e7329824dad59cbd0ed4c52986c53cb7b7305421522abdea588d767355510879

Analysis

max time kernel
201s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.275e5c59d314445561b521b78413a590.exe
Size

196KB
MD5

275e5c59d314445561b521b78413a590
SHA1

31b10a1edbe359ad20d79669616cd205646ea53f
SHA256

e7329824dad59cbd0ed4c52986c53cb7b7305421522abdea588d767355510879
SHA512

2f8387aa45322bf6562c7acb7ce63184e4479385cf751cb83a079c50660bf1d37964a81deb53fce50d032a8d254c4a1546f049d13d5c7242219f61fb77f445a9
SSDEEP

3072:ZOgUXoutNnkxZVX4/awxfodLJUBv9Bsor1rHjhMU9npQQpmuG:ZFYoS2RARoYlld9n2Qpmx

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.275e5c59d314445561b521b78413a590.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.275e5c59d314445561b521b78413a590.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.275e5c59d314445561b521b78413a590.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.275e5c59d314445561b521b78413a590.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 11 IoCs

pid	Process
2276	xk.exe
1064	IExplorer.exe
4068	WINLOGON.EXE
4448	CSRSS.EXE
3328	SERVICES.EXE
1216	LSASS.EXE
488	SMSS.EXE
3732	xk.exe
4380	IExplorer.exe
1808	WINLOGON.EXE
4580	CSRSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.275e5c59d314445561b521b78413a590.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3260-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231ce-8.dat	upx
behavioral2/memory/3260-29-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231d2-64.dat	upx
behavioral2/files/0x00060000000231d2-65.dat	upx
behavioral2/files/0x00060000000231d8-69.dat	upx
behavioral2/memory/2276-70-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231d8-71.dat	upx
behavioral2/memory/1064-74-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231dc-76.dat	upx
behavioral2/files/0x00060000000231dc-77.dat	upx
behavioral2/memory/4068-80-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231dd-82.dat	upx
behavioral2/files/0x00060000000231dd-84.dat	upx
behavioral2/memory/4448-87-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231de-89.dat	upx
behavioral2/files/0x00060000000231de-90.dat	upx
behavioral2/memory/3328-93-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231df-95.dat	upx
behavioral2/files/0x00060000000231df-97.dat	upx
behavioral2/memory/1216-99-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231e0-103.dat	upx
behavioral2/memory/1216-101-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/488-105-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231e0-104.dat	upx
behavioral2/memory/488-108-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/3260-134-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231d2-228.dat	upx
behavioral2/memory/3732-231-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231d8-233.dat	upx
behavioral2/memory/4380-264-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231dc-269.dat	upx
behavioral2/memory/1808-273-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231dd-304.dat	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	NEAS.275e5c59d314445561b521b78413a590.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	NEAS.275e5c59d314445561b521b78413a590.exe
File created	C:\desktop.ini	NEAS.275e5c59d314445561b521b78413a590.exe
File opened for modification	F:\desktop.ini	NEAS.275e5c59d314445561b521b78413a590.exe
File created	F:\desktop.ini	NEAS.275e5c59d314445561b521b78413a590.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\Q:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\R:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\U:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\E:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\H:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\L:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\M:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\N:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\X:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\Y:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\B:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\I:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\J:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\P:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\T:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\Z:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\V:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\W:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\G:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\K:	NEAS.275e5c59d314445561b521b78413a590.exe
File opened (read-only)	\??\S:	NEAS.275e5c59d314445561b521b78413a590.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	NEAS.275e5c59d314445561b521b78413a590.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.275e5c59d314445561b521b78413a590.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.275e5c59d314445561b521b78413a590.exe
File created	C:\Windows\SysWOW64\shell.exe	NEAS.275e5c59d314445561b521b78413a590.exe
File created	C:\Windows\SysWOW64\Mig2.scr	NEAS.275e5c59d314445561b521b78413a590.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.275e5c59d314445561b521b78413a590.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	NEAS.275e5c59d314445561b521b78413a590.exe
File created	C:\Windows\xk.exe	NEAS.275e5c59d314445561b521b78413a590.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\Desktop\	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	NEAS.275e5c59d314445561b521b78413a590.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	NEAS.275e5c59d314445561b521b78413a590.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3260	NEAS.275e5c59d314445561b521b78413a590.exe
3260	NEAS.275e5c59d314445561b521b78413a590.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3260	NEAS.275e5c59d314445561b521b78413a590.exe
2276	xk.exe
1064	IExplorer.exe
4068	WINLOGON.EXE
4448	CSRSS.EXE
3328	SERVICES.EXE
1216	LSASS.EXE
488	SMSS.EXE
3732	xk.exe
4380	IExplorer.exe
1808	WINLOGON.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 2276	3260	NEAS.275e5c59d314445561b521b78413a590.exe	85
PID 3260 wrote to memory of 2276	3260	NEAS.275e5c59d314445561b521b78413a590.exe	85
PID 3260 wrote to memory of 2276	3260	NEAS.275e5c59d314445561b521b78413a590.exe	85
PID 3260 wrote to memory of 1064	3260	NEAS.275e5c59d314445561b521b78413a590.exe	86
PID 3260 wrote to memory of 1064	3260	NEAS.275e5c59d314445561b521b78413a590.exe	86
PID 3260 wrote to memory of 1064	3260	NEAS.275e5c59d314445561b521b78413a590.exe	86
PID 3260 wrote to memory of 4068	3260	NEAS.275e5c59d314445561b521b78413a590.exe	87
PID 3260 wrote to memory of 4068	3260	NEAS.275e5c59d314445561b521b78413a590.exe	87
PID 3260 wrote to memory of 4068	3260	NEAS.275e5c59d314445561b521b78413a590.exe	87
PID 3260 wrote to memory of 4448	3260	NEAS.275e5c59d314445561b521b78413a590.exe	89
PID 3260 wrote to memory of 4448	3260	NEAS.275e5c59d314445561b521b78413a590.exe	89
PID 3260 wrote to memory of 4448	3260	NEAS.275e5c59d314445561b521b78413a590.exe	89
PID 3260 wrote to memory of 3328	3260	NEAS.275e5c59d314445561b521b78413a590.exe	90
PID 3260 wrote to memory of 3328	3260	NEAS.275e5c59d314445561b521b78413a590.exe	90
PID 3260 wrote to memory of 3328	3260	NEAS.275e5c59d314445561b521b78413a590.exe	90
PID 3260 wrote to memory of 1216	3260	NEAS.275e5c59d314445561b521b78413a590.exe	91
PID 3260 wrote to memory of 1216	3260	NEAS.275e5c59d314445561b521b78413a590.exe	91
PID 3260 wrote to memory of 1216	3260	NEAS.275e5c59d314445561b521b78413a590.exe	91
PID 3260 wrote to memory of 488	3260	NEAS.275e5c59d314445561b521b78413a590.exe	92
PID 3260 wrote to memory of 488	3260	NEAS.275e5c59d314445561b521b78413a590.exe	92
PID 3260 wrote to memory of 488	3260	NEAS.275e5c59d314445561b521b78413a590.exe	92
PID 3260 wrote to memory of 3732	3260	NEAS.275e5c59d314445561b521b78413a590.exe	97
PID 3260 wrote to memory of 3732	3260	NEAS.275e5c59d314445561b521b78413a590.exe	97
PID 3260 wrote to memory of 3732	3260	NEAS.275e5c59d314445561b521b78413a590.exe	97
PID 3260 wrote to memory of 4380	3260	NEAS.275e5c59d314445561b521b78413a590.exe	99
PID 3260 wrote to memory of 4380	3260	NEAS.275e5c59d314445561b521b78413a590.exe	99
PID 3260 wrote to memory of 4380	3260	NEAS.275e5c59d314445561b521b78413a590.exe	99
PID 3260 wrote to memory of 1808	3260	NEAS.275e5c59d314445561b521b78413a590.exe	100
PID 3260 wrote to memory of 1808	3260	NEAS.275e5c59d314445561b521b78413a590.exe	100
PID 3260 wrote to memory of 1808	3260	NEAS.275e5c59d314445561b521b78413a590.exe	100
PID 3260 wrote to memory of 4580	3260	NEAS.275e5c59d314445561b521b78413a590.exe	105
PID 3260 wrote to memory of 4580	3260	NEAS.275e5c59d314445561b521b78413a590.exe	105
PID 3260 wrote to memory of 4580	3260	NEAS.275e5c59d314445561b521b78413a590.exe	105

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.275e5c59d314445561b521b78413a590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.275e5c59d314445561b521b78413a590.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.275e5c59d314445561b521b78413a590.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.275e5c59d314445561b521b78413a590.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.275e5c59d314445561b521b78413a590.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3260
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2276
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1064
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4068
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4448
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3328
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1216
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:488
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3732
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4380
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1808
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
ee6e09297d4b6fbc7853a003fabb9dc4

SHA1
8bdbbd1b5a9e9514015dff01bfa35e01130af7c1

SHA256
33611f71abf97ede231d828338202d97cc0bf79a9d3cedd0abf0f00ba743c12e

SHA512
2a7a03796bc0b40ec0655953164b3b1469f2f3810663e9a2f48f14ae4139a3950a3677b027de5a32356302127a8957618233a955488e2094f28d56e8e0d27988

