a8bdf441f66ae68cb29a3bf532fbdd55d7b308cc1f2f6c87f1f038799d4f8f79

Analysis

max time kernel
168s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d4e8c93192040cf4021befba7c91fc40.exe
Size

2.6MB
MD5

d4e8c93192040cf4021befba7c91fc40
SHA1

10561adeed976e76a9ce078e65f5cd972b4316e8
SHA256

a8bdf441f66ae68cb29a3bf532fbdd55d7b308cc1f2f6c87f1f038799d4f8f79
SHA512

cb61405b7da55e979dc038918fe843151dedbce2035f5f9a107392e9a8135fdac9c5e36f59b40158eab96033cae644d47bec6ae85071e00f596c898d181dba12
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/z:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/z

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2828	explorer.exe
412	spoolsv.exe
1752	svchost.exe
2384	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

pid	Process
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
2828	explorer.exe
2828	explorer.exe
412	spoolsv.exe
1752	svchost.exe
2384	spoolsv.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe
1752	svchost.exe
2828	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	NEAS.d4e8c93192040cf4021befba7c91fc40.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2828	explorer.exe
1752	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe
2828	explorer.exe
2828	explorer.exe
2828	explorer.exe
412	spoolsv.exe
412	spoolsv.exe
412	spoolsv.exe
1752	svchost.exe
1752	svchost.exe
1752	svchost.exe
2384	spoolsv.exe
2384	spoolsv.exe
2384	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 2828	5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe	86
PID 5044 wrote to memory of 2828	5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe	86
PID 5044 wrote to memory of 2828	5044	NEAS.d4e8c93192040cf4021befba7c91fc40.exe	86
PID 2828 wrote to memory of 412	2828	explorer.exe	87
PID 2828 wrote to memory of 412	2828	explorer.exe	87
PID 2828 wrote to memory of 412	2828	explorer.exe	87
PID 412 wrote to memory of 1752	412	spoolsv.exe	88
PID 412 wrote to memory of 1752	412	spoolsv.exe	88
PID 412 wrote to memory of 1752	412	spoolsv.exe	88
PID 1752 wrote to memory of 2384	1752	svchost.exe	89
PID 1752 wrote to memory of 2384	1752	svchost.exe	89
PID 1752 wrote to memory of 2384	1752	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.d4e8c93192040cf4021befba7c91fc40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d4e8c93192040cf4021befba7c91fc40.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2828
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:412
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1752
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
04ec19642c0e97315a510bc82d16816c

SHA1
36a00d9b8eb061e25d38ad455c83fd2bb3f859e7

SHA256
cfea0d792ff2f864bacc7161cf7ae81d734d15e503271cd3f99be20620bca7eb

SHA512
e4238a3eb287895aa43a16a1c74aee30379a68c6a6045604bb08f73f638506f50b5f0a4a65a7c83137e1a12d2d056c264ded1727bcb15df6f553f6746f6e7384

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
e80ba8496fa1249f8112d4e9ab7b2c09

SHA1
2340dd07453237aec4c98819c3e8276f8c438535

SHA256
f8f2a140d4d51e8638d674e159e1c81a212567374f0392b2c83ad93a0b0630cd

SHA512
896b876812c86e04a514e92346acb9ca057c40b334d56f61c34fdcb74bfa5c0455d1b4d496fe61f81e0deeb52893f01219cb041563464f0cd86ff172aaf33642

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
e80ba8496fa1249f8112d4e9ab7b2c09

SHA1
2340dd07453237aec4c98819c3e8276f8c438535

SHA256
f8f2a140d4d51e8638d674e159e1c81a212567374f0392b2c83ad93a0b0630cd

SHA512
896b876812c86e04a514e92346acb9ca057c40b334d56f61c34fdcb74bfa5c0455d1b4d496fe61f81e0deeb52893f01219cb041563464f0cd86ff172aaf33642

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
e80ba8496fa1249f8112d4e9ab7b2c09

SHA1
2340dd07453237aec4c98819c3e8276f8c438535

SHA256
f8f2a140d4d51e8638d674e159e1c81a212567374f0392b2c83ad93a0b0630cd

SHA512
896b876812c86e04a514e92346acb9ca057c40b334d56f61c34fdcb74bfa5c0455d1b4d496fe61f81e0deeb52893f01219cb041563464f0cd86ff172aaf33642

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
f4d6eeb5b942086a54d9e64c8a93d876

SHA1
c21565b28ce8dc2e3600a0ee171959fd0ad027ca

SHA256
aab35905b4c9a160c539f1213ac6d14e38aaac8f1384b715acf4480e291db3db

SHA512
d586fd3e959f7ee69457359f14e00709451a000e6f899db02b7a1def283edc84263912684740f9624eac23813b8b3869a87de6d4f78f465ef7b80431944c461a

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
2.6MB

MD5
e80ba8496fa1249f8112d4e9ab7b2c09

SHA1
2340dd07453237aec4c98819c3e8276f8c438535

SHA256
f8f2a140d4d51e8638d674e159e1c81a212567374f0392b2c83ad93a0b0630cd

SHA512
896b876812c86e04a514e92346acb9ca057c40b334d56f61c34fdcb74bfa5c0455d1b4d496fe61f81e0deeb52893f01219cb041563464f0cd86ff172aaf33642

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
2.6MB

MD5
f4d6eeb5b942086a54d9e64c8a93d876

SHA1
c21565b28ce8dc2e3600a0ee171959fd0ad027ca

SHA256
aab35905b4c9a160c539f1213ac6d14e38aaac8f1384b715acf4480e291db3db

SHA512
d586fd3e959f7ee69457359f14e00709451a000e6f899db02b7a1def283edc84263912684740f9624eac23813b8b3869a87de6d4f78f465ef7b80431944c461a

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
2.6MB

MD5
04ec19642c0e97315a510bc82d16816c

SHA1
36a00d9b8eb061e25d38ad455c83fd2bb3f859e7

SHA256
cfea0d792ff2f864bacc7161cf7ae81d734d15e503271cd3f99be20620bca7eb

SHA512
e4238a3eb287895aa43a16a1c74aee30379a68c6a6045604bb08f73f638506f50b5f0a4a65a7c83137e1a12d2d056c264ded1727bcb15df6f553f6746f6e7384

Download Submit
memory/412-42-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/412-40-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/412-19-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/412-20-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1752-67-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1752-49-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1752-53-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1752-59-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1752-71-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1752-51-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1752-73-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1752-75-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1752-69-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1752-55-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1752-65-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1752-46-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1752-63-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1752-29-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1752-61-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2384-39-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2384-37-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2384-34-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-47-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-45-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2828-58-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-52-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-60-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-50-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-62-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-74-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-64-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-56-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-44-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-68-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-10-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/2828-70-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2828-72-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5044-41-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5044-43-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/5044-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/5044-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download