45adf5ec60fc488c46bea8d719c14e8f7c12d343c2288bae8608d4db5a71faef

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
Size

135KB
MD5

4ea1a42d62bbcce91284af6179e470a0
SHA1

15bc5f47c736f13996b603c4c48803cf8dcc0c19
SHA256

45adf5ec60fc488c46bea8d719c14e8f7c12d343c2288bae8608d4db5a71faef
SHA512

176debb9aba1561ca8b067e25bfff3e83b984d0c53ab96b37e704d83f7c5e89c6c51e57cf3aabda290c620fc246ede86d532acad25bb329dd0701eb1ac172d86
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVBXf:UVqoCl/YgjxEufVU0TbTyDDalnf

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2376	explorer.exe
2636	spoolsv.exe
2660	svchost.exe
2904	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2376	explorer.exe
2636	spoolsv.exe
2660	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2620	schtasks.exe
3032	schtasks.exe
1028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2376	explorer.exe
2660	svchost.exe
2660	svchost.exe
2376	explorer.exe
2660	svchost.exe
2376	explorer.exe
2660	svchost.exe
2376	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2376	explorer.exe
2660	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
2376	explorer.exe
2376	explorer.exe
2636	spoolsv.exe
2636	spoolsv.exe
2660	svchost.exe
2660	svchost.exe
2904	spoolsv.exe
2904	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2376	2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe	29
PID 2180 wrote to memory of 2376	2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe	29
PID 2180 wrote to memory of 2376	2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe	29
PID 2180 wrote to memory of 2376	2180	NEAS.4ea1a42d62bbcce91284af6179e470a0.exe	29
PID 2376 wrote to memory of 2636	2376	explorer.exe	30
PID 2376 wrote to memory of 2636	2376	explorer.exe	30
PID 2376 wrote to memory of 2636	2376	explorer.exe	30
PID 2376 wrote to memory of 2636	2376	explorer.exe	30
PID 2636 wrote to memory of 2660	2636	spoolsv.exe	31
PID 2636 wrote to memory of 2660	2636	spoolsv.exe	31
PID 2636 wrote to memory of 2660	2636	spoolsv.exe	31
PID 2636 wrote to memory of 2660	2636	spoolsv.exe	31
PID 2660 wrote to memory of 2904	2660	svchost.exe	32
PID 2660 wrote to memory of 2904	2660	svchost.exe	32
PID 2660 wrote to memory of 2904	2660	svchost.exe	32
PID 2660 wrote to memory of 2904	2660	svchost.exe	32
PID 2376 wrote to memory of 2544	2376	explorer.exe	33
PID 2376 wrote to memory of 2544	2376	explorer.exe	33
PID 2376 wrote to memory of 2544	2376	explorer.exe	33
PID 2376 wrote to memory of 2544	2376	explorer.exe	33
PID 2660 wrote to memory of 2620	2660	svchost.exe	34
PID 2660 wrote to memory of 2620	2660	svchost.exe	34
PID 2660 wrote to memory of 2620	2660	svchost.exe	34
PID 2660 wrote to memory of 2620	2660	svchost.exe	34
PID 2660 wrote to memory of 3032	2660	svchost.exe	39
PID 2660 wrote to memory of 3032	2660	svchost.exe	39
PID 2660 wrote to memory of 3032	2660	svchost.exe	39
PID 2660 wrote to memory of 3032	2660	svchost.exe	39
PID 2660 wrote to memory of 1028	2660	svchost.exe	41
PID 2660 wrote to memory of 1028	2660	svchost.exe	41
PID 2660 wrote to memory of 1028	2660	svchost.exe	41
PID 2660 wrote to memory of 1028	2660	svchost.exe	41

C:\Users\Admin\AppData\Local\Temp\NEAS.4ea1a42d62bbcce91284af6179e470a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4ea1a42d62bbcce91284af6179e470a0.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2376
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2660
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2904
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:11 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2620
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:12 /f
        5⤵
        Creates scheduled task(s)
        
        PID:3032
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:13 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1028
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
abcd8a1f81303fc11e9e5f535235f85d

SHA1
0321743f153c511f1f79a3230fc93ef5389ad69f

SHA256
beae3ae4f5fb563da3ad5f256bdf9b2b9321c16d66ff8700596529a448cb3d7b

SHA512
a2340df570a2eab61ff75325fc48a2c3283378ef6ee05e77c851da412b26ae528a3fe7677c356a4c1901833742ed6be6379b2a9f92cdbdc788e66ac756ba8653

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
602473bf6464f2fafa542bdca61005b1

SHA1
8f0f6dc3cb25181010f53f90429269317b9a4b40

SHA256
030918e129c720bafd2e93e31c4d4d872759b0986605cb0619856353746506cb

SHA512
caa05a6eb4f5873656a92ce6c7622810bacc533e7ec97238a0d28151b238d06dce4d25a18587cf6f104521d42f0fd48ad35f9f52ee971aead580bb07d3ecbd73

