9d1ab932d12048aa0f7eacd17e4ac3e1860de547fe86d42a7a37fb6abf7ab435

Analysis

max time kernel
161s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 16:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4420866fc8e82febdc06e58f97e73950.exe
Size

29KB
MD5

4420866fc8e82febdc06e58f97e73950
SHA1

aa474397a639db634976b630cad2a3f178bc7161
SHA256

9d1ab932d12048aa0f7eacd17e4ac3e1860de547fe86d42a7a37fb6abf7ab435
SHA512

0316d660185ccc20ef836b5f72a509e66a65f00ad800afe64505a1c90623b0654fb3e955ba5f92e061ab7e6503587528e10735637e9e8f6ed607880c14c58cd0
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/C:AEwVs+0jNDY1qi/q6

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1844	services.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/380-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0006000000022ccb-4.dat	upx
behavioral2/files/0x0006000000022ccb-7.dat	upx
behavioral2/memory/1844-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/380-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1844-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1844-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1844-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1844-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1844-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1844-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1844-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1844-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/380-40-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000a000000022bbd-50.dat	upx
behavioral2/memory/1844-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/380-64-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1844-86-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/380-100-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1844-119-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/380-167-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1844-196-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/380-219-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1844-238-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/380-266-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1844-281-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/380-299-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1844-317-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/380-366-0x0000000000500000-0x0000000000510200-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	NEAS.4420866fc8e82febdc06e58f97e73950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	NEAS.4420866fc8e82febdc06e58f97e73950.exe
File created	C:\Windows\services.exe	NEAS.4420866fc8e82febdc06e58f97e73950.exe
File opened for modification	C:\Windows\java.exe	NEAS.4420866fc8e82febdc06e58f97e73950.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 1844	380	NEAS.4420866fc8e82febdc06e58f97e73950.exe	90
PID 380 wrote to memory of 1844	380	NEAS.4420866fc8e82febdc06e58f97e73950.exe	90
PID 380 wrote to memory of 1844	380	NEAS.4420866fc8e82febdc06e58f97e73950.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.4420866fc8e82febdc06e58f97e73950.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4420866fc8e82febdc06e58f97e73950.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5FZHGTXM\default[2].htm

Filesize
303B

MD5
6a0f569150af2b9f0db7444703c27a68

SHA1
69591c4c6e85d710d5bf89c4b6330d813bf24eb9

SHA256
4dd9d1b48bef8fbd32a979c93141c60683c30da136fc0a58c69970ca78dd9878

SHA512
e1c71ab22237b98603a57b3949329b242663c6d369c7ea1a2f17b05b673eb991b1890474a131fc424b921dfb26dc06acfff5df7400186d2491785c6ac420d05f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5FZHGTXM\default[3].htm

Filesize
304B

MD5
8251fff4df202c8d6dd6aaf34f4838ea

SHA1
fa88f08dfdeaff6b86873d447fd26cb7d83a694d

SHA256
a17db628f6bdbf4cdc6fe029542404867306406510dbbdb57a047a75ac294962

SHA512
e9c0fe2a920377777bdda16a8744cf80d15e1d1b3c94b704f8a4c4cf54d2529ede4aea8a2d6d38f4e3c4d02f602edfed659db6613ac7c374e5214a201f16a3b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E51EX1F6\default[4].htm

Filesize
303B

MD5
25e0754dcf2733a057e63f7bafe55c67

SHA1
f1e3396366d69691dd1cd0630db30f48cc0b8a15

SHA256
5a387f2fc2e3ae43f2f620004d5bb079c7a629a9aa6c9f9d49ca3fab126c6819

SHA512
f7cbb1575ef938c202a2f721e0e6991c3da7f9298779b59194633b5e126de428a4e8fa416eae13e8bc9bb7083f8412e922e75ebb2514434c642a0da56a892e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E51EX1F6\default[5].htm

Filesize
304B

MD5
605de1f61d0446f81e63c25750e99301

SHA1
0eaf9121f9dc1338807a511f92ea0b30dc2982a5

SHA256
049f75dee036da00f8c8366d29ee14268239df75b8be53aa104aec22b84560f0

SHA512
a6a2505b8b89a895922ad6dc06d2ce620cb51cc6582c1b7e498a9f1ee1e4e47c53ebc4f92f8aa37532d558667225e30574732c9fe7187153a262c933893e4285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\default[1].htm

Filesize
303B

MD5
6a62ed00d5950a7aa3df6d446d0beb92

SHA1
608da2a7b63e92b731a7beb2d990405d7a6e9611

SHA256
7aaaf31ea9c2999c775008a4b769336c91d87dc8f6dc0a1015bb45c61bc39fdb

SHA512
10a77d30bd2a5a930233e79830ac6e0a695bcfacb4e33fe9a67a7dc4b4c0ffaf3ca6ce458bf2a6714b9c590997ff816f207bee87536516a2c8e711c3c161773d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\default[7].htm

