c7175aed2feaeeb42b98203bf5084a6a6afc816f1aa19a01a6f1f87124f367c4

Analysis

max time kernel
72s
max time network
137s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 05:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

29fb10583109a119fc1e0f1d9891527f.exe
Size

185KB
MD5

29fb10583109a119fc1e0f1d9891527f
SHA1

a4c06d46dc888f29a0c821956299ea13b9dc5c02
SHA256

c7175aed2feaeeb42b98203bf5084a6a6afc816f1aa19a01a6f1f87124f367c4
SHA512

58859730a4a635c2cda8d85d57fc3f44d69db69952c237a8d372cfef905ddf2d7db6311d37a274adcd915d1a90e1b5a6248b9cc8fd9dd564c0b7dd01b8242176
SSDEEP

3072:NaV0gOak9RH7gMjZ/IE5cTyU+s4/ocETNWpoK7/KjTA2CGmSpBMNTPXBMOhpG/ta:MV08MjZgE5c94/o/TNWpP/KHfPB6NTPk

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
628	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	neup.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	29fb10583109a119fc1e0f1d9891527f.exe
3012	29fb10583109a119fc1e0f1d9891527f.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000015658-6.dat	upx
behavioral1/memory/3012-12-0x0000000000400000-0x000000000279A000-memory.dmp	upx
behavioral1/files/0x000c000000015658-9.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\{99FD42C8-CEFB-AD4E-9644-6D1A8CD24E07} = "C:\\Users\\Admin\\AppData\\Roaming\\Kyirud\\neup.exe"	neup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 628	3012	29fb10583109a119fc1e0f1d9891527f.exe	17

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Privacy	29fb10583109a119fc1e0f1d9891527f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	29fb10583109a119fc1e0f1d9891527f.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe
3016	neup.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3012	29fb10583109a119fc1e0f1d9891527f.exe
Token: SeSecurityPrivilege	3012	29fb10583109a119fc1e0f1d9891527f.exe
Token: SeSecurityPrivilege	3012	29fb10583109a119fc1e0f1d9891527f.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3016	3012	29fb10583109a119fc1e0f1d9891527f.exe	19
PID 3012 wrote to memory of 3016	3012	29fb10583109a119fc1e0f1d9891527f.exe	19
PID 3012 wrote to memory of 3016	3012	29fb10583109a119fc1e0f1d9891527f.exe	19
PID 3012 wrote to memory of 3016	3012	29fb10583109a119fc1e0f1d9891527f.exe	19
PID 3016 wrote to memory of 1052	3016	neup.exe	11
PID 3016 wrote to memory of 1052	3016	neup.exe	11
PID 3016 wrote to memory of 1052	3016	neup.exe	11
PID 3016 wrote to memory of 1052	3016	neup.exe	11
PID 3016 wrote to memory of 1052	3016	neup.exe	11
PID 3016 wrote to memory of 1068	3016	neup.exe	10
PID 3016 wrote to memory of 1068	3016	neup.exe	10
PID 3016 wrote to memory of 1068	3016	neup.exe	10
PID 3016 wrote to memory of 1068	3016	neup.exe	10
PID 3016 wrote to memory of 1068	3016	neup.exe	10
PID 3016 wrote to memory of 1136	3016	neup.exe	2
PID 3016 wrote to memory of 1136	3016	neup.exe	2
PID 3016 wrote to memory of 1136	3016	neup.exe	2
PID 3016 wrote to memory of 1136	3016	neup.exe	2
PID 3016 wrote to memory of 1136	3016	neup.exe	2
PID 3016 wrote to memory of 2188	3016	neup.exe	6
PID 3016 wrote to memory of 2188	3016	neup.exe	6
PID 3016 wrote to memory of 2188	3016	neup.exe	6
PID 3016 wrote to memory of 2188	3016	neup.exe	6
PID 3016 wrote to memory of 2188	3016	neup.exe	6
PID 3016 wrote to memory of 3012	3016	neup.exe	15
PID 3016 wrote to memory of 3012	3016	neup.exe	15
PID 3016 wrote to memory of 3012	3016	neup.exe	15
PID 3016 wrote to memory of 3012	3016	neup.exe	15
PID 3016 wrote to memory of 3012	3016	neup.exe	15
PID 3012 wrote to memory of 628	3012	29fb10583109a119fc1e0f1d9891527f.exe	17
PID 3012 wrote to memory of 628	3012	29fb10583109a119fc1e0f1d9891527f.exe	17
PID 3012 wrote to memory of 628	3012	29fb10583109a119fc1e0f1d9891527f.exe	17
PID 3012 wrote to memory of 628	3012	29fb10583109a119fc1e0f1d9891527f.exe	17
PID 3012 wrote to memory of 628	3012	29fb10583109a119fc1e0f1d9891527f.exe	17
PID 3012 wrote to memory of 628	3012	29fb10583109a119fc1e0f1d9891527f.exe	17
PID 3012 wrote to memory of 628	3012	29fb10583109a119fc1e0f1d9891527f.exe	17
PID 3012 wrote to memory of 628	3012	29fb10583109a119fc1e0f1d9891527f.exe	17
PID 3012 wrote to memory of 628	3012	29fb10583109a119fc1e0f1d9891527f.exe	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\29fb10583109a119fc1e0f1d9891527f.exe
  "C:\Users\Admin\AppData\Local\Temp\29fb10583109a119fc1e0f1d9891527f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd3f1cb3b.bat"
    3⤵
    - Deletes itself
    PID:628
- - C:\Users\Admin\AppData\Roaming\Kyirud\neup.exe
    "C:\Users\Admin\AppData\Roaming\Kyirud\neup.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1068