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
602473bf6464f2fafa542bdca61005b1

SHA1
8f0f6dc3cb25181010f53f90429269317b9a4b40

SHA256
030918e129c720bafd2e93e31c4d4d872759b0986605cb0619856353746506cb

SHA512
caa05a6eb4f5873656a92ce6c7622810bacc533e7ec97238a0d28151b238d06dce4d25a18587cf6f104521d42f0fd48ad35f9f52ee971aead580bb07d3ecbd73

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
602473bf6464f2fafa542bdca61005b1

SHA1
8f0f6dc3cb25181010f53f90429269317b9a4b40

SHA256
030918e129c720bafd2e93e31c4d4d872759b0986605cb0619856353746506cb

SHA512
caa05a6eb4f5873656a92ce6c7622810bacc533e7ec97238a0d28151b238d06dce4d25a18587cf6f104521d42f0fd48ad35f9f52ee971aead580bb07d3ecbd73

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
1e095be29e82439208f039140c7b1ea7

SHA1
f38f71fb91779669a934e2548fcfc641bf1c7c51

SHA256
e9d1ae553bb9dc43af2615c258aca6f68df754f3c582d79a4ad649c7020dc82b

SHA512
bad76311549c01c126fcc3cd85812aeb560ffd8f576d5e146fe81cf54d375890825b0559b25c82dddec788d98244187dfb348f0a675cb8b6f955c364d47e60e5

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
602473bf6464f2fafa542bdca61005b1

SHA1
8f0f6dc3cb25181010f53f90429269317b9a4b40

SHA256
030918e129c720bafd2e93e31c4d4d872759b0986605cb0619856353746506cb

SHA512
caa05a6eb4f5873656a92ce6c7622810bacc533e7ec97238a0d28151b238d06dce4d25a18587cf6f104521d42f0fd48ad35f9f52ee971aead580bb07d3ecbd73

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
1e095be29e82439208f039140c7b1ea7

SHA1
f38f71fb91779669a934e2548fcfc641bf1c7c51

SHA256
e9d1ae553bb9dc43af2615c258aca6f68df754f3c582d79a4ad649c7020dc82b

SHA512
bad76311549c01c126fcc3cd85812aeb560ffd8f576d5e146fe81cf54d375890825b0559b25c82dddec788d98244187dfb348f0a675cb8b6f955c364d47e60e5

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
abcd8a1f81303fc11e9e5f535235f85d

SHA1
0321743f153c511f1f79a3230fc93ef5389ad69f

SHA256
beae3ae4f5fb563da3ad5f256bdf9b2b9321c16d66ff8700596529a448cb3d7b

SHA512
a2340df570a2eab61ff75325fc48a2c3283378ef6ee05e77c851da412b26ae528a3fe7677c356a4c1901833742ed6be6379b2a9f92cdbdc788e66ac756ba8653

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
abcd8a1f81303fc11e9e5f535235f85d

SHA1
0321743f153c511f1f79a3230fc93ef5389ad69f

SHA256
beae3ae4f5fb563da3ad5f256bdf9b2b9321c16d66ff8700596529a448cb3d7b

SHA512
a2340df570a2eab61ff75325fc48a2c3283378ef6ee05e77c851da412b26ae528a3fe7677c356a4c1901833742ed6be6379b2a9f92cdbdc788e66ac756ba8653

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
602473bf6464f2fafa542bdca61005b1

SHA1
8f0f6dc3cb25181010f53f90429269317b9a4b40

SHA256
030918e129c720bafd2e93e31c4d4d872759b0986605cb0619856353746506cb

SHA512
caa05a6eb4f5873656a92ce6c7622810bacc533e7ec97238a0d28151b238d06dce4d25a18587cf6f104521d42f0fd48ad35f9f52ee971aead580bb07d3ecbd73

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
602473bf6464f2fafa542bdca61005b1

SHA1
8f0f6dc3cb25181010f53f90429269317b9a4b40

SHA256
030918e129c720bafd2e93e31c4d4d872759b0986605cb0619856353746506cb

SHA512
caa05a6eb4f5873656a92ce6c7622810bacc533e7ec97238a0d28151b238d06dce4d25a18587cf6f104521d42f0fd48ad35f9f52ee971aead580bb07d3ecbd73

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
1e095be29e82439208f039140c7b1ea7

SHA1
f38f71fb91779669a934e2548fcfc641bf1c7c51

SHA256
e9d1ae553bb9dc43af2615c258aca6f68df754f3c582d79a4ad649c7020dc82b

SHA512
bad76311549c01c126fcc3cd85812aeb560ffd8f576d5e146fe81cf54d375890825b0559b25c82dddec788d98244187dfb348f0a675cb8b6f955c364d47e60e5

Download Submit
memory/2180-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2180-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2636-28-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2636-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-45-0x00000000002C0000-0x00000000002DF000-memory.dmp

Filesize
124KB

Download
memory/2904-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download