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
c37c7c0b77e659c3db6f04ad7bb1a26a

SHA1
b2d39652716b0c30e35b48b1ff587c458baacd0c

SHA256
535407aea4278a41a9565883fd709c2757929f10942c6cdea7ca0bea0104e82b

SHA512
2b01bedaf020b89ac8374e60490a2e34a2dcbe72d2eed368edb239363616273311b74d005fb23b192a89109c7a04927c06ae21ae977b45e4988f09e38f6cf915

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
afe014eb7dec2e38cb8fdb55294617e0

SHA1
a8bd3119764217732c121a3aa4c83622a2f73824

SHA256
b0fedda813c0df6e29badd24db2abfb8e890416543b11d2e01ed0cb5f4b1a6eb

SHA512
ff9c9bc2eb2d78037bf0369a5bde77b75a02811d23ba94ed70e1e25ee14418907d13658e9a603d7371d978ca2ba157e26b9e381180306a4eaf8eeaba8631dedb

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
6e611396401c281bdc4b5107945c977e

SHA1
50b4424074d2e8ba36759d1a6638d5675fa57c32

SHA256
c682bbd3eb9f1c99a4c3d9264a73e0f03d7b0951d2596a6069e5d436a54e8ce3

SHA512
50509749a5726f650e92d9377e8fccf77b3ee1c9b73c7425df6613753ec0d65f29b1e5d5c7c379f4ec65b8102766cd2b4d382ad5b80452f902cf9c3c48d07218

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
0a68566dbb5131af2b5d2b934cffaafe

SHA1
5e15f63bb3483bc6573a1b5887e7b36ba6ebac75

SHA256
fc2d271c00ad11a83d6bbc9dec4df81ff6859ae659f6138edea087616f789c0c

SHA512
b81d11674a41532befe5f9a51805911095b9fbcdd0f5973a4ad723cf18fbe47f35f7b43591f514f3513f2e186517c2d166793821e86c153bd7c709557700bf8e

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
f47daebcf76c2aee75321b50f2c751ef

SHA1
8b4f493e3f68b5047d5ebaf82f778976565aae30

SHA256
4db5c1b929f9abc6d399ad41e01cf0118ca413965753146356b09b1d50adfaec

SHA512
a9ff899e9a0c99b96e9b2313be22accd7239a20dcb65bc95aec16bfa2700c16b5c8c082d5272c879dcd82661d1f31bb6f3ec1426e25b20780f4bc64305b13853

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
f329af6032b2daf4d3a95ef13006da7d

SHA1
d050291cef55cb4b01e0c80b16e7bbaa68a268e2

SHA256
9fcf508e6922efeb465b4bf457deeb9a60207521bd9c6b9a3150fdaa64214854

SHA512
eb8a7d17254fd70b22bdd4d407d2b950189d34567ddc030a1ab630ac4023590fcccb446e2d49a3156b76014ab2ad3e8ec837670477ecc65bf10187922e2cf144

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
196KB

MD5
275e5c59d314445561b521b78413a590

SHA1
31b10a1edbe359ad20d79669616cd205646ea53f

SHA256
e7329824dad59cbd0ed4c52986c53cb7b7305421522abdea588d767355510879

SHA512
2f8387aa45322bf6562c7acb7ce63184e4479385cf751cb83a079c50660bf1d37964a81deb53fce50d032a8d254c4a1546f049d13d5c7242219f61fb77f445a9

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
c37c7c0b77e659c3db6f04ad7bb1a26a

SHA1
b2d39652716b0c30e35b48b1ff587c458baacd0c

SHA256
535407aea4278a41a9565883fd709c2757929f10942c6cdea7ca0bea0104e82b

SHA512
2b01bedaf020b89ac8374e60490a2e34a2dcbe72d2eed368edb239363616273311b74d005fb23b192a89109c7a04927c06ae21ae977b45e4988f09e38f6cf915

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
afe014eb7dec2e38cb8fdb55294617e0

SHA1
a8bd3119764217732c121a3aa4c83622a2f73824

SHA256
b0fedda813c0df6e29badd24db2abfb8e890416543b11d2e01ed0cb5f4b1a6eb

SHA512
ff9c9bc2eb2d78037bf0369a5bde77b75a02811d23ba94ed70e1e25ee14418907d13658e9a603d7371d978ca2ba157e26b9e381180306a4eaf8eeaba8631dedb

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
6e611396401c281bdc4b5107945c977e

SHA1
50b4424074d2e8ba36759d1a6638d5675fa57c32

SHA256
c682bbd3eb9f1c99a4c3d9264a73e0f03d7b0951d2596a6069e5d436a54e8ce3

SHA512
50509749a5726f650e92d9377e8fccf77b3ee1c9b73c7425df6613753ec0d65f29b1e5d5c7c379f4ec65b8102766cd2b4d382ad5b80452f902cf9c3c48d07218

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
0a68566dbb5131af2b5d2b934cffaafe

SHA1
5e15f63bb3483bc6573a1b5887e7b36ba6ebac75

SHA256
fc2d271c00ad11a83d6bbc9dec4df81ff6859ae659f6138edea087616f789c0c

SHA512
b81d11674a41532befe5f9a51805911095b9fbcdd0f5973a4ad723cf18fbe47f35f7b43591f514f3513f2e186517c2d166793821e86c153bd7c709557700bf8e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
f329af6032b2daf4d3a95ef13006da7d

SHA1
d050291cef55cb4b01e0c80b16e7bbaa68a268e2

SHA256
9fcf508e6922efeb465b4bf457deeb9a60207521bd9c6b9a3150fdaa64214854

SHA512
eb8a7d17254fd70b22bdd4d407d2b950189d34567ddc030a1ab630ac4023590fcccb446e2d49a3156b76014ab2ad3e8ec837670477ecc65bf10187922e2cf144

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
df4409393458fc17c8ef898939ce511a

SHA1
ddfb96c3aa264fdb3119a8c72dcecdefd1ea2c6c

SHA256
f4a8bdb855918933a3e77a95efbc0b3ca9cf8ca775cbc98447d5c5f07b5300b4

SHA512
f12dc4fde0b7facfc9f43288723d7def2926d45d806392e9ee4b47769217a19b041169abe834a3183bc3ea784655131e4b6bb7af7c20336f9614b7abc03b4bc4

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
f58178aef6be9bfdf36b4c920f80c65e

SHA1
adbe745b8f57f10e8724d945e3463ca97c9f7d83

SHA256
d97ad4f73152d3e97fd8cef08051417d1af756161332cd6e1b24810c026081e3

SHA512
1cdbf41af06399a28e165723640a1429fc7252c09b0a3d0d63d3ca37ee420000875d5501a949942a9da66ae4188fcfd1e08b0fccc7cf0ec18eb631666cb5c395

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
f58178aef6be9bfdf36b4c920f80c65e

SHA1
adbe745b8f57f10e8724d945e3463ca97c9f7d83

SHA256
d97ad4f73152d3e97fd8cef08051417d1af756161332cd6e1b24810c026081e3

SHA512
1cdbf41af06399a28e165723640a1429fc7252c09b0a3d0d63d3ca37ee420000875d5501a949942a9da66ae4188fcfd1e08b0fccc7cf0ec18eb631666cb5c395

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
b3d3ef7021357ad6e2089aa5da7b8724

SHA1
5ad6c9f6f3939a3aed2a5dbcbc1734452f8c88c9

SHA256
4b96c7e3cf746b0bbe267484961345fb5bd16985840cdf65190259e1ef549232

SHA512
b8834f33dc44ae539bdfe9f38faba962f286a62473c9f9b80b2e2013d3e26aca72a4810b49759d3fea6dc72b951a44ce8c8674f422a9ec63b824950e9ff9c387

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
e4f24a4f4e1c0b854e17b31c0197225c

SHA1
52b29421584e48ec8c7d8ea03273a8f69c0258be

SHA256
d0881ca039eaa1294b0a7d7b6a5e158bf4d9489961cbec424d1d545b03f895b5

SHA512
a08472b659a72f76013e704784c9e9bfbe80e62e1fa40e9260581b1753766d8b40db465b310b8940557ab709127225d34ff9934e80ca02f21f3159bac5e37c76

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
e4f24a4f4e1c0b854e17b31c0197225c

SHA1
52b29421584e48ec8c7d8ea03273a8f69c0258be

SHA256
d0881ca039eaa1294b0a7d7b6a5e158bf4d9489961cbec424d1d545b03f895b5

SHA512
a08472b659a72f76013e704784c9e9bfbe80e62e1fa40e9260581b1753766d8b40db465b310b8940557ab709127225d34ff9934e80ca02f21f3159bac5e37c76

Download Submit
C:\XK\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\desktop.ini

Filesize
217B

MD5
c00d8433fe598abff197e690231531e0

SHA1
4f6b87a4327ff5343e9e87275d505b9f145a7e42

SHA256
52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

SHA512
a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

Download Submit
memory/488-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/488-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1808-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3328-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4068-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download