44c0f51238445a49226874169ea0dc8891f2574b535f138f4176ba60cbc2320f

General

Target

NEAS.08c90de8fe931fa196de085ce4e92960.exe
Size

272KB
MD5

08c90de8fe931fa196de085ce4e92960
SHA1

b534e4a16cb62696bcc7f81205b6223b611af41c
SHA256

44c0f51238445a49226874169ea0dc8891f2574b535f138f4176ba60cbc2320f
SHA512

e9effbe14e40f1e9ee03f0020ed0a56ca9ac6eb9883023272173197ac603da12edacfadb9e606db82fde89f26f0011703f4c609ae58e0737b4579cbbbe410d6e
SSDEEP

3072:PtD/aDHJ2V6e8Q4/6idYJB+H94ul40j+6OHacSwgvxdWF/n9yZHJ+vp:hyDpVIfPg+6OHa7MF/9w+v

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	NEAS.08c90de8fe931fa196de085ce4e92960.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	NEAS.08c90de8fe931fa196de085ce4e92960.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	NEAS.08c90de8fe931fa196de085ce4e92960.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	NEAS.08c90de8fe931fa196de085ce4e92960.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	NEAS.08c90de8fe931fa196de085ce4e92960.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	NEAS.08c90de8fe931fa196de085ce4e92960.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	NEAS.08c90de8fe931fa196de085ce4e92960.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	NEAS.08c90de8fe931fa196de085ce4e92960.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\copy.pif	NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification	C:\Windows\SysWOW64\copy.pif	NEAS.08c90de8fe931fa196de085ce4e92960.exe
File created	C:\Windows\SysWOW64\_default.pif	NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	NEAS.08c90de8fe931fa196de085ce4e92960.exe
File created	C:\Windows\SysWOW64\surif.bin	NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	NEAS.08c90de8fe931fa196de085ce4e92960.exe
File created	C:\Windows\SysWOW64\Oeminfo.ini	NEAS.08c90de8fe931fa196de085ce4e92960.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\.exe	NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification	C:\Windows\.exe	NEAS.08c90de8fe931fa196de085ce4e92960.exe
File created	C:\Windows\win32.exe	NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification	C:\Windows\win32.exe	NEAS.08c90de8fe931fa196de085ce4e92960.exe
File created	C:\Windows\ActiveX.exe	NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification	C:\Windows\ActiveX.exe	NEAS.08c90de8fe931fa196de085ce4e92960.exe
File opened for modification	C:\Windows\system\lsass.exe	NEAS.08c90de8fe931fa196de085ce4e92960.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2292	2068	WerFault.exe	10

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2068	NEAS.08c90de8fe931fa196de085ce4e92960.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2292	2068	NEAS.08c90de8fe931fa196de085ce4e92960.exe	28
PID 2068 wrote to memory of 2292	2068	NEAS.08c90de8fe931fa196de085ce4e92960.exe	28
PID 2068 wrote to memory of 2292	2068	NEAS.08c90de8fe931fa196de085ce4e92960.exe	28
PID 2068 wrote to memory of 2292	2068	NEAS.08c90de8fe931fa196de085ce4e92960.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.08c90de8fe931fa196de085ce4e92960.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.08c90de8fe931fa196de085ce4e92960.exe"
1⤵
- Sets file execution options in registry
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 360
  2⤵
  - Program crash
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win32.exe

Filesize
272KB

MD5
8fda7d5da26b8553e21ce5394e1c857b

SHA1
9a16f2ce5f624273c080a2aa79739282635dded9

SHA256
75bd781b3a73c06a559b8f82b2638dc5b1dccf51126c7d437ec1e4d49f330f89

SHA512
bb8a7a02101f4142e72445759a3423273b90a8890974e16409f85a4449edd07b6d0c10d1bb51201f3bc923341f0100e63589d5c6ea74eb0059c145e545a92b12

Download Submit
memory/2068-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads