Overview

overview

7

Static

static

7

d769663182...AS.exe

windows7-x64

7

d769663182...AS.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    129s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2024, 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7696631822d0fe19a15b7aac2112c68_NEAS.exe

  • Size

    530KB

  • MD5

    d7696631822d0fe19a15b7aac2112c68

  • SHA1

    1bb1ce20e7aa9ac79a73c9b9129d0499e89a6322

  • SHA256

    e37e575ecc2ca7bc2582d63708fa4fe8bc188ab9e0c30d49457bcc937db4b446

  • SHA512

    381da94926c41b38f8dadb12bd3081c6261c4ba68708ccc45f90ee971469647be76dab8a5908217a4b83b5549d23edeb7067c030fe135076704bd9d04177987d

  • SSDEEP

    12288:smm0T8WJeeAyDzNs6kPUEC1KqUOMu5fw6xN:u04LyFsnK5xN

Score
7/10
persistencespywarestealerupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7696631822d0fe19a15b7aac2112c68_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\d7696631822d0fe19a15b7aac2112c68_NEAS.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Users\Admin\AppData\Local\Temp\EXSx5Wdo0dR2iAd.exe
      C:\Users\Admin\AppData\Local\Temp\EXSx5Wdo0dR2iAd.exe
      2⤵
      • Executes dropped EXE
      PID:408
    • C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    Filesize

    404KB

    MD5

    37c07c2f65d80d47846b0e961b66cec0

    SHA1

    9fe5d83dfee7160d7a208f463f55930a0ed30419

    SHA256

    5db9acf2ede8d82ef4956c5bf30b5437116a1a769cf6ccf1f87a83294c32b37d

    SHA512

    904d3301648052184094a9c9ba9464e8c9ee0d229456b2633be5b54edc1beb36b076e7d8e547406aa7150ae2f81f95cc1e1ca5d4e6fea4b210dd89a102c58639

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\EXSx5Wdo0dR2iAd.exe
    Filesize

    447KB

    MD5

    3f461ca3e3d9da036cf1a4a06ddf4fb4

    SHA1

    15395e4b656cee3a708bc50c1094e3fa0c46802e

    SHA256

    cd8e84c1f8d1ee3a7014343e3fb236329d2b67c1ec233ea4b208d99e3f95105b

    SHA512

    d0cb3f56db648c9ee151990260a864cdcd0d508a1dafcd741d8b2ccd8f73ba29607f384a4e2752502419cfd4a41d2288d7c3ffec93925be85fc39dad9c01e7f5

    Download Submit

  • C:\Windows\CTS.exe
    Filesize

    82KB

    MD5

    546ffd2b72777e6a9e350780b79f99d4

    SHA1

    a620be74a2f432656e38e51cd02fbdc3e3b312c2

    SHA256

    c651b378896fad56ddeb1fec2c578a822bbb13269ec881f9420bbf47c9fbfbb5

    SHA512

    57d49f830f9774ef0a4b6d026211360ea4ebcc6b236b72107401284559c7c589733bccc8af10c5a0cee5b97880d24a4e9954beb81887b1b124f8a42cca456fac

    Download Submit

  • memory/1496-0-0x00000000009F0000-0x0000000000A09000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1496-10-0x00000000009F0000-0x0000000000A09000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4612-9-0x00000000008C0000-0x00000000008D9000-memory.dmp

    Filesize

    100KB

    Download