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Kyirud\neup.exe

Filesize
185KB

MD5
27c67997bc3e7aaf0fa44dda84407346

SHA1
77ffe00ff2ec31040c3904b3b4a84bee53ec7b1d

SHA256
06848957a888da40940c5bf513540ebe936848e13cd335c9c0d77c7d650fce33

SHA512
a2404d2ad3e16ab7ab74fa5b7447d4fc8fa6a94da9272f100447f43a9dda8d3a60cdf8c00031b7d3506bb1aaf7cc6509a2ae607e26e0b88ab9d8e07c01ff5934

Download Submit
memory/628-265-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/628-170-0x0000000077670000-0x0000000077671000-memory.dmp

Filesize
4KB

Download
memory/628-267-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/628-164-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/628-166-0x0000000077670000-0x0000000077671000-memory.dmp

Filesize
4KB

Download
memory/1052-21-0x0000000001F30000-0x0000000001F65000-memory.dmp

Filesize
212KB

Download
memory/1052-19-0x0000000001F30000-0x0000000001F65000-memory.dmp

Filesize
212KB

Download
memory/1052-16-0x0000000001F30000-0x0000000001F65000-memory.dmp

Filesize
212KB

Download
memory/1052-13-0x0000000001F30000-0x0000000001F65000-memory.dmp

Filesize
212KB

Download
memory/1052-10-0x0000000001F30000-0x0000000001F65000-memory.dmp

Filesize
212KB

Download
memory/1068-27-0x0000000000210000-0x0000000000245000-memory.dmp

Filesize
212KB

Download
memory/1068-29-0x0000000000210000-0x0000000000245000-memory.dmp

Filesize
212KB

Download
memory/1068-31-0x0000000000210000-0x0000000000245000-memory.dmp

Filesize
212KB

Download
memory/1068-28-0x0000000000210000-0x0000000000245000-memory.dmp

Filesize
212KB

Download
memory/1136-33-0x0000000002D20000-0x0000000002D55000-memory.dmp

Filesize
212KB

Download
memory/1136-34-0x0000000002D20000-0x0000000002D55000-memory.dmp

Filesize
212KB

Download
memory/1136-35-0x0000000002D20000-0x0000000002D55000-memory.dmp

Filesize
212KB

Download
memory/1136-36-0x0000000002D20000-0x0000000002D55000-memory.dmp

Filesize
212KB

Download
memory/2188-43-0x0000000000480000-0x00000000004B5000-memory.dmp

Filesize
212KB

Download
memory/2188-45-0x0000000000480000-0x00000000004B5000-memory.dmp

Filesize
212KB

Download
memory/2188-41-0x0000000000480000-0x00000000004B5000-memory.dmp

Filesize
212KB

Download
memory/2188-39-0x0000000000480000-0x00000000004B5000-memory.dmp

Filesize
212KB

Download
memory/3012-169-0x0000000000400000-0x000000000279A000-memory.dmp

Filesize
35.6MB

Download
memory/3012-56-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-80-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-174-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/3012-78-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-76-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-72-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/3012-70-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-74-0x0000000077670000-0x0000000077671000-memory.dmp

Filesize
4KB

Download
memory/3012-73-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-66-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-64-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-62-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-60-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-58-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-152-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-54-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-53-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/3012-52-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/3012-51-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/3012-50-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/3012-49-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/3012-68-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3012-26-0x00000000097D0000-0x000000000BB6A000-memory.dmp

Filesize
35.6MB

Download
memory/3012-22-0x00000000097D0000-0x000000000BB6A000-memory.dmp

Filesize
35.6MB

Download
memory/3012-18-0x0000000000400000-0x000000000279A000-memory.dmp

Filesize
35.6MB

Download
memory/3012-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3012-12-0x0000000000400000-0x000000000279A000-memory.dmp

Filesize
35.6MB

Download
memory/3016-30-0x0000000000400000-0x000000000279A000-memory.dmp

Filesize
35.6MB

Download
memory/3016-268-0x0000000000400000-0x000000000279A000-memory.dmp

Filesize
35.6MB

Download