3b24b1c06cdd54a9f8912e9eb0b8482503e7174596a97dd535f3ad7965799fbc

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b016230067411a11d2a2dcf179072330.exe
Size

196KB
MD5

b016230067411a11d2a2dcf179072330
SHA1

ef613a6e62d7bfd59e8700f6d0fca7108ab7b46f
SHA256

3b24b1c06cdd54a9f8912e9eb0b8482503e7174596a97dd535f3ad7965799fbc
SHA512

37e1228075cbb1321680d56a2d35398504fc351092664fab5838446d94d44968dc41c498cc0547b3f771a9478cd2b6dd6a2cb2c018b8103b9a514585d02e4ecb
SSDEEP

3072:ZOgUXoutNHxZVX4/awxfodLJUBv9Bsor1rHjhMU9npQQpmuG:ZFYoShRARoYlld9n2Qpmx

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.b016230067411a11d2a2dcf179072330.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.b016230067411a11d2a2dcf179072330.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.b016230067411a11d2a2dcf179072330.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.b016230067411a11d2a2dcf179072330.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
4404	xk.exe
1088	IExplorer.exe
4180	xk.exe
1052	IExplorer.exe
548	WINLOGON.EXE
1448	CSRSS.EXE
3592	SERVICES.EXE
2596	LSASS.EXE
3340	SMSS.EXE
4056	WINLOGON.EXE
4864	CSRSS.EXE
1044	SERVICES.EXE
3872	LSASS.EXE
5032	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3964-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231d6-8.dat	upx
behavioral2/files/0x00060000000231da-106.dat	upx
behavioral2/files/0x00060000000231da-107.dat	upx
behavioral2/files/0x00060000000231de-113.dat	upx
behavioral2/files/0x00060000000231de-112.dat	upx
behavioral2/memory/4404-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/1088-114-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/1088-117-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/3964-135-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231da-172.dat	upx
behavioral2/memory/4180-178-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231de-177.dat	upx
behavioral2/memory/1052-181-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231e0-183.dat	upx
behavioral2/files/0x00060000000231e0-184.dat	upx
behavioral2/memory/548-187-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231e1-189.dat	upx
behavioral2/files/0x00060000000231e1-190.dat	upx
behavioral2/memory/1448-193-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231e2-196.dat	upx
behavioral2/files/0x00060000000231e2-195.dat	upx
behavioral2/memory/3592-197-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/3592-200-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231e3-202.dat	upx
behavioral2/files/0x00060000000231e3-203.dat	upx
behavioral2/memory/2596-206-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231e4-208.dat	upx
behavioral2/files/0x00060000000231e4-209.dat	upx
behavioral2/memory/3340-212-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/3964-238-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231e0-240.dat	upx
behavioral2/memory/4056-244-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231e1-274.dat	upx
behavioral2/memory/4864-277-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231e2-278.dat	upx
behavioral2/memory/1044-281-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231e3-311.dat	upx
behavioral2/memory/3872-315-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00060000000231e4-316.dat	upx
behavioral2/memory/5032-319-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/3964-320-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	NEAS.b016230067411a11d2a2dcf179072330.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	C:\desktop.ini	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened for modification	F:\desktop.ini	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	F:\desktop.ini	NEAS.b016230067411a11d2a2dcf179072330.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\E:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\U:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\X:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\L:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\O:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\G:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\H:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\I:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\J:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\M:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\P:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\Q:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\R:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\S:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\W:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\Z:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\K:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\N:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\T:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\V:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\Y:	NEAS.b016230067411a11d2a2dcf179072330.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	C:\Windows\SysWOW64\shell.exe	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	C:\Windows\SysWOW64\Mig2.scr	NEAS.b016230067411a11d2a2dcf179072330.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	C:\Windows\xk.exe	NEAS.b016230067411a11d2a2dcf179072330.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\Desktop\	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	NEAS.b016230067411a11d2a2dcf179072330.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3964	NEAS.b016230067411a11d2a2dcf179072330.exe
3964	NEAS.b016230067411a11d2a2dcf179072330.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3964	NEAS.b016230067411a11d2a2dcf179072330.exe
4404	xk.exe
1088	IExplorer.exe
4180	xk.exe
1052	IExplorer.exe
548	WINLOGON.EXE
1448	CSRSS.EXE
3592	SERVICES.EXE
2596	LSASS.EXE
3340	SMSS.EXE
4056	WINLOGON.EXE
4864	CSRSS.EXE
1044	SERVICES.EXE
3872	LSASS.EXE
5032	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 4404	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	90
PID 3964 wrote to memory of 4404	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	90
PID 3964 wrote to memory of 4404	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	90
PID 3964 wrote to memory of 1088	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	91
PID 3964 wrote to memory of 1088	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	91
PID 3964 wrote to memory of 1088	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	91
PID 3964 wrote to memory of 4180	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	93
PID 3964 wrote to memory of 4180	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	93
PID 3964 wrote to memory of 4180	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	93
PID 3964 wrote to memory of 1052	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	95
PID 3964 wrote to memory of 1052	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	95
PID 3964 wrote to memory of 1052	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	95
PID 3964 wrote to memory of 548	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	97
PID 3964 wrote to memory of 548	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	97
PID 3964 wrote to memory of 548	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	97
PID 3964 wrote to memory of 1448	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	98
PID 3964 wrote to memory of 1448	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	98
PID 3964 wrote to memory of 1448	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	98
PID 3964 wrote to memory of 3592	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	99
PID 3964 wrote to memory of 3592	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	99
PID 3964 wrote to memory of 3592	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	99
PID 3964 wrote to memory of 2596	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	100
PID 3964 wrote to memory of 2596	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	100
PID 3964 wrote to memory of 2596	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	100
PID 3964 wrote to memory of 3340	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	101
PID 3964 wrote to memory of 3340	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	101
PID 3964 wrote to memory of 3340	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	101
PID 3964 wrote to memory of 4056	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	104
PID 3964 wrote to memory of 4056	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	104
PID 3964 wrote to memory of 4056	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	104
PID 3964 wrote to memory of 4864	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	109
PID 3964 wrote to memory of 4864	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	109
PID 3964 wrote to memory of 4864	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	109
PID 3964 wrote to memory of 1044	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	110
PID 3964 wrote to memory of 1044	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	110
PID 3964 wrote to memory of 1044	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	110
PID 3964 wrote to memory of 3872	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	113
PID 3964 wrote to memory of 3872	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	113
PID 3964 wrote to memory of 3872	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	113
PID 3964 wrote to memory of 5032	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	114
PID 3964 wrote to memory of 5032	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	114
PID 3964 wrote to memory of 5032	3964	NEAS.b016230067411a11d2a2dcf179072330.exe	114

