b153394e2e0ab68cf1f39f258a344cff6b596bfbbc2e88fe128bcdf737ee8482

General

Target

ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
Size

4.9MB
MD5

ad5acf8c9da1c70ee5a6f8336d76ada0
SHA1

51b96f9d3199157ef1615c59ba44c6d670d01ad3
SHA256

b153394e2e0ab68cf1f39f258a344cff6b596bfbbc2e88fe128bcdf737ee8482
SHA512

e8c2110f6883c2fe515dfa43baa73e53b332a2bc9f55239a8826e92b3ffc797d3b5a5ebcee1bd7e975acaf2cb904f633a331ca8489f0d78cdae91dfe6463de70
SSDEEP

98304:3fzwPVqFgqMvt/cps8TgXyN4e/kcLsaHfXdyV024bMQtR2B2+kQUa7h44eJV80f9:PzwPt/AfuizHfXMV0ZLgB4a8380WP+

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2288-0-0x0000000000400000-0x0000000000B53000-memory.dmp	upx
behavioral1/memory/2288-7784-0x0000000000400000-0x0000000000B53000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs

pid	Process
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.2345.com/?28879"	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.2345.com/?28879"	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?28879"	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
2288	ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe

C:\Users\Admin\AppData\Local\Temp\ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\ad5acf8c9da1c70ee5a6f8336d76ada0_NEAS.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2288-562-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-560-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-558-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-556-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-554-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-552-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-550-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-548-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-546-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-544-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-542-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-540-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-536-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-534-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-532-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-530-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-528-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-564-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-538-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-526-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-524-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-522-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-518-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-516-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-514-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-512-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-510-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-508-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-506-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-504-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-520-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-503-0x00000000029A0000-0x0000000002AB1000-memory.dmp

Filesize
1.1MB

Download
memory/2288-1-0x0000000075860000-0x00000000758A7000-memory.dmp

Filesize
284KB

Download
memory/2288-0-0x0000000000400000-0x0000000000B53000-memory.dmp

Filesize
7.3MB

Download
memory/2288-7784-0x0000000000400000-0x0000000000B53000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads