Overview

overview

7

Static

static

7

462b4bc6cc...AS.exe

windows7-x64

7

462b4bc6cc...AS.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    07/05/2024, 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    462b4bc6cc65b9709ef6b44cec2bf4b0_NEAS.exe

  • Size

    27KB

  • MD5

    462b4bc6cc65b9709ef6b44cec2bf4b0

  • SHA1

    827a5c4b40171cbc63dd574e637362fb5ebe1d41

  • SHA256

    9ed1217db228b656d6fc139429cef0b9708b9224757900218004a59433ee00db

  • SHA512

    a7d3cb5f06a44db584b7f54b47297fb82aa3810804f9467a3a4792965a9e46d94bdc6d381c97d027c07383a7b9e9970ebc2929283b625a598fe81deb4954d26e

  • SSDEEP

    768:X9J/3FzjgfanEGx8V36unjv88tznuRU65Y4gpph1ePVCMN:N5VzcfA/6LrVpL74gfh16nN

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\462b4bc6cc65b9709ef6b44cec2bf4b0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\462b4bc6cc65b9709ef6b44cec2bf4b0_NEAS.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2552

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bdTTuz8vR4srWJ1.exe
    Filesize

    27KB

    MD5

    96ddc57a1169a4a38db2ea7a7fc03f51

    SHA1

    e6127ce9debe1423cefc33cc00f18d6f78dd539a

    SHA256

    6a5b40f05bce8f9906f1a2b83cd5d40483e4ac056334f9f2881d3bbd22e0e151

    SHA512

    368d9ce19462312a8151313a518097ad6a6d498bde4af64df8f60022ddcef40aeb6c0e6e4118e9e9a157468342e7986cb45925aa4cfc576a06b2894a7929e889

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    27KB

    MD5

    a6749b968461644db5cc0ecceffb224a

    SHA1

    2795aa37b8586986a34437081351cdd791749a90

    SHA256

    720023737d7ff700818f55612ba069a609a5ddea646bb3509b615ee3523a4ca2

    SHA512

    2a276816290746ed914af9cf6427aef31ce9395b8e9937090e329a8f74fb84c62d15b196e13346caa086842b3f5f549b9eb20cbf422d18c9c1b63e6342ea90b4

    Download Submit

  • memory/1716-0-0x0000000000A40000-0x0000000000A58000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1716-10-0x0000000000A40000-0x0000000000A58000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2552-11-0x0000000000C60000-0x0000000000C78000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2552-17-0x0000000000C60000-0x0000000000C78000-memory.dmp

    Filesize

    96KB

    Download