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.b016230067411a11d2a2dcf179072330.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.b016230067411a11d2a2dcf179072330.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b016230067411a11d2a2dcf179072330.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3964
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4404
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1088
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4180
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1052
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:548
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1448
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3592
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2596
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3340
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4056
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4864
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1044
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3872
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
5e61fadc4f9ea55c67f090f995b191dd

SHA1
04984d5bc83d84cf43f3b74ac52741e0e5521ebf

SHA256
f3c63b4bcf1856137438ab5b66e8f43cb5a20013a0dc4f3b1172d22ce6255a84

SHA512
745c04d09b97665cf87ecc16c3507e924e6c228deedaec4ebeeab2458533962a2b0467d25b22e1dd7c75983f6a8ab80050b438db52b11870fc39def38e7640b3

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
5e61fadc4f9ea55c67f090f995b191dd

SHA1
04984d5bc83d84cf43f3b74ac52741e0e5521ebf

SHA256
f3c63b4bcf1856137438ab5b66e8f43cb5a20013a0dc4f3b1172d22ce6255a84

SHA512
745c04d09b97665cf87ecc16c3507e924e6c228deedaec4ebeeab2458533962a2b0467d25b22e1dd7c75983f6a8ab80050b438db52b11870fc39def38e7640b3

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
de12233a479d1879abc637f84435d4fa

SHA1
5dbc5866c553a831c902f0809fe70f52706ccc2b

SHA256
579aa50fd947a90701f5e912155e12004b383ce59cf35041c7e8ced21787396c

SHA512
a33cd96409b7ee7405151578a39f22192604b7c3524172cf55b1541382442d378cdce860bc3bb541b6b638e32a4edfff3ab22b84155d2e8a584f0d680f6faae9

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
de12233a479d1879abc637f84435d4fa

SHA1
5dbc5866c553a831c902f0809fe70f52706ccc2b

SHA256
579aa50fd947a90701f5e912155e12004b383ce59cf35041c7e8ced21787396c

SHA512
a33cd96409b7ee7405151578a39f22192604b7c3524172cf55b1541382442d378cdce860bc3bb541b6b638e32a4edfff3ab22b84155d2e8a584f0d680f6faae9

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
386b3404873c3b39e57398e71def85e9

SHA1
3e13446d3d16d9c173afe56da2e820bd568631f2

SHA256
ff26ede2d47039ea2fab59f9f175818053bd3b6ba1546f2c132e55c9b0c17010

SHA512
d01dfcf03df9d16a61bca95ba84aecc5509b824ade47443ad3a78b0b88bf335da80fb5af972d23cd4a2171e7b377b6b7d667d8bad969de9765e75130e9c1ef76

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
386b3404873c3b39e57398e71def85e9

SHA1
3e13446d3d16d9c173afe56da2e820bd568631f2

SHA256
ff26ede2d47039ea2fab59f9f175818053bd3b6ba1546f2c132e55c9b0c17010

SHA512
d01dfcf03df9d16a61bca95ba84aecc5509b824ade47443ad3a78b0b88bf335da80fb5af972d23cd4a2171e7b377b6b7d667d8bad969de9765e75130e9c1ef76

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
58ab837f649c6223a2b85ec73a1bbea4

SHA1
f28e8bf2df3c039fe25a1a8ec573d2464dc2033e

SHA256
61332a89004a42e067a10d63471575147f77fd2457c75a33a826e375e3f7472a

SHA512
77b5637d29430d284b675e3da921166962a89b80a3eba2ab6cbb9162c78e30bc5896ee3e8ef5cecf63e9e4d69d284e3b780dfead5bd5c6604593d203d9de5066

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
58ab837f649c6223a2b85ec73a1bbea4

SHA1
f28e8bf2df3c039fe25a1a8ec573d2464dc2033e

SHA256
61332a89004a42e067a10d63471575147f77fd2457c75a33a826e375e3f7472a

SHA512
77b5637d29430d284b675e3da921166962a89b80a3eba2ab6cbb9162c78e30bc5896ee3e8ef5cecf63e9e4d69d284e3b780dfead5bd5c6604593d203d9de5066

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
9003d5aeb3f44ecb414fbf0ae905657a

SHA1
f7a76a3356620af80351b2c0249d1510bec8d589

SHA256
37097b90031815c7b5b9cea6aa087d375a15ee85a21302b75392d5d67fbfe4ad

SHA512
0ac398057105b8f151601ab5883637597d9bedbfacd8062a39aa905c5ed69c940ca3ebd42dd51b6428a91c3509839efb4fb7dae15790346408d4b254a1a8c734

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
9003d5aeb3f44ecb414fbf0ae905657a

SHA1
f7a76a3356620af80351b2c0249d1510bec8d589

SHA256
37097b90031815c7b5b9cea6aa087d375a15ee85a21302b75392d5d67fbfe4ad

SHA512
0ac398057105b8f151601ab5883637597d9bedbfacd8062a39aa905c5ed69c940ca3ebd42dd51b6428a91c3509839efb4fb7dae15790346408d4b254a1a8c734

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
196KB

MD5
b016230067411a11d2a2dcf179072330

SHA1
ef613a6e62d7bfd59e8700f6d0fca7108ab7b46f

SHA256
3b24b1c06cdd54a9f8912e9eb0b8482503e7174596a97dd535f3ad7965799fbc

SHA512
37e1228075cbb1321680d56a2d35398504fc351092664fab5838446d94d44968dc41c498cc0547b3f771a9478cd2b6dd6a2cb2c018b8103b9a514585d02e4ecb

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
5e61fadc4f9ea55c67f090f995b191dd

SHA1
04984d5bc83d84cf43f3b74ac52741e0e5521ebf

SHA256
f3c63b4bcf1856137438ab5b66e8f43cb5a20013a0dc4f3b1172d22ce6255a84

SHA512
745c04d09b97665cf87ecc16c3507e924e6c228deedaec4ebeeab2458533962a2b0467d25b22e1dd7c75983f6a8ab80050b438db52b11870fc39def38e7640b3

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
de12233a479d1879abc637f84435d4fa

SHA1
5dbc5866c553a831c902f0809fe70f52706ccc2b

SHA256
579aa50fd947a90701f5e912155e12004b383ce59cf35041c7e8ced21787396c

SHA512
a33cd96409b7ee7405151578a39f22192604b7c3524172cf55b1541382442d378cdce860bc3bb541b6b638e32a4edfff3ab22b84155d2e8a584f0d680f6faae9

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
386b3404873c3b39e57398e71def85e9

