b895108aec3fdfc6fd0b69afbca389e4cbae1c752b07ab4a83097ae0e48cfae4

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.398d24c63cc88fdb2524f1e228a99c50.exe
Size

29KB
MD5

398d24c63cc88fdb2524f1e228a99c50
SHA1

b43b02dc1097d6c79c3aebb05ab24e0bc7ce2c1b
SHA256

b895108aec3fdfc6fd0b69afbca389e4cbae1c752b07ab4a83097ae0e48cfae4
SHA512

5fc5ccda25d13e7997d3d87b17f63781e4fc9b221d0e073f19514e7293919b206a073b72c05b5667cbb3b737578642f8ef509161ec3b55a898b42e7d5e166605
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/xc:AEwVs+0jNDY1qi/qu

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2144	services.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/768-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/768-4-0x0000000000230000-0x0000000000238000-memory.dmp	upx
behavioral1/files/0x000e00000001226b-10.dat	upx
behavioral1/memory/2144-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000e00000001226b-7.dat	upx
behavioral1/memory/768-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2144-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/768-22-0x0000000000230000-0x0000000000238000-memory.dmp	upx
behavioral1/memory/2144-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2144-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2144-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2144-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000600000000f661-47.dat	upx
behavioral1/memory/2144-462-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/768-445-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/768-605-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2144-606-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2144-610-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/768-609-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/768-614-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2144-615-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/768-625-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2144-626-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/768-640-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2144-641-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/768-645-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2144-646-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/768-647-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2144-648-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/768-652-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2144-653-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe
File opened for modification	C:\Windows\java.exe	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe
File created	C:\Windows\java.exe	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 2144	768	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe	28
PID 768 wrote to memory of 2144	768	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe	28
PID 768 wrote to memory of 2144	768	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe	28
PID 768 wrote to memory of 2144	768	NEAS.398d24c63cc88fdb2524f1e228a99c50.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.398d24c63cc88fdb2524f1e228a99c50.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.398d24c63cc88fdb2524f1e228a99c50.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23369c31a6bd7cf25420eff0404884e0

SHA1
9eee0714780df660d373a7d9f02c5b7fc89d7165

SHA256
563627ed60dbff318c2a10fa2d02d86ac6ee2822116ae14abe58aa5a18c64b6a

SHA512
265393dc1e6180c26c28624d29ab5fafb20cf1a690a71378712fcb7286e6582f667f8196f7058a52d2e8c38c3848610366b77877c71e4e0624aec5ac210c9d8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d206cb0015914d20ddf51fa48d5b064

SHA1
cd9806d37fed2d333c4915e5ee8fe2b1d540e2e6

SHA256
045295abb2c08cd525407d1de41c76945948fdb0b7f1bc11d8242305143dd82b

SHA512
fb19f7330042200fcbf01311b25911b4b74cd579a96113521098a972cb364c6ac190dd209c2e57749539cdeb9709961b3eef51adbd3aa028461cfa37c9d30472

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6adae891971407cfac088020fada7eef

SHA1
de62080e405656c3464a021946e19263fe1f41b2

SHA256
1599432c5d00845ef17e0e521361be6d0a48f4be0ff03cad4bb2e4675186e7eb

SHA512
28c0aa88b737f05d6f4214c175a3eb44e90ca4ab182796d3ec21ece5027a0e1ca4407b6711873f26de6ae1ecf2421c9b152e8c0231f83f90030a7c57af978a9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f23e86a712defe1921c8b1bfdb2bb51

SHA1
15e9b81e66f1e5e0198babbe9f0ef5303592d446

SHA256
cce9eb7318d83c3eba17e4a928fb36b1387861d98b5a975877638a2195255913

SHA512
47c731dccd7b19e9c5134f0ef76a0f7b0fa8adb256616763d9cafcf1f7f05d0511ebc552895003b4ee3bb64cd4a29d1591cdc9706679425f866f8162e5352986

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d3dacee0c302271f947a4844ce6ed72

