a28637a74622a8a469591c6d85f4034e95fd5dcaf1741e35f7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ebb93b69da5add864cd6ee576d692302

SHA1
a2f23bab6bd09564eda92bdeb3766cb9d840dd93

SHA256
9e630c62457e455790625083fbbf8568708f8f15770cba5123a3cee7fff37785

SHA512
8b34104a0c2f1564753b7108cd455a6217673c180ff70911dadbab91fdbc1ceeb9474880582c7b118dbe61b43b826a01297dc552a4d51ba8b8a3d2b19c34cea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b4c3081159ad07ced69c1149534fe67

SHA1
3878d352781dac24d8efe3f518a224fdd2900976

SHA256
44fd8ee001d5c9eff3aa0ca18f3aaafd6e2d38fcd8d897fb72dc2b941aa6aac2

SHA512
aa6dd348afaf1c0a5b712f697faf3c5163cce083af8ef2d05bc2cc3369dcd084d8b1a49fc4471fff84b181564c4e6ba86fea3b3c72d539eb3bbd3fbca454e196

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1e6f3e11bbde0c12cdabb0353f7bdca

SHA1
cbef1b1ebb51d5346ab2a49dfab532b5e8f170ff

SHA256
01f7373a44b4ef1bc682fc3bc43369c53767386d17bc57c257898bb0f193a208

SHA512
db1234d28f67f72efbd15df70e6f928761de9f32a41457ee9b660dc13c74fe42b3a14ac78572ed20bf9f421042fc62139d5ba158158478f2d4ad4953ab599cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3adf063df748c7689e683e8337034b6

SHA1
694b84fd1880236d4602ecb9c0229f590c35d08e

SHA256
482cd56a34565a81fc114f67cc6a53f89c4c0488f988083d104eeb7d9635bc71

SHA512
18f0e92af243ad7b8c8cb299dd5a6e7b85c949db2032b6b995ceaa38b784495bd0259313dee326c1cd893ec2c600917ea9b79db2112ba7f9ffd4a78e20c4d762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IS2BN16O\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4EE4.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F54.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjFmsfu0.log

Filesize
256B

MD5
ee065a9f95f11a9b74adf68156bf31f9

SHA1
0635576ba59583d2d6b894086f39fd07b5c66133

SHA256
ba749cb52883d2460e0b312f4be93cd54795ce531ccbf15ed0a21a2d5c55c155

SHA512
fb54c6ed6db6000820140fe318b51d2a471012cf4cc39ff02d1b086d9198be8a4ec901be5212038f040313d44a96371516103b4d224e6d4de154bbfd9614e7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EE7.tmp

Filesize
29KB

MD5
7537e798767c821ac71a9b9b9b9f2fd2

SHA1
642737028f9e79c38cb44495b3f4f093195226bb

SHA256
d1c468c06b6740ca3943da6519da54816cad3bcc08f01d566db674457bc2f801

SHA512
570a131b673ca438c68b1bde14d2d44d0659584843243bc4a122aa0653debd397baa002bcbbec78d9cb626b33091713c88a8c4d64881dd8db6769239bb935363

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
6d72e28e391195c44501ad6c9091475d

SHA1
3345f737160ae9967945221ff3863e0e2189264f

SHA256
7dabd1c6effa6d09da0c8b66320802f380d071939437dc7882aba5c21d468822

SHA512
46c15b2a2511c75e6cbe7a5e184ad65a92210473216a225c33a0243abe16281cfbebaa7f5fb456156d81265de0b0d8414a58f04185d911d6dbe1f3021423eb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
99e06e46b5eb9b9e81ec712a585c2d65

SHA1
24d040aa0afe5886ad08a91b697ce20b007e2c02

SHA256
2db60c5322ca2051483842e53383bc07da12847804a68b4b77853d945950479e

SHA512
49f0c25c7e70a943cbd8191c6861d94110ad01e27ecc19ecd809d66b17cc2d04146d99de452a21ab6542d493d0451ddad9ad23c4ff7c666b5904673381b58695

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
c8c9378b5f2432beee408db77656a779

SHA1
ce3058b4f085fdf6c26dddcbc6e33013cd642959

SHA256
fa3a1de0cbf83eba26ea654ad683d80df217995bf9d0da4dc5b155d7788e052d

SHA512
ade80b865297b2cec78dddc3617382daa87f7e9b76242a8e55a9a4cf14759941311ef2a8c4ed781189c5e7775c264a0e5d1987777a8983c6b76ed2c88d18faae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
18a69969da0008b4d9ced2bd0232abfb

SHA1
9e64d4d18c67b5714837faaa40a91531a71a2920

SHA256
99ca80bab30aec6a27851909acedb0a546b4d4dbbe59fc9715510bdb73e5b0ee

SHA512
41cf220431f4596d4fc97b78992a095c20d5618e7d7e5cca0926de6d62764573e6ac7fbcf8326492a317c5c69ae4c1c370506c539ed1f8ad3bd73ae86c1e3628

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
c1d36e386fbb05ba3c64b332d5f99277

SHA1
0fb5fe18f7eb5b9361b665eec7ffc697c03b3bd7

SHA256
aed1b5d88e5e1e0a9c757fcab02af767177e978a173801bce0969c28a8d0c07a

SHA512
646cea97554310c6d544a5660343e92048b18538519e223c3aad2caae0a18e85a09fc01702032f46634b5480959a6c5a4c6e4fc3408d25bf5c08eeb5072b780e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
f30277ae06c43d97f5675d0bd6371b32

SHA1
8fe979b377ca242df6ae80541c83e917ee389648

SHA256
8707ce4a1a37313714123480cbfcb06ae73bfaea4b359dcbb735fcbd933953cc

SHA512
9c08e441977872f3d97b76d1931ca2d847887977309b28055213014a1779d8857fd5e2b810315249f079daadbc3ac274d05da2552d3d8a39668a123f1edaedf4

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1708-885-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-410-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-928-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-924-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-841-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-914-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-846-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-848-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-889-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-862-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1708-877-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2060-23-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2060-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2060-884-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2060-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2060-888-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2060-408-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2060-913-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2060-876-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2060-861-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2060-845-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2060-923-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2060-840-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2060-847-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2060-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads