Analysis

  • max time kernel
    170s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/10/2023, 20:43

General

  • Target

    NEAS.d1976932d4b0b006ba9e89ccf9de0ed0.exe

  • Size

    206KB

  • MD5

    d1976932d4b0b006ba9e89ccf9de0ed0

  • SHA1

    f87183c597a017076f9215d03a6ee68aa7539b4e

  • SHA256

    342a4030fe6fa8f8d64c2de0a25f4162e241802a283475d1c6758dcb3eede82d

  • SHA512

    68656f747ebee2aaa9d6b98fcf34ca8633f08291c4a7d65664b9db41232aaf879bc440a5d054cca95de3f1baea13b3a3ca295c10ff44401167ad3a86b23e27e2

  • SSDEEP

    3072:NvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unFAU:NvEN2U+T6i5LirrllHy4HUcMQY6NU

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in Windows directory (6 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.d1976932d4b0b006ba9e89ccf9de0ed0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.d1976932d4b0b006ba9e89ccf9de0ed0.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3304
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1496
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3064
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5048
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3452
          • C:\Windows\SysWOW64\at.exe
            at 05:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:4708
          • C:\Windows\SysWOW64\at.exe
            at 05:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:2272
          • C:\Windows\SysWOW64\at.exe
            at 05:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            PID:4912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize: 206KB
    MD5: 66e654d182fd11727210444d15f6b778
    SHA1: ba78eca8f9f82f7f82001ce014086e11c6525960
    SHA256: fbbfac7ee21cf5e93d50b3146a44198cf7d8c5ae5bd47e4e60837aa9ca18468f
    SHA512: 5ee1955a46d484389611f70b9d2bdbea63d952bfb8efc3256a706857199b4855970611064da0b3f0519be8c70ae80f6f1f412fba743cb7500b396cf68e3d3916

  • C:\Windows\System\explorer.exe
    Filesize: 207KB
    MD5: 3ce5580c65ce9a2517b8ee0da2082cce
    SHA1: 3a5b0b5b1fc4d451c7b8be4d18016f5181360fb5
    SHA256: e627b321d62f94b86bab29a6fac60755c9ce3751081f86944c62359dda7b3d3a
    SHA512: e8dbd02821dfb92f2588e052d091c5c5896ca5ea79e10ddd9e6a2df7593c5ddef09c725c551fa60e8c10c157840a5abd2d773728d67cf8cb6f09ad57a3fb8ba1

  • C:\Windows\System\spoolsv.exe
    Filesize: 206KB
    MD5: 8bacbf7e82dc04656b5b5afcec6f91f0
    SHA1: dc72e2328442e4d66836bcf2171e51ad5fe9dfca
    SHA256: 5c680ff60ba071ea225b6e69d2d6082017a206fed499866e6dc9f646e5f2faca
    SHA512: 28ac9a704bcaf75bda535e3865958dcf1768155f3754901b2816c2676adb457ebef90198fd790f052463d16c3aa4ca27d41d4ade5854abe28bc72641701431d0


  • C:\Windows\System\svchost.exe
    Filesize: 206KB
    MD5: 7354be6aed715928252b528941ba65d9
    SHA1: ef08cf62b50e5fc1e0c2e8b1cd7de1502a4f2f7a
    SHA256: 923a0436e723db5847c0cd0f15dd7484dfd8acbd78c034fc6387b3a9a454c979
    SHA512: 1ce5359b5381bce1da9e031870039b037ab24b7be143411421e6ba8a8e844a27df5de8ea56c5c44b9507d87d75de22c6b204917846b354bd115dee1f8f353344

  • \??\c:\windows\system\explorer.exe
    Filesize: 207KB
    MD5: 3ce5580c65ce9a2517b8ee0da2082cce
    SHA1: 3a5b0b5b1fc4d451c7b8be4d18016f5181360fb5
    SHA256: e627b321d62f94b86bab29a6fac60755c9ce3751081f86944c62359dda7b3d3a
    SHA512: e8dbd02821dfb92f2588e052d091c5c5896ca5ea79e10ddd9e6a2df7593c5ddef09c725c551fa60e8c10c157840a5abd2d773728d67cf8cb6f09ad57a3fb8ba1

  • \??\c:\windows\system\spoolsv.exe
    Filesize: 206KB
    MD5: 8bacbf7e82dc04656b5b5afcec6f91f0
    SHA1: dc72e2328442e4d66836bcf2171e51ad5fe9dfca
    SHA256: 5c680ff60ba071ea225b6e69d2d6082017a206fed499866e6dc9f646e5f2faca
    SHA512: 28ac9a704bcaf75bda535e3865958dcf1768155f3754901b2816c2676adb457ebef90198fd790f052463d16c3aa4ca27d41d4ade5854abe28bc72641701431d0

  • \??\c:\windows\system\svchost.exe
    Filesize: 206KB
    MD5: 7354be6aed715928252b528941ba65d9
    SHA1: ef08cf62b50e5fc1e0c2e8b1cd7de1502a4f2f7a
    SHA256: 923a0436e723db5847c0cd0f15dd7484dfd8acbd78c034fc6387b3a9a454c979
    SHA512: 1ce5359b5381bce1da9e031870039b037ab24b7be143411421e6ba8a8e844a27df5de8ea56c5c44b9507d87d75de22c6b204917846b354bd115dee1f8f353344

  • memory/1496-38-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize: 256KB

  • memory/3064-35-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize: 256KB

  • memory/3304-0-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize: 256KB

  • memory/3304-36-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize: 256KB

  • memory/3452-32-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize: 256KB

  • memory/5048-39-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize: 256KB