Filesize
304B

MD5
8fc460e5c1851dae2ede898b85804b31

SHA1
c2887be287c1ea86cd250c38fb4e55518f764abe

SHA256
7b5f9fe5a9244d0bd4888e5b70912a35d01fceed4c899585c39543682e43e1a3

SHA512
7d454c1d92dd448dc9c5e00a2773bd141816aefeb0ae4ac509872db998d16889773b28753d0b02f7375631202f1d5986a18e3a67350d34741dcfc6f6c58a8775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\default[8].htm

Filesize
305B

MD5
2c4ce699b73ce3278646321d836aca40

SHA1
72ead77fbd91cfadae8914cbb4c023a618bf0bd1

SHA256
e7391b33aeb3be8afbe1b180430c606c5d3368baf7f458254cef5db9eef966e3

SHA512
89ec604cd4a4ad37c5392da0bb28bd9072d731a3efdd38707eeb7b1caf7626e6917da687529bf9426d8eb89fab23175399032d545d96ab93ffd19dd54c02c075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\search[6].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LZ39371N\default[1].htm

Filesize
304B

MD5
4d1a10f22e8332513741877c47ac8970

SHA1
f68ecc13b7a71e948c6d137be985138586deb726

SHA256
a0dbc1b7d129cfa07a5d324fb03e41717fbdd17be3903e7e3fd7f21878dfbba4

SHA512
4f1e447c41f5b694bf2bff7f21a73f2bce00dfc844d3c7722ade44249d5ac4b50cf0319630b7f3fdb890bbd76528b6d0ed6b5ad98867d09cd90dcfbfd8b96860

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5CCE.tmp

Filesize
29KB

MD5
bad0e6b85daec24f036c678ed1eaa207

SHA1
c72373bd90597f0f7f73ec96c500e0424cfabb63

SHA256
ed2fcffc4426d1218fbb59f16aa42b813739d9d4efda3ad050a260e9849d96e4

SHA512
fbf2e6bd529bbd84f574a35c249fe4f304ac04d9245a2e0f4c5c8137c48fc37d81e097d1d0bd858f894aed37fb515097b16002be51878160856784282658441a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgSPzybm.log

Filesize
256B

MD5
fa0ef16a6df8fafc1fc22625af53e339

SHA1
e53acffb7c9cdfe070b7bd7c3a3f39248cf092e2

SHA256
5d3c0217817249ba9eb3e3ca2bbb28207bd3d51a3477295f9f9f59a007a84c9e

SHA512
0c620874faa19dae6f1ef3038d680e202590e92695ce2b98ebaca99a7a04a4903fa10f6867068e8b84fd9d9256e53a3709c4a544b45d9c9c75e3eed928432525

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
a62f14ef9e0c05519f79bb61854eedf3

SHA1
dd7ca555fad2a25cb8d9afd2c2a95c6c36e8c743

SHA256
6a4d0f90792f9cbbe8dd37d0aedbe5d4a8cffbe109bf422bd4198f862ccf6cdb

SHA512
2118f61ea56f61aa21e526468e7137a2507f3e24424f91b104f94c12cf26ac8d7826e33bdacc9d55b9c698903fcf99612417f9d1f1d6f36f3b42235150586896

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
96c947980f11a9c3269ce9305015b76e

SHA1
2c5105956f50feadaeac8b25b1463f10d04bcbf4

SHA256
8eb1eb9a18d13e8664731751133ef424d20c3e4fbc551aee5dd22984c8bf60bd

SHA512
a0631cd7b5d115d123a7386067d1627ae2613fd86075465c2ca15417520ac93da3ce9687a7909f7cd45a56ceeea7eb18cacb55c6804ecf98232aba9344c047ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
19bbf398b96c7def377d719ae6dd10d8

SHA1
61ffad42060dab560491ed87eaf3287007b088be

SHA256
a0ff6467b7c86be064602f50bbaece39d70e159a0aa04c0fc0d8c08efbec62e3

SHA512
a135cf7c608766526490d524e6e5b2106ba614a5f2fce6f7bfcd350a4f2622735e2396c1cc195c6276e4e3ec5d117ffbb7e2528547ef48ac2da317599db3ebb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
bd595e318b350d19d813fed4e90851e0

SHA1
bc52063c995a676c02245c51121491ba7346ef89

SHA256
81552034ba5698b9bc89c5f866b4da0c583c6e3e7d40ef84ad0cb65ba2d2602c

SHA512
66b6bd39fbba68ca79d1738d8003fc24c8281c0b89670397001abb80be31238419150ad6448da42f0937d182499dfbad1837557f214f882660ecd739eb0b40ba

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/380-64-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/380-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/380-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/380-40-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/380-266-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/380-167-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/380-366-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/380-100-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/380-299-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/380-219-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1844-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-119-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-86-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-196-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-238-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-281-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-317-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1844-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads