Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/05/2024, 15:26 UTC

General

  • Target

    ca5598376def17dbd0338edd6ad237f0_NEAS.exe

  • Size

    69KB

  • MD5

    ca5598376def17dbd0338edd6ad237f0

  • SHA1

    0208f2287739dc748b6abad1f6bcb7383fc6d09f

  • SHA256

    6b429aa1d0d27695c2dc672c2960151b8e0c8706bcec89332de8491cbf29902b

  • SHA512

    5f931ebf605e628b1c6fc741c283d7ee1c5e86313dacd44de513243e7be00a75dcfc403f34cb2bea5e929010a6ab16edd5c986c2ee2e2d6118164d2de0187820

  • SSDEEP

    1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8Dg:Olg35GTslA5t3/w8Dg

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1200
        • C:\Users\Admin\AppData\Local\Temp\ca5598376def17dbd0338edd6ad237f0_NEAS.exe
          "C:\Users\Admin\AppData\Local\Temp\ca5598376def17dbd0338edd6ad237f0_NEAS.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1180
          • C:\Windows\SysWOW64\igputes.exe
            "C:\Windows\system32\igputes.exe"
            3⤵
            • Windows security bypass
            • Modifies Installed Components in the registry
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Modifies WinLogon
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1628
            • C:\Windows\SysWOW64\igputes.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1836
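
      The signatures on igputes.exe name two persistence mechanisms without showing the values written: "Sets file execution options in registry" is the wording for writes under the Image File Execution Options key, and "Modifies WinLogon" covers the Winlogon key whose Shell and Userinit values run at every interactive logon. The Python below is an added example, not part of the sandbox report or the sample, that audits a .reg export for both and ties hits back to the file names the process tree and Downloads table show being dropped into SysWOW64. The contents of SAMPLE_REG are constructed and hypothetical: the report does not say which keys or values the sample actually wrote.

```python
"""Audit a Windows registry export for the two persistence techniques the
sandbox signatures name: 'Sets file execution options in registry' (an
Image File Execution Options 'Debugger' value) and 'Modifies WinLogon'
(Shell/Userinit tampering), then tie findings back to the dropped files.

Added example for this report. The registry export below is CONSTRUCTED:
the report does not show which values the sample wrote, so the IFEO
target, Debugger path and Userinit entry are hypothetical illustrations."""
from typing import Dict, List, Tuple

# File names from the report's process tree and Downloads table.
DROPPED_NAMES = {"igputes.exe", "eafcoanut-otoot.exe",
                 "ouploarur.exe", "oukdoafib-uxac.dll"}

WINLOGON_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                r"\CurrentVersion\Winlogon")
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Clean-system defaults (compared case-insensitively).
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed .reg export (hypothetical values, see module docstring).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\SysWOW64\\igputes.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\SysWOW64\\ouploarur.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
'''


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key: {value_name: data}}.

    String data has its quotes stripped and the .reg escapes for backslash
    and double quote undone; DWORD/hex data is kept as the raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (technique, key, data) findings for Winlogon and IFEO abuse."""
    findings: List[Tuple[str, str, str]] = []
    winlogon = keys.get(WINLOGON_KEY, {})
    shell = winlogon.get("Shell")
    if shell is not None and shell.strip().lower() != DEFAULT_SHELL:
        findings.append(("winlogon-shell", WINLOGON_KEY, shell))
    userinit = winlogon.get("Userinit")
    if userinit is not None:
        # Userinit is a comma-separated list; anything beyond the default
        # userinit.exe runs at every interactive logon.
        extra = [e.strip() for e in userinit.split(",")
                 if e.strip() and e.strip().lower() != DEFAULT_USERINIT]
        if extra:
            findings.append(("winlogon-userinit", WINLOGON_KEY, ";".join(extra)))
    prefix = IFEO_KEY.lower() + "\\"
    for key, values in keys.items():
        # A Debugger value under IFEO\<image> makes Windows start that path
        # (with the original command line appended) instead of the image.
        if key.lower().startswith(prefix) and "Debugger" in values:
            findings.append(("ifeo-debugger", key, values["Debugger"]))
    return findings


def references_dropped_file(data: str) -> bool:
    """True when a finding's data names a file this sample dropped."""
    lowered = data.lower()
    return any(name in lowered for name in DROPPED_NAMES)


if __name__ == "__main__":
    for technique, key, data in audit(parse_reg(SAMPLE_REG)):
        flag = " <- dropped file" if references_dropped_file(data) else ""
        print(f"{technique:18} {key}\n{'':18} {data}{flag}")
```

      On a live host the same audit runs against the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" dump.reg`; the Shell comparison is deliberately exact because any appended path, not only a replaced one, is a persistence entry.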

      Network

        DNS
        gzygoeqwprw.ph
        igputes.exe
        Remote address:
        8.8.8.8:53
        Request
        gzygoeqwprw.ph
        IN A
        Response
        gzygoeqwprw.ph
        IN A
        45.79.222.138
        HTTP
        igputes.exe
        Remote address:
        45.79.222.138:80
        Response
        HTTP/1.1 400 Bad request
        Content-length: 90
        Cache-Control: no-cache
        Connection: close
        Content-Type: text/html
        DNS
        utbidet-ugeas.biz
        igputes.exe
        Remote address:
        8.8.8.8:53
        Request
        utbidet-ugeas.biz
        IN A
        Response
        utbidet-ugeas.biz
        IN A
        54.157.24.8
        GET
        http://utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825
        igputes.exe
        Remote address:
        54.157.24.8:80
        Request
        GET /d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825 HTTP/1.0
        Host: utbidet-ugeas.biz
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
        Response
        HTTP/1.1 302 Moved Temporarily
        Server: openresty
        Date: Tue, 07 May 2024 15:26:35 GMT
        Content-Type: text/html
        Content-Length: 142
        Connection: close
        Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
        Location: http://ww99.utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825
        Cache-Control: no-store, max-age=0
        DNS
        utbidet-ugeas.biz
        igputes.exe
        Remote address:
        8.8.8.8:53
        Request
        utbidet-ugeas.biz
        IN A
        Response
        utbidet-ugeas.biz
        IN A
        54.157.24.8
        GET
        http://utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825
        igputes.exe
        Remote address:
        54.157.24.8:80
        Request
        GET /d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
        Host: utbidet-ugeas.biz
        Cache-Control: no-cache
        Response
        HTTP/1.1 302 Moved Temporarily
        Server: openresty
        Date: Tue, 07 May 2024 15:26:35 GMT
        Content-Type: text/html
        Content-Length: 142
        Connection: keep-alive
        Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
        Location: http://ww99.utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825
        Cache-Control: no-store, max-age=0
      • 45.79.222.138:80
        gzygoeqwprw.ph
        http
        igputes.exe
        236 B
        339 B
        5
        3

        HTTP Response

        400
      • 54.157.24.8:80
        http://utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825
        http
        igputes.exe
        427 B
        741 B
        5
        4

        HTTP Request

        GET http://utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825

        HTTP Response

        302
      • 54.157.24.8:80
        http://utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825
        http
        igputes.exe
        833 B
        1.4kB
        13
        5

        HTTP Request

        GET http://utbidet-ugeas.biz/d/N?02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02E4A9141B81FC5743BBFA401582F8465EF2A825

        HTTP Response

        302
      • 8.8.8.8:53
        gzygoeqwprw.ph
        dns
        igputes.exe
        60 B
        76 B
        1
        1

        DNS Request

        gzygoeqwprw.ph

        DNS Response

        45.79.222.138

      • 8.8.8.8:53
        utbidet-ugeas.biz
        dns
        igputes.exe
        63 B
        79 B
        1
        1

        DNS Request

        utbidet-ugeas.biz

        DNS Response

        54.157.24.8

      • 8.8.8.8:53
        utbidet-ugeas.biz
        dns
        igputes.exe
        63 B
        79 B
        1
        1

        DNS Request

        utbidet-ugeas.biz

        DNS Response

        54.157.24.8
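
      The network records above give four indicator types worth hunting for elsewhere: the two queried names (and the ww99. subdomain the 302 redirects to), the two resolved IPs, the /d/N request path carrying a 102-character hex query, and a User-Agent claiming MSIE 6.0 in two variants (with and without "; Win32"). The Python below is an added example, not part of the sandbox report, that matches those indicators against log lines. LOG_LINES are constructed in a simple space-separated format to stand in for a proxy and resolver log; the example.com entries are benign filler.

```python
"""Match the network indicators captured in the report (the two DNS names
and their resolved IPs, the /d/N?<hex> request path and the legacy
MSIE 6.0 User-Agent) against proxy and resolver log lines.

Added example for this report. LOG_LINES are CONSTRUCTED in a simple
space-separated format (timestamp client kind ...) to stand in for a
real proxy/DNS log; the example.com lines are benign filler."""
import re
import shlex
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Indicators taken from the report's Network section.
DOMAINS = {"gzygoeqwprw.ph", "utbidet-ugeas.biz"}
IPS = {"45.79.222.138", "54.157.24.8"}
URL_PATH = "/d/N"
# Both observed UA variants, with and without the "; Win32" token.
LEGACY_UA = re.compile(r"Mozilla/4\.0 \(compatible; MSIE 6\.0(; Win32)?\)")

# The query string from the observed GET request (102 hex characters).
QUERY = ("02992535D2992535D2AB2519D29925AC84BB075D9498253FAD99F003FCA80B02"
         "E4A9141B81FC5743BBFA401582F8465EF2A825")

# Constructed log lines.  dns:  ts client dns <qname> A <answer>
#                         http: ts client http <dst:port> GET <url> "<ua>" <status>
LOG_LINES = [
    '2024-05-07T15:26:30Z 10.0.0.12 dns gzygoeqwprw.ph A 45.79.222.138',
    '2024-05-07T15:26:31Z 10.0.0.12 http 45.79.222.138:80 GET http://gzygoeqwprw.ph/ '
    '"Mozilla/4.0 (compatible; MSIE 6.0)" 400',
    f'2024-05-07T15:26:35Z 10.0.0.12 http 54.157.24.8:80 GET http://utbidet-ugeas.biz{URL_PATH}?{QUERY} '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Win32)" 302',
    '2024-05-07T15:26:36Z 10.0.0.12 dns ww99.utbidet-ugeas.biz A 54.157.24.8',
    '2024-05-07T15:26:40Z 10.0.0.40 dns example.com A 93.184.216.34',
    '2024-05-07T15:26:41Z 10.0.0.40 http 93.184.216.34:80 GET http://example.com/index.html '
    '"Mozilla/5.0 (Windows NT 6.1; Trident/7.0)" 200',
]


def domain_matches(host: str) -> bool:
    """Exact match or subdomain of a listed domain (catches ww99.<domain>)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def query_payload_len(url: str) -> int:
    """Byte length of a pure-hex query string such as /d/N?<hex>; -1 if not hex."""
    query = urlsplit(url).query
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", query):
        return -1
    return len(bytes.fromhex(query))


@dataclass
class Hit:
    line_no: int
    reasons: List[str]


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line that matches any indicator."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, 1):
        parts = shlex.split(line)  # keeps the quoted User-Agent together
        if len(parts) < 6:
            continue
        kind, reasons = parts[2], []
        if kind == "dns":
            qname, answer = parts[3], parts[5]
            if domain_matches(qname):
                reasons.append(f"dns:{qname}")
            if answer in IPS:
                reasons.append(f"resolves-to:{answer}")
        elif kind == "http" and len(parts) >= 7:
            dst_ip = parts[3].rsplit(":", 1)[0]
            url, ua = parts[5], parts[6]
            u = urlsplit(url)
            if dst_ip in IPS:
                reasons.append(f"dst-ip:{dst_ip}")
            if domain_matches(u.hostname or ""):
                reasons.append(f"host:{u.hostname}")
            if u.path == URL_PATH and query_payload_len(url) > 0:
                reasons.append("path:/d/N+hex-query")
            if LEGACY_UA.fullmatch(ua):
                reasons.append("legacy-ua")
        if reasons:
            hits.append(Hit(line_no, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(f"line {hit.line_no}: {', '.join(hit.reasons)}")
```

      Matching the resolved IPs and the redirect subdomain separately from the queried names matters here: the 54.157.24.8 host answers with a 302 to ww99.utbidet-ugeas.biz, so a rule keyed only on the exact name in the report would miss the follow-up request. The hex query is treated as opaque; the report does not show how it is encoded, and the example only checks that it decodes as bytes.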

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Windows\SysWOW64\eafcoanut-otoot.exe

        Filesize

        71KB

        MD5

        26e5f13c09d260093a8e9ad70f76df94

        SHA1

        d94bfc198ba2a6218379820c64c262bd7c06e2f1

        SHA256

        4d99ced231257e3358ddc93eeffb67082a4aae5b6ca9cd57af999bfb6d9afb3d

        SHA512

        a521fed94fd000ed92ae498208ab32ca49782c17bed8a50c9d864e17c78cf5c4c9b4911628cfbc42d214ff421bc7d53fd0f15420ca04b227853f8168b074416e

      • C:\Windows\SysWOW64\oukdoafib-uxac.dll

        Filesize

        5KB

        MD5

        f37b21c00fd81bd93c89ce741a88f183

        SHA1

        b2796500597c68e2f5638e1101b46eaf32676c1c

        SHA256

        76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

        SHA512

        252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

      • C:\Windows\SysWOW64\ouploarur.exe

        Filesize

        72KB

        MD5

        8aa623406b54720358d342c044c7d144

        SHA1

        ac3043971f81bb492fd0783895a96aa2b0f4f4e2

        SHA256

        bc19fad5fff5fe0a78338d45960969629888f668d076685b960648f739480007

        SHA512

        cb4d43c5fcb456d4fd2b11c9e007579017f98b5602d484f02699ea881a07b555b4d3df7c35929269ebb2adc58e075b004e7d846e945132a05aa976499e1e5f44

      • \Windows\SysWOW64\igputes.exe

        Filesize

        69KB

        MD5

        ca5598376def17dbd0338edd6ad237f0

        SHA1

        0208f2287739dc748b6abad1f6bcb7383fc6d09f

        SHA256

        6b429aa1d0d27695c2dc672c2960151b8e0c8706bcec89332de8491cbf29902b

        SHA512

        5f931ebf605e628b1c6fc741c283d7ee1c5e86313dacd44de513243e7be00a75dcfc403f34cb2bea5e929010a6ab16edd5c986c2ee2e2d6118164d2de0187820

      • memory/1180-10-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/1628-55-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/1836-56-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB
