Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/10/2023, 20:39

General

  • Target

    NEAS.c5be765fb811ba6ee330ce34489c3e40.exe

  • Size

    206KB

  • MD5

    c5be765fb811ba6ee330ce34489c3e40

  • SHA1

    4c98496db0aa5c25bf5f940d449f3faa8e53dcf1

  • SHA256

    38e2284c1ff0b7feb38573a812bca812c278cc93b04f8540a8d6eb8cc7f55db1

  • SHA512

    b136e99cc54cd730b9643d4a407967f598fce2332430f51182e14d05182182aa452b5a4b1ecdb6663e429cf1e171e86bf2c74ce0c3627d0a4eb360296cf7ba74

  • SSDEEP

    3072:lvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un2u:lvEN2U+T6i5LirrllHy4HUcMQY64

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.c5be765fb811ba6ee330ce34489c3e40.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.c5be765fb811ba6ee330ce34489c3e40.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:716
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2892
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4812
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2180
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1444
          • C:\Windows\SysWOW64\at.exe
            at 04:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2004
          • C:\Windows\SysWOW64\at.exe
            at 06:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:4212
          • C:\Windows\SysWOW64\at.exe
            at 06:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:3672
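The process tree above shows the two behaviours a responder would want to hunt for across a fleet: three dropped copies running under the names explorer.exe, spoolsv.exe and svchost.exe from c:\windows\system\ (the real Explorer lives in C:\Windows, the real svchost.exe and spoolsv.exe in System32), and the legacy at.exe scheduler being used by the svchost.exe copy to relaunch itself daily with /interactive. The Python below is an added example written for this page, not part of the sandbox output. It runs both checks over a constructed set of process-creation events modelled on this tree; the event schema (dicts with pid, image and cmdline) is an assumption and should be mapped to your EDR's field names.

```python
"""Triage checks for the process tree in this report (added example, not sandbox output).
1. Masquerading: a well-known Windows binary name (explorer.exe, spoolsv.exe, svchost.exe)
   running from a path that is not one of its legitimate locations, e.g. c:\\windows\\system\\.
2. Legacy scheduler persistence: `at HH:MM [/interactive] /every:... <program>` where the
   program sits outside System32/SysWOW64, is a masquerade, or /interactive is used.
ASSUMPTION: events are dicts with "pid", "image", "cmdline"; map them to your EDR's fields.
"""
import ntpath
import re

# Legitimate on-disk locations for the three names abused in the report.
LEGIT_PATHS = {
    "explorer.exe": {"c:\\windows\\explorer.exe"},
    "svchost.exe": {"c:\\windows\\system32\\svchost.exe", "c:\\windows\\syswow64\\svchost.exe"},
    "spoolsv.exe": {"c:\\windows\\system32\\spoolsv.exe"},
}
# Trailing backslash matters: c:\windows\system\svchost.exe must not match c:\windows\system32\.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Accepts both `at 04:56 ...` (as the report shows it) and `"...\at.exe" 04:56 ...`.
AT_RE = re.compile(
    r'^(?:"?[^"\s]*at\.exe"?|at)\s+(?P<time>\d{1,2}:\d{2})\s+'
    r'(?P<opts>(?:/\S+\s+)*)(?P<cmd>.+?)\s*$', re.IGNORECASE)


def normalize(path):
    """Lower-case, drop quotes and the NT object-manager prefix (\\??\\) the sandbox shows."""
    p = path.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def is_masquerade(image):
    """True if the image name is tracked in LEGIT_PATHS but its path is not legitimate."""
    p = normalize(image)
    legit = LEGIT_PATHS.get(ntpath.basename(p))
    return legit is not None and p not in legit


def parse_at(cmdline):
    """Parse an at.exe scheduling command line; None if it is not one."""
    m = AT_RE.match(cmdline.strip())
    if not m:
        return None
    opts = m.group("opts").lower().split()
    every = next((o.split(":", 1)[1] for o in opts if o.startswith("/every:")), None)
    return {"time": m.group("time"), "interactive": "/interactive" in opts,
            "every": every, "command": normalize(m.group("cmd"))}


def suspicious_at(cmdline):
    """Return the parsed job if it deserves a look, else None."""
    job = parse_at(cmdline)
    if job is None:
        return None
    program = job["command"].split()[0]  # first token is the scheduled program
    if job["interactive"] or not program.startswith(TRUSTED_DIRS) or is_masquerade(program):
        return job
    return None


def triage(events):
    """Return (pid, finding, detail) for every suspicious process-creation event."""
    findings = []
    for ev in events:
        image = normalize(ev["image"])
        if is_masquerade(image):
            findings.append((ev["pid"], "masquerade", image))
        if ntpath.basename(image) == "at.exe":
            job = suspicious_at(ev["cmdline"])
            if job:
                findings.append((ev["pid"], "at-persistence", job["command"]))
    return findings


# Constructed events modelled on the report's process tree, plus two benign controls
# (the real Explorer and an ordinary at job).
SAMPLE_EVENTS = [
    {"pid": 716, "image": r"C:\Users\Admin\AppData\Local\Temp\NEAS.c5be765fb811ba6ee330ce34489c3e40.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\NEAS.c5be765fb811ba6ee330ce34489c3e40.exe"'},
    {"pid": 2892, "image": r"\??\c:\windows\system\explorer.exe", "cmdline": r"c:\windows\system\explorer.exe"},
    {"pid": 4812, "image": r"\??\c:\windows\system\spoolsv.exe", "cmdline": r"c:\windows\system\spoolsv.exe SE"},
    {"pid": 2180, "image": r"\??\c:\windows\system\svchost.exe", "cmdline": r"c:\windows\system\svchost.exe"},
    {"pid": 1444, "image": r"\??\c:\windows\system\spoolsv.exe", "cmdline": r"c:\windows\system\spoolsv.exe PR"},
    {"pid": 2004, "image": r"C:\Windows\SysWOW64\at.exe",
     "cmdline": r"at 04:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"},
    {"pid": 5000, "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 5001, "image": r"C:\Windows\System32\at.exe",
     "cmdline": r"at 23:00 /every:F c:\windows\system32\defrag.exe c:"},
]

if __name__ == "__main__":
    for pid, kind, detail in triage(SAMPLE_EVENTS):
        print(f"PID {pid:>5}  {kind:<15} {detail}")
```

Run stand-alone it prints five findings for the constructed events: four masquerades (PIDs 2892, 4812, 2180 and 1444) and one at.exe persistence job (PID 2004); the two benign controls produce nothing. Two details matter when porting this to real telemetry: the sandbox prints dropped-file paths with the NT object-manager prefix (\??\), which normalize() strips before comparison, and c:\windows\system\ is a string prefix of c:\windows\system32\, which is why every entry in TRUSTED_DIRS ends with a backslash.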

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Roaming\mrsys.exe

                Filesize

                207KB

                MD5

                88fb2e434b819f656a37e90489dcf6b2

                SHA1

                e4b44eb5edc8de83f153a89fd826935e0dd05230

                SHA256

                5d88a6410e61083d9b830df4f8ed282da0f849c07b829c9c7262d5794c25936e

                SHA512

                011d6dcf1e8ec242a0c94a2cffa06074a136d4db4009d5ffc96f5b69a13235ad6a0502dcd0d437aa4fcc0277434ae663ac9753b0ffa4dec58c7b3ce0a6271752

              • C:\Windows\System\explorer.exe

                Filesize

                206KB

                MD5

                efac96747d8dde6166274d7bb032fb5e

                SHA1

                9ff34a90051d7c713d67d8158f356fed46018179

                SHA256

                f32b02744f1ad777e54ea668005530eb96f2eb7c9ed7f5d62f06aa32de0c1f26

                SHA512

                b581b9f68caef0b63bdbd1cd85baec031e6450952b990ef076dbe0cbd6de4e29cc77d536421abb0668a5722df1f4ce55434b59a8615d68790aba651e72cbaa54

              • C:\Windows\System\spoolsv.exe

                Filesize

                206KB

                MD5

                c79155f4f832a65b5e7b182ec7c32242

                SHA1

                94ce2a49a4bb8da3048cffcaa71d0b942083e219

                SHA256

                f99042459f4a0777691249211de881fe3aecdd5ac1f582679ae337660d1b6b8f

                SHA512

                289d9eb0116698dec1243539150da029cc140b484852401813317251a0680ec98616bb4a613586915c057c12cbb9c6c60bfe6df027bbb8725d9d094d667a6b80

              • C:\Windows\System\spoolsv.exe

                Filesize

                206KB

                MD5

                c79155f4f832a65b5e7b182ec7c32242

                SHA1

                94ce2a49a4bb8da3048cffcaa71d0b942083e219

                SHA256

                f99042459f4a0777691249211de881fe3aecdd5ac1f582679ae337660d1b6b8f

                SHA512

                289d9eb0116698dec1243539150da029cc140b484852401813317251a0680ec98616bb4a613586915c057c12cbb9c6c60bfe6df027bbb8725d9d094d667a6b80

              • C:\Windows\System\spoolsv.exe

                Filesize

                206KB

                MD5

                c79155f4f832a65b5e7b182ec7c32242

                SHA1

                94ce2a49a4bb8da3048cffcaa71d0b942083e219

                SHA256

                f99042459f4a0777691249211de881fe3aecdd5ac1f582679ae337660d1b6b8f

                SHA512

                289d9eb0116698dec1243539150da029cc140b484852401813317251a0680ec98616bb4a613586915c057c12cbb9c6c60bfe6df027bbb8725d9d094d667a6b80

              • C:\Windows\System\svchost.exe

                Filesize

                206KB

                MD5

                d8f680a25d9fcfcc41bab905cc244f6a

                SHA1

                7024a466783f36dcff949a25836d75a1c155033e

                SHA256

                c046f5a1827d94caf4b32aa1281c272fb92e71787a4390a600f9907fdc0846af

                SHA512

                a6003a67bf9873d9d0036577c832052906717db3caa40ea8d5b7b2e02e4f8a06f607a1ef62e8ebda185dff568886a98c5e207ad67526fadea4c47a86e3d510bb

              • \??\c:\windows\system\explorer.exe

                Filesize

                206KB

                MD5

                efac96747d8dde6166274d7bb032fb5e

                SHA1

                9ff34a90051d7c713d67d8158f356fed46018179

                SHA256

                f32b02744f1ad777e54ea668005530eb96f2eb7c9ed7f5d62f06aa32de0c1f26

                SHA512

                b581b9f68caef0b63bdbd1cd85baec031e6450952b990ef076dbe0cbd6de4e29cc77d536421abb0668a5722df1f4ce55434b59a8615d68790aba651e72cbaa54

              • \??\c:\windows\system\spoolsv.exe

                Filesize

                206KB

                MD5

                c79155f4f832a65b5e7b182ec7c32242

                SHA1

                94ce2a49a4bb8da3048cffcaa71d0b942083e219

                SHA256

                f99042459f4a0777691249211de881fe3aecdd5ac1f582679ae337660d1b6b8f

                SHA512

                289d9eb0116698dec1243539150da029cc140b484852401813317251a0680ec98616bb4a613586915c057c12cbb9c6c60bfe6df027bbb8725d9d094d667a6b80

              • \??\c:\windows\system\svchost.exe

                Filesize

                206KB

                MD5

                d8f680a25d9fcfcc41bab905cc244f6a

                SHA1

                7024a466783f36dcff949a25836d75a1c155033e

                SHA256

                c046f5a1827d94caf4b32aa1281c272fb92e71787a4390a600f9907fdc0846af

                SHA512

                a6003a67bf9873d9d0036577c832052906717db3caa40ea8d5b7b2e02e4f8a06f607a1ef62e8ebda185dff568886a98c5e207ad67526fadea4c47a86e3d510bb

              • memory/716-0-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

              • memory/716-36-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

              • memory/1444-32-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

              • memory/2180-39-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

              • memory/2892-38-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

              • memory/4812-35-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB