b990e7f5247dc5b00282bb866c170787c104bd69012551bff180149d6fa01428

General

Target

8f8122f5288bd45291a93922a079e0e0_NEAS.exe
Size

225KB
MD5

8f8122f5288bd45291a93922a079e0e0
SHA1

53460f94b4c0608a0b2aef119785605ec4dc8d1c
SHA256

b990e7f5247dc5b00282bb866c170787c104bd69012551bff180149d6fa01428
SHA512

e01a54ac249ca8a4fb5993e87b1d9c9216e61d9b84348a63dc224ec47078ba11d6aa98a87cce2427a3e57b97cb8661e90e17da9181746c6d1c618d667a798835
SSDEEP

3072:Xjr87S7Gnz55Eocq0g1eUfMJceuUiv20VCGomDv3V/7f1M8kmvmMCEz5:sZl2lqJxMJ3up+eCGDNDtR5CEz5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4284	dYy4sSlEZg9JIit.exe
1732	CTS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1240-0-0x0000000000AB0000-0x0000000000AC9000-memory.dmp	upx
behavioral2/files/0x000d000000023bac-6.dat	upx
behavioral2/memory/1732-7-0x00000000004B0000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/1240-8-0x0000000000AB0000-0x0000000000AC9000-memory.dmp	upx
behavioral2/files/0x0003000000022967-12.dat	upx
behavioral2/memory/1732-37-0x00000000004B0000-0x00000000004C9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	8f8122f5288bd45291a93922a079e0e0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	8f8122f5288bd45291a93922a079e0e0_NEAS.exe
File created	C:\Windows\CTS.exe	CTS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	8f8122f5288bd45291a93922a079e0e0_NEAS.exe
Token: SeDebugPrivilege	1732	CTS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 4284	1240	8f8122f5288bd45291a93922a079e0e0_NEAS.exe	83
PID 1240 wrote to memory of 4284	1240	8f8122f5288bd45291a93922a079e0e0_NEAS.exe	83
PID 1240 wrote to memory of 1732	1240	8f8122f5288bd45291a93922a079e0e0_NEAS.exe	84
PID 1240 wrote to memory of 1732	1240	8f8122f5288bd45291a93922a079e0e0_NEAS.exe	84
PID 1240 wrote to memory of 1732	1240	8f8122f5288bd45291a93922a079e0e0_NEAS.exe	84

C:\Users\Admin\AppData\Local\Temp\8f8122f5288bd45291a93922a079e0e0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\8f8122f5288bd45291a93922a079e0e0_NEAS.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\dYy4sSlEZg9JIit.exe
  C:\Users\Admin\AppData\Local\Temp\dYy4sSlEZg9JIit.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
404KB

MD5
71b35d815353c0187104f380098e23ab

SHA1
befdd3298f3e4038f37be0f4878174ce818b812b

SHA256
82cacf211b4d076a47a70dd3c67ff1c54dfa5c40e0c858d0489382811d60f26a

SHA512
6044c70e80bec072b62db04edac0a37c71cdea237d10ed018014bd4083f0f003ad1d86f731883d189286131d5b9e08de9161ec03d78c8992ef7bcae2b8329a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYy4sSlEZg9JIit.exe

Filesize
143KB

MD5
b27ea830fb39bc056e65f9a2260ae216

SHA1
b69e40ee5cabe0721d2d1e9fbdd4088fd87592d6

SHA256
fb7fab836f744d669451dcd38aa7d2a9c74c6af893c258d079439b58abce70d8

SHA512
22cad79d90a949174828ee5e3ce621113591c7c991c55c1a6a44a4555002adeb3bcbd9bab6cfbbfdefd663b76ac2dae96d70a01c527b312c7e8d223334a30219

Download Submit
C:\Windows\CTS.exe

Filesize
82KB

MD5
546ffd2b72777e6a9e350780b79f99d4

SHA1
a620be74a2f432656e38e51cd02fbdc3e3b312c2

SHA256
c651b378896fad56ddeb1fec2c578a822bbb13269ec881f9420bbf47c9fbfbb5

SHA512
57d49f830f9774ef0a4b6d026211360ea4ebcc6b236b72107401284559c7c589733bccc8af10c5a0cee5b97880d24a4e9954beb81887b1b124f8a42cca456fac

Download Submit
memory/1240-0-0x0000000000AB0000-0x0000000000AC9000-memory.dmp

Filesize
100KB

Download
memory/1240-8-0x0000000000AB0000-0x0000000000AC9000-memory.dmp

Filesize
100KB

Download
memory/1732-7-0x00000000004B0000-0x00000000004C9000-memory.dmp

Filesize
100KB

Download
memory/1732-37-0x00000000004B0000-0x00000000004C9000-memory.dmp

Filesize
100KB

Download
memory/4284-15-0x00007FFE2A423000-0x00007FFE2A425000-memory.dmp

Filesize
8KB

Download
memory/4284-19-0x0000000000980000-0x00000000009A8000-memory.dmp

Filesize
160KB

Download
memory/4284-26-0x00007FFE2A420000-0x00007FFE2AEE1000-memory.dmp

Filesize
10.8MB

Download
memory/4284-38-0x00007FFE2A420000-0x00007FFE2AEE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads