Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/11/2023, 18:15
Behavioral task behavioral1: sample NEAS.4a12bae3af3913df646d814ab039d950.exe, resource win7-20231023-en
Behavioral task behavioral2: sample NEAS.4a12bae3af3913df646d814ab039d950.exe, resource win10v2004-20231020-en
The yara matches below reference behavioral2/ paths and the process tree uses the same PIDs as those memory dumps, so the details shown are from the win10v2004-20231020-en run.
General
Target: NEAS.4a12bae3af3913df646d814ab039d950.exe
Size: 412KB
MD5: 4a12bae3af3913df646d814ab039d950
SHA1: 51f62bf74f6adf8ee51f349b130058d606365868
SHA256: 1bafc32f60075da3c0d4cf98c849b71594b1f9a6e42f17b16de8324ee067a2f0
SHA512: 6b389b110222d42df98a735b4d5b8a7bd63aaf51b7c06774707ec00322424547df7d6591818b2e5143ee7a3045165b87b35a1f50a3f1e20e515e74b18a3e7d7c
SSDEEP: 6144:9bpGtfoVtScw2RCgrzItQBfbpGtfoVtScw2RCgrzItQB:TGtAtScw3qEKBlGtAtScw3qEKB
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
PID 4200  PQY.EXE

yara rule: upx (7 matches)
behavioral2/memory/3888-0-0x0000000000400000-0x000000000046E000-memory.dmp
behavioral2/files/0x00090000000224ad-10.dat
behavioral2/files/0x0007000000022e41-21.dat
behavioral2/memory/4200-23-0x0000000000400000-0x000000000046E000-memory.dmp
behavioral2/files/0x0007000000022e41-22.dat
behavioral2/memory/4200-25-0x0000000000400000-0x000000000046E000-memory.dmp
behavioral2/memory/3888-26-0x0000000000400000-0x000000000046E000-memory.dmp
The rule fires on the parent (PID 3888) and on the dropped child (PID 4200) at the same image range, 0x400000-0x46E000, and on the dropped files themselves, so the dropped copies are UPX-packed just like the submitted sample.
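The yara matches above say the sample and its dropped files are UPX-packed. The following is an added example (not the sandbox's "upx" rule and not code from the sample's authors) of the static check a responder would run on the dropped copies: walk the PE section table, look for the UPX0/UPX1 names and the layout UPX produces (an empty first section reserving room for the unpacked image, followed by a high-entropy section). `build_pe()` is a constructed fixture so the script runs offline; the section names and the 7.0-bit entropy cut-off are this example's assumptions.

```python
"""Static check for the section layout UPX leaves in a PE file.

Added example, not the sandbox's "upx" yara rule. build_pe() is a constructed
fixture; UPX_SECTION_NAMES and HIGH_ENTROPY_BITS are assumptions of this example.
"""
import math
import random
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY_BITS = 7.0   # packed/encrypted data sits near 8.0 bits per byte (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Yield (name, virtual_size, raw_size, raw_bytes) from the PE section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", blob, coff + 2)    # IMAGE_FILE_HEADER.NumberOfSections
    (opt_size,) = struct.unpack_from("<H", blob, coff + 16)     # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(n_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        yield name.rstrip(b"\0"), vsize, rsize, blob[rptr:rptr + rsize]


def upx_indicators(blob: bytes) -> dict:
    names, high = [], []
    empty_first = False
    for idx, (name, vsize, rsize, data) in enumerate(pe_sections(blob)):
        names.append(name)
        # UPX0 reserves room for the unpacked image: a virtual size but no bytes on disk.
        if idx == 0 and rsize == 0 and vsize > 0:
            empty_first = True
        if data and shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            high.append(name.decode("latin-1"))
    upx_names = sorted(n.decode("latin-1") for n in set(names) & UPX_SECTION_NAMES)
    return {
        "upx_names": upx_names,
        "empty_first_section": empty_first,
        "high_entropy_sections": high,
        # Section names are trivially renamed by packers' users; require the layout too.
        "likely_upx": bool(upx_names) and empty_first,
    }


def build_pe(sections) -> bytes:
    """Constructed fixture: a minimal PE with (name, virtual_size, raw_bytes) sections."""
    n, opt_size, e_lfanew = len(sections), 0xE0, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    table, body = b"", b""
    rptr, vaddr = e_lfanew + 4 + 20 + opt_size + 40 * n, 0x1000
    for name, vsize, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(data), rptr if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        rptr += len(data)
        vaddr += max(vsize, 0x1000)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + body


_rng = random.Random(2023)
PACKED_LAYOUT = [   # constructed: what a UPX-packed 32-bit PE looks like on disk
    (b"UPX0", 0x30000, b""),
    (b"UPX1", 0x10000, bytes(_rng.getrandbits(8) for _ in range(4096))),
    (b".rsrc", 0x1000, b"\0" * 512),
]
PLAIN_LAYOUT = [    # constructed: an unpacked binary with low-entropy code and data
    (b".text", 0x1000, b"\x90" * 1023 + b"\xc3"),
    (b".data", 0x200, b"\0" * 512),
]

if __name__ == "__main__":
    print("packed:", upx_indicators(build_pe(PACKED_LAYOUT)))
    print("plain: ", upx_indicators(build_pe(PLAIN_LAYOUT)))
```

On a real dropped file call `upx_indicators(open(path, "rb").read())`. Treat a hit as a triage signal only: the UPX section names are cosmetic and a rebuilt packer stub can strip them, so confirm with `upx -d` on a copy, and compare the unpacked image against the 0x400000-0x46E000 memory dumps the sandbox captured.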
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TIFZE.EXE = "C:\\Program Files (x86)\\TIFZE.EXE"  (process: NEAS.4a12bae3af3913df646d814ab039d950.exe)
The value lands under WOW6432Node because the 32-bit sample writes through the registry redirector; the 32-bit Run key is still processed at logon on a 64-bit host.
Enumerates connected drives (3 TTPs, 34 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by NEAS.4a12bae3af3913df646d814ab039d950.exe: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V:
File opened (read-only) by PQY.EXE: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V:
Both processes probe the same 17 drive letters (E: through V:, F: excepted); the registry entries below point a file handler at F:\$RECYCLE.BIN, which is consistent with the sample looking for removable or secondary volumes to drop copies onto.
Drops file in Program Files directory (6 IoCs)
File created                  C:\Program Files (x86)\ATAPC.EXE    NEAS.4a12bae3af3913df646d814ab039d950.exe
File opened for modification  C:\Program Files (x86)\ATAPC.EXE    NEAS.4a12bae3af3913df646d814ab039d950.exe
File created                  C:\Program Files (x86)\HFDZMDT.EXE  NEAS.4a12bae3af3913df646d814ab039d950.exe
File created                  C:\Program Files (x86)\TIFZE.EXE    NEAS.4a12bae3af3913df646d814ab039d950.exe
File opened for modification  C:\Program Files (x86)\TIFZE.EXE    NEAS.4a12bae3af3913df646d814ab039d950.exe
File created                  C:\Program Files\TLULZ.EXE          PQY.EXE
Writing under Program Files needs an elevated token; the sample ran from C:\Users\Admin\AppData\Local\Temp, so on an unprivileged account these drops, and the HKLM registry writes below, would fail.
Modifies registry class (32 IoCs)
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open                NEAS.4a12bae3af3913df646d814ab039d950.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "F:\\$RECYCLE.BIN\\HFDZMDT.EXE %1"   NEAS.4a12bae3af3913df646d814ab039d950.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell                    NEAS.4a12bae3af3913df646d814ab039d950.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command        NEAS.4a12bae3af3913df646d814ab039d950.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command       NEAS.4a12bae3af3913df646d814ab039d950.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command        NEAS.4a12bae3af3913df646d814ab039d950.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Program Files (x86)\\ATAPC.EXE %1"   NEAS.4a12bae3af3913df646d814ab039d950.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile                           NEAS.4a12bae3af3913df646d814ab039d950.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell                     NEAS.4a12bae3af3913df646d814ab039d950.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\HFDZMDT.EXE \"%1\""   NEAS.4a12bae3af3913df646d814ab039d950.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files (x86)\\TIFZE.EXE \"%1\" %*"   NEAS.4a12bae3af3913df646d814ab039d950.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open                PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command        NEAS.4a12bae3af3913df646d814ab039d950.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files (x86)\\ATAPC.EXE %1"   NEAS.4a12bae3af3913df646d814ab039d950.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command        PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command        PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell                     PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell                     PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command       PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\inffile                           PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile                           PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open               PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open                PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell                     PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile                           PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open               NEAS.4a12bae3af3913df646d814ab039d950.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file                          PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command        PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell                    PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open                PQY.EXE
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file                          NEAS.4a12bae3af3913df646d814ab039d950.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files (x86)\\HFDZMDT.EXE \"%1\""   NEAS.4a12bae3af3913df646d814ab039d950.exe
The six Set value entries are the ones that matter: the sample rewrites shell\open\command for the built-in txtfile and inffile ProgIDs (whose stock handler is notepad.exe), so opening any .txt or .inf file launches the dropped ATAPC.EXE or HFDZMDT.EXE with the document as %1, and it registers its own QQQfile and QQQ.file ProgIDs for the same purpose. The QQQfile command is set three times to three different handlers in this listing; the report does not give write order, so check the live value rather than assuming which one stuck. Both the Run key and these handlers are persistence; the handler hijack survives removal of the Run key alone.
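The registry entries above read as a wall of "Key created" noise, but a few of them change which program opens every .txt and .inf file on the host. The script below is an added example, not part of the sandbox report and not its signature logic: it parses the report's own IoC lines (a subset of the entries above, copied in the report's wording and split one per line) and flags file-association hijacks and Run-key autostarts. The "a trusted handler for a built-in ProgID lives under %SystemRoot%" rule and the `SYSTEM_PROGIDS` baseline are this example's assumptions.

```python
"""Triage the registry IoCs from a sandbox report and flag persistence via
file-association hijacks and Run keys.

Added example, not part of the sandbox report or its signature logic. The IoC
text below is copied from the report (split one per line); the parsing rules
and SYSTEM_PROGIDS are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Constructed from the report's "Modifies registry class" and "Adds Run key"
# entries (a representative subset, in the report's own wording).
REGISTRY_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TIFZE.EXE = "C:\\Program Files (x86)\\TIFZE.EXE" NEAS.4a12bae3af3913df646d814ab039d950.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open NEAS.4a12bae3af3913df646d814ab039d950.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "F:\\$RECYCLE.BIN\\HFDZMDT.EXE %1" NEAS.4a12bae3af3913df646d814ab039d950.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Program Files (x86)\\ATAPC.EXE %1" NEAS.4a12bae3af3913df646d814ab039d950.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files (x86)\\ATAPC.EXE %1" NEAS.4a12bae3af3913df646d814ab039d950.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files (x86)\\TIFZE.EXE \"%1\" %*" NEAS.4a12bae3af3913df646d814ab039d950.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command PQY.EXE
"""

# One report row: action, registry key, optional quoted value, writing process.
IOC_RE = re.compile(
    r'^(?P<action>Set value \(str\)|Key created) (?P<key>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<value>.*)")? (?P<process>\S+)$'
)
# Leading executable of a shell-verb command line, quoted or not.
HANDLER_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Built-in ProgIDs whose stock open handler is %SystemRoot%\system32\NOTEPAD.EXE
# on Windows 10 (assumption of this example; extend it with your own baseline).
SYSTEM_PROGIDS = {"txtfile", "inffile"}


@dataclass
class Finding:
    kind: str       # "file_assoc" or "run_key"
    target: str     # ProgID, or the Run value name
    handler: str    # executable that will be launched
    process: str    # sandbox process that wrote the value
    reason: str


def unescape(value: str) -> str:
    """Undo the report's C-style escaping of the registry string."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_iocs(text: str) -> list[dict]:
    rows = []
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        row = m.groupdict()
        row["key"] = row["key"].rstrip("\\")   # the report leaves a trailing '\' on a value's parent key
        if row["value"] is not None:
            row["value"] = unescape(row["value"])
        rows.append(row)
    return rows


def is_system_path(exe: str) -> bool:
    return exe.lower().startswith(("c:\\windows\\", "%systemroot%\\"))


def triage(rows: list[dict]) -> list[Finding]:
    findings = []
    for r in rows:
        if r["value"] is None:               # "Key created" rows carry no handler
            continue
        parts = r["key"].split("\\")
        low = [p.lower() for p in parts]
        if "classes" in low and low[-3:] == ["shell", "open", "command"]:
            progid = parts[low.index("classes") + 1]
            m = HANDLER_RE.match(r["value"])
            exe = m.group("exe") if m else r["value"]
            if progid.lower() in SYSTEM_PROGIDS and not is_system_path(exe):
                reason = "built-in handler redirected"
            elif "$recycle.bin" in exe.lower():
                reason = "handler lives in a Recycle Bin"
            else:
                reason = "handler registered for a non-standard ProgID"
            findings.append(Finding("file_assoc", progid, exe, r["process"], reason))
        elif len(low) >= 3 and low[-3:-1] == ["currentversion", "run"]:
            findings.append(Finding("run_key", parts[-1], r["value"], r["process"],
                                    "autostart at logon"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_iocs(REGISTRY_IOCS)):
        print(f"{f.kind:10} {f.target:10} -> {f.handler}  [{f.reason}; by {f.process}]")
```

The same `triage()` logic applies to a live host if you feed it rows exported from HKLM\SOFTWARE\Classes, and it is the check to run after cleanup: deleting TIFZE.EXE from the Run key leaves the txtfile and inffile handlers pointing at ATAPC.EXE and HFDZMDT.EXE until those values are restored to the notepad.exe default.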
Suspicious use of WriteProcessMemory (3 IoCs)
PID 3888 (NEAS.4a12bae3af3913df646d814ab039d950.exe) wrote to the memory of PID 4200 (target procid 88); recorded three times.
The target is the dropped PQY.EXE that 3888 spawned, so these writes line up with the parent setting up its child rather than with injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.4a12bae3af3913df646d814ab039d950.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.4a12bae3af3913df646d814ab039d950.exe"
    PID 3888
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\$Recycle.Bin\PQY.EXE  (child of PID 3888)
        command line: C:\$Recycle.Bin\PQY.EXE
        PID 4200
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1 (412KB)
MD5: 9389fe40d5672615111fb5bc88082cda
SHA1: fa181b4fa0d39cbeebbf7f9d707cf68b4bdbdd98
SHA256: 3c7d3e721d9a36d8e9988a16b5bd0e3cf59a24152134513f51894f47762190c8
SHA512: 1c22b0a537c9d8c5b383c5ebf474080bbaacf50568021eb5b344aed4fe83c47232567c4ba621612906d8a20e40f0e9bed63d5d67fb323b624f2de463af7adb96
Dropped file 2 (412KB, byte-identical to dropped file 1)
MD5: 9389fe40d5672615111fb5bc88082cda
SHA1: fa181b4fa0d39cbeebbf7f9d707cf68b4bdbdd98
SHA256: 3c7d3e721d9a36d8e9988a16b5bd0e3cf59a24152134513f51894f47762190c8
SHA512: 1c22b0a537c9d8c5b383c5ebf474080bbaacf50568021eb5b344aed4fe83c47232567c4ba621612906d8a20e40f0e9bed63d5d67fb323b624f2de463af7adb96
Dropped file 3 (413KB)
MD5: eb7b16fb5a23d45b0d572e600bef76a4
SHA1: 5f6a66b53a9691747bffffd867812cb6cbf652f1
SHA256: 4e1e705e41a167a00da4e14bfbd8ce2faa8cbf046137aaea0f4889ce2b2c2258
SHA512: d9bb25bc1a636993bbb64c4b41b38c9b3e9d1c7fd09c352bde22c6b622cf5a27ddc639c7588f79d9cf0df75afbb0b4122b5363e8f9378edf5d137867f150e440
None of the dropped copies hash-matches the submitted sample (MD5 4a12bae3af3913df646d814ab039d950), so a blocklist built from the original hash alone misses the files the sample leaves behind; add all three hashes, and hunt on the filenames and registry values above rather than on hashes alone, since the dropped names (PQY.EXE, TIFZE.EXE, ATAPC.EXE, HFDZMDT.EXE, TLULZ.EXE) look generated and may differ per run.