SHA1
3e13446d3d16d9c173afe56da2e820bd568631f2

SHA256
ff26ede2d47039ea2fab59f9f175818053bd3b6ba1546f2c132e55c9b0c17010

SHA512
d01dfcf03df9d16a61bca95ba84aecc5509b824ade47443ad3a78b0b88bf335da80fb5af972d23cd4a2171e7b377b6b7d667d8bad969de9765e75130e9c1ef76

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
58ab837f649c6223a2b85ec73a1bbea4

SHA1
f28e8bf2df3c039fe25a1a8ec573d2464dc2033e

SHA256
61332a89004a42e067a10d63471575147f77fd2457c75a33a826e375e3f7472a

SHA512
77b5637d29430d284b675e3da921166962a89b80a3eba2ab6cbb9162c78e30bc5896ee3e8ef5cecf63e9e4d69d284e3b780dfead5bd5c6604593d203d9de5066

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
9003d5aeb3f44ecb414fbf0ae905657a

SHA1
f7a76a3356620af80351b2c0249d1510bec8d589

SHA256
37097b90031815c7b5b9cea6aa087d375a15ee85a21302b75392d5d67fbfe4ad

SHA512
0ac398057105b8f151601ab5883637597d9bedbfacd8062a39aa905c5ed69c940ca3ebd42dd51b6428a91c3509839efb4fb7dae15790346408d4b254a1a8c734

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
716d8c5ecb81db0777e40f7f9be12971

SHA1
7299943121d87295e3d00d533e468f576a8ccd97

SHA256
3d91ef91084922ba5daaeb91009f79c7d50b734f995e2fdb2253134a0d7534ae

SHA512
19ebfa8b7f147c6ead035ccf4023605bf45dd7451a4ffded2d41c6b2d4eff9c1e9873c7e4872a0c311190640160610de0e9568c37039f9d29e124e0047249832

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
716d8c5ecb81db0777e40f7f9be12971

SHA1
7299943121d87295e3d00d533e468f576a8ccd97

SHA256
3d91ef91084922ba5daaeb91009f79c7d50b734f995e2fdb2253134a0d7534ae

SHA512
19ebfa8b7f147c6ead035ccf4023605bf45dd7451a4ffded2d41c6b2d4eff9c1e9873c7e4872a0c311190640160610de0e9568c37039f9d29e124e0047249832

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
c5617712ab8eacb0cc4e7ca2ceaa59a5

SHA1
62fbfe006d2f161a4273309e6218ff85fb912126

SHA256
43b3d06cfc35cbb867fcba42391fac47810ef26f13d77e3852fdd7035a08ff2e

SHA512
b6af493a1b26dd88fbe3361d7ef632bce18f3d2ad31aea4d161cfbc869dcf40105e2aa271ac601b0c84605bd42734f9db4583c0fa886562cfb7d91bf5b5e279c

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
3c4f0eecbb4f1faa06fccf08b9a56e0e

SHA1
d52475411bea43482dfe77057203fe229578cc43

SHA256
6b97d0c5f67b5e5c1c12f21b1c217c94ca8e970396aa794e0b88d816d9f1686b

SHA512
731cdbc2bc10545a5f3b85b89a2c20a49deef5c840a513def8e79099c65c7dd9742241479601a484720264c672c4fc2a08cec66495f3d4aff3785ff64ef89ce7

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
3c4f0eecbb4f1faa06fccf08b9a56e0e

SHA1
d52475411bea43482dfe77057203fe229578cc43

SHA256
6b97d0c5f67b5e5c1c12f21b1c217c94ca8e970396aa794e0b88d816d9f1686b

SHA512
731cdbc2bc10545a5f3b85b89a2c20a49deef5c840a513def8e79099c65c7dd9742241479601a484720264c672c4fc2a08cec66495f3d4aff3785ff64ef89ce7

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
1c7daa399476160019e32ad4bd7bd0b1

SHA1
f7efab4e09b9d6ee1f1cfee247b6a96c40a9ba94

SHA256
73f189a569ca5b644112659f856585c0ff299daf4e21c9b7ec6292da08e46d77

SHA512
19206aa6ebafaa35c722db73f78311430ddc92df63c809a56ed951137554764a3c332c8ac744fd90502130e5ff00d54113d5390e320115f5098d1f04890fe626

Download Submit
C:\XK\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\desktop.ini

Filesize
217B

MD5
c00d8433fe598abff197e690231531e0

SHA1
4f6b87a4327ff5343e9e87275d505b9f145a7e42

SHA256
52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

SHA512
a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

Download Submit
memory/548-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-117-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-193-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4056-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4180-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download