3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 04:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe
Size

152KB
MD5

5a51318d3b0a872098dcbbc5e4a41950
SHA1

894fa17145550f5bffee2941bf7481e6a33d7971
SHA256

3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe
SHA512

4389057cd2450b1d3d00d1e5daf8734b966adb573f3165a119b468416d3498d1d7209c132c1e17cd705fd6754a2f452cc877387a71c895decb3c73720c2e989f
SSDEEP

3072:T3D8IpK9xKA9w2p4QZisLaazNiIIkyyqN4oQZiENIx2r:T3DrpKxY+1isuazgfklcWMxq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	neaar.exe

Executes dropped EXE 1 IoCs

pid	Process
1396	neaar.exe

Loads dropped DLL 2 IoCs

pid	Process
1652	3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe
1652	3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /f"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /X"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /I"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /H"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /e"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /Y"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /n"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /t"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /P"	3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /b"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /M"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /r"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /y"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /R"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /G"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /z"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /S"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /V"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /T"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /h"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /a"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /K"	neaar.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /v"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /W"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /J"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /m"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /j"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /B"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /w"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /o"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /i"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /x"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /O"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /q"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /A"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /c"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /L"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /s"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /P"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /d"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /D"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /k"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /u"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /E"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /N"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /p"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /C"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /Q"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /F"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /l"	neaar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\neaar = "C:\\Users\\Admin\\neaar.exe /U"	neaar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1652	3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe
1396	neaar.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1652	3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe
1396	neaar.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1396	1652	3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe	27
PID 1652 wrote to memory of 1396	1652	3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe	27
PID 1652 wrote to memory of 1396	1652	3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe	27
PID 1652 wrote to memory of 1396	1652	3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe	27

C:\Users\Admin\AppData\Local\Temp\3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe
"C:\Users\Admin\AppData\Local\Temp\3e807ea0646c72d0ada49a2d03d668ea6d7a00956369cd8fb6be931f9704bcfe.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\neaar.exe
  "C:\Users\Admin\neaar.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\neaar.exe

Filesize
152KB

MD5
3c15af9d3d98226a116f83bbe95a7b8a

SHA1
f7c5fd50f3ff2717267466ec464db5178a0410c1

SHA256
f436dcd53849e4f4f21aca4f3b5de05e16679ac1a103e14874250d396b13b3ba

SHA512
6ba7f399574eb62c26a484f07d09ce2ff2140a0ed3a38b114983730456df15a50e23826316a6521801a7a7475189e59108562e79573c0518bd3b5eaf20216418

Download Submit
C:\Users\Admin\neaar.exe

Filesize
152KB

MD5
3c15af9d3d98226a116f83bbe95a7b8a

SHA1
f7c5fd50f3ff2717267466ec464db5178a0410c1

SHA256
f436dcd53849e4f4f21aca4f3b5de05e16679ac1a103e14874250d396b13b3ba

SHA512
6ba7f399574eb62c26a484f07d09ce2ff2140a0ed3a38b114983730456df15a50e23826316a6521801a7a7475189e59108562e79573c0518bd3b5eaf20216418

Download Submit
\Users\Admin\neaar.exe

Filesize
152KB

MD5
3c15af9d3d98226a116f83bbe95a7b8a

SHA1
f7c5fd50f3ff2717267466ec464db5178a0410c1

SHA256
f436dcd53849e4f4f21aca4f3b5de05e16679ac1a103e14874250d396b13b3ba

SHA512
6ba7f399574eb62c26a484f07d09ce2ff2140a0ed3a38b114983730456df15a50e23826316a6521801a7a7475189e59108562e79573c0518bd3b5eaf20216418

Download Submit
\Users\Admin\neaar.exe

Filesize
152KB

MD5
3c15af9d3d98226a116f83bbe95a7b8a

SHA1
f7c5fd50f3ff2717267466ec464db5178a0410c1

SHA256
f436dcd53849e4f4f21aca4f3b5de05e16679ac1a103e14874250d396b13b3ba

SHA512
6ba7f399574eb62c26a484f07d09ce2ff2140a0ed3a38b114983730456df15a50e23826316a6521801a7a7475189e59108562e79573c0518bd3b5eaf20216418

Download Submit
memory/1652-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download