SHA1
8464f7311756e1690d39c2f948756a4900eaf304

SHA256
477f2d315515f437c1de46f0f4dc875107ae916624a6cd05267ac14ad8d58034

SHA512
b13bc86c989b47b55b47937833d3f9ca86557506b0d6a9b458b313b48b1309061d6fd5152eaf75eeab0e0d8a0727aa824f3ca2fa6770d698ae0ae287535adb83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae13e180587d48806db0750804780c60

SHA1
dda6a981900e3abe73ab1a83636726d92b616456

SHA256
0567c66f6ce0979c07a0d5df7fe6392d52c847d7869f5192ca951088164fd946

SHA512
5460fcdda7952d6c154f3b5d5ec3863b40c351352e0ab291f53a987b123dd3fa0f7c533cb6442a542eeec33e146fea7632ce047a3a4cb13340e476b9d312f09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7B5F.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7BD0.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjFmsfu0.log

Filesize
256B

MD5
5ed94021b6680e4a73b29b9de622be1f

SHA1
2bc3d74ebc6ed3a8fb66ebabbf66bee886e6cd6e

SHA256
5e0be0d08f5509e3841db58cc146b40a1dbca2359b6f8caff10c1573baa8212e

SHA512
1ac3b5b3769a72c3f34cc277b2a9546251dbf2bdcb5c7534416a7354391e2487036ef1d358bced974ead116a2b46a0a4b5ec09ac2653a4c6e001e87b37d15c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7503.tmp

Filesize
29KB

MD5
f196ff58dc39056f79612d932a18e32d

SHA1
3f1bd6e4ca3322db86851c80c1286d5fa8069b0d

SHA256
4ffa05cc44a3173fc11829ab822e6e4a611cd06062c77572447c8f72f0c37706

SHA512
5263fe9ff2620065f95d95c3a5cb2fde6713552e23e422808597a50face7131a10681753b14b9aacbceb317f9a2b7ea8dd78e7efd9d5cdd3e9334c7668f839d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
7a16191046a9ab5b4067ffd33efdad3d

SHA1
43ffaef82f645c3be3ce3f34808f6f403d121ea6

SHA256
582381d94ddc22754b9bfddffd36bb66b47212e3952cdae44de3b5b56d4845eb

SHA512
0d2ae147946329bae3ab6a255cb26e5b789dc6f25526d518aa6d4f58d24f00c8382e33f0b6a12d7a80041307e5a302ea54b9386a363e33318de30b6232df9d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
9df0b99538a6dc39f202ee0384c0100a

SHA1
b5f03f720c43de9f3398a8d37673cbbdd5e5d984

SHA256
446497d61350a7527ba5f5be261fba7c4eba657689e68a9378b08172d9fbb873

SHA512
6373d76c3a9dbb22576eef99b1d1e41234e5ddfedf9825049d1b2d26506aaf8a939d8859d6e6b887c9118dcb42e5c9fcbdc76192e163497e2f0b35e6a697ace2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
8adb9378f106c2b3c78dee5b56bdc477

SHA1
85139d402de17b3cbbb5baca91343529f44bba0e

SHA256
5bf1ddeb9c2e731e1e2bf1b3100c42cf3f110af709967ebc7e28b3828e9346b3

SHA512
cd874f10698f38cda08aaaf61bef6dd9436ba3b06dcba92a4bf99f50764f947364cdb8ff798109e4bd3db96a1f1ee44e7edaa99baa7b158f25bd70bf963c7135

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
6e03d0d6cd543027fa7d487b15c20746

SHA1
219f5c0aafb279361222145d27c4b9ceafe4a319

SHA256
419036f4dbc060be675d8c4adb8440c8909d9311575aaefd33bb5286c090c7fa

SHA512
d3e23aec0be9cc9646ac6b36c6c0ca2c3bb78a43f311bccea144082fa28ceebcc9c70e062c02f7bfb19ec48b4f577dec07a9648f873aeb007f88f4f12d3c3c26

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/768-614-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/768-609-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/768-4-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/768-652-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/768-647-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/768-23-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/768-22-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/768-645-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/768-640-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/768-445-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/768-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/768-605-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/768-625-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/768-9-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/768-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2144-462-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-641-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-615-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-606-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-626-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-610-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-646-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-648-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-653-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2144-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads