69f2adfafcb8e0a93ca793ff28df7b49100113ff2d7f92c7a2af4073a8db33ff

General

Target

NEAS.23806a8e7334a1ffd8120fafb989b440.exe
Size

9.4MB
MD5

23806a8e7334a1ffd8120fafb989b440
SHA1

fa2e0fd59d4ec8cf63c9003aa60cbeb729884b86
SHA256

69f2adfafcb8e0a93ca793ff28df7b49100113ff2d7f92c7a2af4073a8db33ff
SHA512

f2f8588ef3af44a5d855f0f6d82c08fae2abe71c565c5009b69a74e77dd5571e1b650152f7281fc1da29a9191220f145f81f1dfbb60d21bf42e6ed1a01bcfdfa
SSDEEP

98304:yI9BsiUtk8XI8XxK8XI8XBUqk8XI8X+Utk8XI8XxJ8XfUqk8XI8X+Utk8XI8XC:yI9hU/h5hRUkhOU/h0vUkhOU/hy

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\yyzzbc.sys\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\yyzzbc.sys"	NEAS.23806a8e7334a1ffd8120fafb989b440.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hh.sys\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\hh.sys"	oopq.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	oopq.exe

Loads dropped DLL 2 IoCs

pid	Process
2340	NEAS.23806a8e7334a1ffd8120fafb989b440.exe
2340	NEAS.23806a8e7334a1ffd8120fafb989b440.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	oopq.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2340	NEAS.23806a8e7334a1ffd8120fafb989b440.exe
2668	oopq.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	NEAS.23806a8e7334a1ffd8120fafb989b440.exe
Token: SeLoadDriverPrivilege	2340	NEAS.23806a8e7334a1ffd8120fafb989b440.exe
Token: SeDebugPrivilege	2668	oopq.exe
Token: SeLoadDriverPrivilege	2668	oopq.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2668	oopq.exe
2668	oopq.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2668	oopq.exe
2668	oopq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2668	oopq.exe
2668	oopq.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2668	2340	NEAS.23806a8e7334a1ffd8120fafb989b440.exe	29
PID 2340 wrote to memory of 2668	2340	NEAS.23806a8e7334a1ffd8120fafb989b440.exe	29
PID 2340 wrote to memory of 2668	2340	NEAS.23806a8e7334a1ffd8120fafb989b440.exe	29
PID 2340 wrote to memory of 2668	2340	NEAS.23806a8e7334a1ffd8120fafb989b440.exe	29
PID 2668 wrote to memory of 2104	2668	oopq.exe	31
PID 2668 wrote to memory of 2104	2668	oopq.exe	31
PID 2668 wrote to memory of 2104	2668	oopq.exe	31
PID 2668 wrote to memory of 2104	2668	oopq.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.23806a8e7334a1ffd8120fafb989b440.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.23806a8e7334a1ffd8120fafb989b440.exe"
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\oopq.exe
  C:\Users\Admin\AppData\Local\Temp\oopq.exe -run C:\Users\Admin\AppData\Local\Temp\NEAS.23806a8e7334a1ffd8120fafb989b440.exe
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\oopq.bat" "
    3⤵
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oopq.bat

Filesize
135B

MD5
fc62e221c5d1a1eea4c93622829ead41

SHA1
db3f092b961a5807c85fa3c0f20ba4a8f83d40d4

SHA256
7eb74f6a57d3f8c824e3566346eb8377218d67e64b49eb97ff9453286871153a

SHA512
4726addf9575425acb410f8af435210ce5d3066f1a549abe5697017adb6d74f1d2c8593e43e74a2c7f9ee8f43f27f685603722d1daeb6f95756264b20ef95a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\oopq.bat

Filesize
135B

MD5
fc62e221c5d1a1eea4c93622829ead41

SHA1
db3f092b961a5807c85fa3c0f20ba4a8f83d40d4

SHA256
7eb74f6a57d3f8c824e3566346eb8377218d67e64b49eb97ff9453286871153a

SHA512
4726addf9575425acb410f8af435210ce5d3066f1a549abe5697017adb6d74f1d2c8593e43e74a2c7f9ee8f43f27f685603722d1daeb6f95756264b20ef95a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\oopq.exe

Filesize
13.5MB

MD5
9bddfad5b8b2432f4e8456da1361593a

SHA1
03ff3184760b1ba552ee4f6b6ae19be9a07bdc96

SHA256
2f1c86c84819836ec81b369836000fe87cb1921cf637e4c03993955175eb88f5

SHA512
9e89a66818febfad92958debe9db207541acc99c337c13145236303c5b3bd69962a87e8aae3836a3b8dc679774759c33b32c2523f02ea58548cc69cb0150c7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oopq.exe

Filesize
13.5MB

MD5
9bddfad5b8b2432f4e8456da1361593a

SHA1
03ff3184760b1ba552ee4f6b6ae19be9a07bdc96

SHA256
2f1c86c84819836ec81b369836000fe87cb1921cf637e4c03993955175eb88f5

SHA512
9e89a66818febfad92958debe9db207541acc99c337c13145236303c5b3bd69962a87e8aae3836a3b8dc679774759c33b32c2523f02ea58548cc69cb0150c7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oopq.exe

Filesize
13.5MB

MD5
9bddfad5b8b2432f4e8456da1361593a

SHA1
03ff3184760b1ba552ee4f6b6ae19be9a07bdc96

SHA256
2f1c86c84819836ec81b369836000fe87cb1921cf637e4c03993955175eb88f5

SHA512
9e89a66818febfad92958debe9db207541acc99c337c13145236303c5b3bd69962a87e8aae3836a3b8dc679774759c33b32c2523f02ea58548cc69cb0150c7f0

Download Submit
\Users\Admin\AppData\Local\Temp\oopq.exe

Filesize
13.5MB

MD5
9bddfad5b8b2432f4e8456da1361593a

SHA1
03ff3184760b1ba552ee4f6b6ae19be9a07bdc96

SHA256
2f1c86c84819836ec81b369836000fe87cb1921cf637e4c03993955175eb88f5

SHA512
9e89a66818febfad92958debe9db207541acc99c337c13145236303c5b3bd69962a87e8aae3836a3b8dc679774759c33b32c2523f02ea58548cc69cb0150c7f0

Download Submit
\Users\Admin\AppData\Local\Temp\oopq.exe

Filesize
13.5MB

MD5
9bddfad5b8b2432f4e8456da1361593a

SHA1
03ff3184760b1ba552ee4f6b6ae19be9a07bdc96

SHA256
2f1c86c84819836ec81b369836000fe87cb1921cf637e4c03993955175eb88f5

SHA512
9e89a66818febfad92958debe9db207541acc99c337c13145236303c5b3bd69962a87e8aae3836a3b8dc679774759c33b32c2523f02ea58548cc69cb0150c7f0

Download Submit
memory/2340-10-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/2668-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2668-15-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/2668-29-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads