0239576a5442f3ef88c8c6d962df0ae5d2e5d04d8a2bd74aaf420c1072dd5619

Analysis

max time kernel
161s
max time network
139s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.45e261592af630d896b8e50a90154890.exe
Size

204KB
MD5

45e261592af630d896b8e50a90154890
SHA1

87e285f26e70e4c205a9df54873e6b2ebf543bd0
SHA256

0239576a5442f3ef88c8c6d962df0ae5d2e5d04d8a2bd74aaf420c1072dd5619
SHA512

0b1d8518fe9439ed561dca6fc2871902f5d02df36230e62dede3c7a87ce9b1a5677fb821a1bb6a1e05e1cc1687d40c0415e22d4fec4ea692179ace65f1511107
SSDEEP

3072:WmnW8pxS0tQ9nLHbB9W0c1TqECzR/mkSYGrl9ymgYUWLn:xWixS4QxL7B9W0c1RCzR/fSmlK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.45e261592af630d896b8e50a90154890.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	naaifo.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	naaifo.exe

Loads dropped DLL 2 IoCs

pid	Process
2260	NEAS.45e261592af630d896b8e50a90154890.exe
2260	NEAS.45e261592af630d896b8e50a90154890.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /n"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /g"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /e"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /j"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /c"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /u"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /m"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /o"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /f"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /q"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /i"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /p"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /v"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /z"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /b"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /r"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /y"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /s"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /y"	NEAS.45e261592af630d896b8e50a90154890.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /d"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /w"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /t"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /h"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /k"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /l"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /x"	naaifo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\naaifo = "C:\\Users\\Admin\\naaifo.exe /a"	naaifo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2260	NEAS.45e261592af630d896b8e50a90154890.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe
2616	naaifo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2260	NEAS.45e261592af630d896b8e50a90154890.exe
2616	naaifo.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2616	2260	NEAS.45e261592af630d896b8e50a90154890.exe	29
PID 2260 wrote to memory of 2616	2260	NEAS.45e261592af630d896b8e50a90154890.exe	29
PID 2260 wrote to memory of 2616	2260	NEAS.45e261592af630d896b8e50a90154890.exe	29
PID 2260 wrote to memory of 2616	2260	NEAS.45e261592af630d896b8e50a90154890.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.45e261592af630d896b8e50a90154890.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.45e261592af630d896b8e50a90154890.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\naaifo.exe
  "C:\Users\Admin\naaifo.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\naaifo.exe

Filesize
204KB

MD5
3f5c8e3c6dd26b4ca72408a03369cdbb

SHA1
8526604f15dfd7be3dfbe26d7da2567ccb2155a2

SHA256
3dcb8c41a632d54e55595129d3a18e1307b42590745edf0fdd618ce06149874a

SHA512
da2afd1f8241beecc58bccd50dbe7ae30199d5af729835e99c43b934c21738cfa58ad1971b50361cc856a805f42d4a0116cd8847294b98da3033cfba7d4515e8

Download Submit
C:\Users\Admin\naaifo.exe

Filesize
204KB

MD5
3f5c8e3c6dd26b4ca72408a03369cdbb

SHA1
8526604f15dfd7be3dfbe26d7da2567ccb2155a2

SHA256
3dcb8c41a632d54e55595129d3a18e1307b42590745edf0fdd618ce06149874a

SHA512
da2afd1f8241beecc58bccd50dbe7ae30199d5af729835e99c43b934c21738cfa58ad1971b50361cc856a805f42d4a0116cd8847294b98da3033cfba7d4515e8

Download Submit
C:\Users\Admin\naaifo.exe

Filesize
204KB

MD5
3f5c8e3c6dd26b4ca72408a03369cdbb

SHA1
8526604f15dfd7be3dfbe26d7da2567ccb2155a2

SHA256
3dcb8c41a632d54e55595129d3a18e1307b42590745edf0fdd618ce06149874a

SHA512
da2afd1f8241beecc58bccd50dbe7ae30199d5af729835e99c43b934c21738cfa58ad1971b50361cc856a805f42d4a0116cd8847294b98da3033cfba7d4515e8

Download Submit
\Users\Admin\naaifo.exe

Filesize
204KB

MD5
3f5c8e3c6dd26b4ca72408a03369cdbb

SHA1
8526604f15dfd7be3dfbe26d7da2567ccb2155a2

SHA256
3dcb8c41a632d54e55595129d3a18e1307b42590745edf0fdd618ce06149874a

SHA512
da2afd1f8241beecc58bccd50dbe7ae30199d5af729835e99c43b934c21738cfa58ad1971b50361cc856a805f42d4a0116cd8847294b98da3033cfba7d4515e8

Download Submit
\Users\Admin\naaifo.exe

Filesize
204KB

MD5
3f5c8e3c6dd26b4ca72408a03369cdbb

SHA1
8526604f15dfd7be3dfbe26d7da2567ccb2155a2

SHA256
3dcb8c41a632d54e55595129d3a18e1307b42590745edf0fdd618ce06149874a

SHA512
da2afd1f8241beecc58bccd50dbe7ae30199d5af729835e99c43b934c21738cfa58ad1971b50361cc856a805f42d4a0116cd8847294b98da3033cfba7d4515e8

Download Submit