Analysis
-
max time kernel
155s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
17/11/2023, 20:05
General
-
Target
NEAS.123482aaf91a3f8edd582ef70f7f65e0.exe
-
Size
95KB
-
MD5
123482aaf91a3f8edd582ef70f7f65e0
-
SHA1
770863fc5ef61464f53684875722c08389695bf4
-
SHA256
b2f0c5644a7296ec8e4dbf640282adad5192f0ff896f616454c9c24a06722d22
-
SHA512
0cb224301a7b9a06e8c0e7ee733770ca0ecce022a15ecdee1ba8a6c7247604057698cceb68c10b19d8cf54d99970861c121df609b9501928d7f06f20d128e804
-
SSDEEP
1536:2l28/y5vD0YHDnAKISIzfFkoPiGOfl6GaRg/OM6bOLXi8PmCofGV:2l28/y5L0gAKITLFkoPiORg/DrLXfzo+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 1 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.123482aaf91a3f8edd582ef70f7f65e0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.123482aaf91a3f8edd582ef70f7f65e0.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe12⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe15⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe16⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe17⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe19⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe20⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe22⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe25⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe27⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe30⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe31⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe38⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe39⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe45⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe51⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe53⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe54⤵
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe55⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe56⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe57⤵
-
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe58⤵
-
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe59⤵
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe60⤵
-
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe61⤵
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe62⤵
-
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe63⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe65⤵
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe66⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe69⤵
-
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe70⤵
-
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe71⤵
-
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe72⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe73⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe74⤵
-
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe75⤵
-
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe76⤵
-
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe77⤵
-
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe78⤵
-
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe79⤵
-
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe81⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe83⤵
-
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe84⤵
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe85⤵
-
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe86⤵
-
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe87⤵
-
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe88⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe89⤵
-
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe90⤵
-
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe91⤵
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe92⤵
-
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe93⤵
-
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe94⤵
-
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe95⤵
-
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe96⤵
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe97⤵
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe98⤵
-
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe99⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe101⤵
-
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe102⤵
-
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe103⤵
-
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe104⤵
-
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe105⤵
-
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe106⤵
-
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe107⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe108⤵
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe109⤵
-
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe110⤵
-
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe111⤵
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe112⤵
-
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe113⤵
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe114⤵
-
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe115⤵
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe116⤵
-
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe118⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe119⤵
-
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe120⤵
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-