Overview

overview

8

Static

static

7

NEAS.296d3...70.exe

windows7-x64

8

NEAS.296d3...70.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    154s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2023 17:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.296d390d5729be1bf51c361c1968e570.exe

  • Size

    2.4MB

  • MD5

    296d390d5729be1bf51c361c1968e570

  • SHA1

    ba71371c700c51d3cb19fa9f398120b6870ac818

  • SHA256

    b20b0a6814a33cf37e3be53c99c1bfb40092545ef6cabf6b75cfd13e43aa172e

  • SHA512

    7e7fc6ea660fbc8608888cf91f2b9e0d5adf1bb3faf06b092f2d48475d3dcadad94d8e5c01e389e8c55b1f426698d359059fe0a02778574e74059c1397c6d4c6

  • SSDEEP

    49152:ZE13D8c4GG/jfKCfGgY1zpjG6xiYfFzKeAxk:8Ho/OKG91zpC6xiYfFWe7

Score
8/10
persistenceupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies registry class 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.296d390d5729be1bf51c361c1968e570.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.296d390d5729be1bf51c361c1968e570.exe"
    1⤵
      PID:2468
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2432

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2432-1-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2432-3-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2432-7-0x0000000002690000-0x00000000026A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2468-0-0x00000000002E0000-0x000000000048D000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2468-2-0x00000000002E0000-0x000000000048D000-memory.dmp

      Filesize

      1.7MB

      Download