20eb6022d2556eb2bd6cee3744b64b5af1474aff0f794468f92838370e9f461e

Analysis

max time kernel
124s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
Size

454KB
MD5

bbe1fa94d5d20d40dc4378eca559ad90
SHA1

f07995f479754f1c85d02c94d6bcda38072c40d0
SHA256

20eb6022d2556eb2bd6cee3744b64b5af1474aff0f794468f92838370e9f461e
SHA512

29fbe4e4330ebf0a0aed53158b70e60249d4481915b2568821b8353ae035f3734fea76831728e077e05e05c2046a370d3db55bca7fb00282ad70ed7230ae14d9
SSDEEP

12288:X6Wq4aaE6KwyF5L0Y2D1PqLb6Wq4aan6Wq4aaE6Kp:1thEVaPqLBthFthEB

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
4140	svhost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2712-0-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/files/0x000700000002324b-3.dat	upx
behavioral2/files/0x000700000002324b-4.dat	upx
behavioral2/memory/4140-5-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/files/0x0002000000022616-104.dat	upx
behavioral2/memory/2712-441-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/memory/4140-895-0x0000000000400000-0x0000000000523000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2712-441-0x0000000000400000-0x0000000000523000-memory.dmp	autoit_exe
behavioral2/memory/4140-895-0x0000000000400000-0x0000000000523000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4140	svhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe
4140	svhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 4140	2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe	83
PID 2712 wrote to memory of 4140	2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe	83
PID 2712 wrote to memory of 4140	2712	NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe	83

C:\Users\Admin\AppData\Local\Temp\NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bbe1fa94d5d20d40dc4378eca559ad90.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Driver.db

Filesize
82B

MD5
c2d2dc50dca8a2bfdc8e2d59dfa5796d

SHA1
7a6150fc53244e28d1bcea437c0c9d276c41ccad

SHA256
b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

SHA512
6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Download Submit
C:\Windows\svhost.exe

Filesize
454KB

MD5
b6264e2fe4e46c626d9183ad500454cf

SHA1
179658e43d6384b5ee8699862071a34d7e709688

SHA256
5d6fafd1bb17856c642e3ba1531ab3f6d00ec45721ae7541d6c56cf2e025c431

SHA512
33dfaced07b23b94bc6ef07e5121e2803ad276969125ce87ba89f526c369dd231484c1a76260fefc665cfc12d3bc3c4f2d518065c4ef3b27d98a98181f297797

Download Submit
C:\Windows\svhost.exe

Filesize
454KB

MD5
b6264e2fe4e46c626d9183ad500454cf

SHA1
179658e43d6384b5ee8699862071a34d7e709688

SHA256
5d6fafd1bb17856c642e3ba1531ab3f6d00ec45721ae7541d6c56cf2e025c431

SHA512
33dfaced07b23b94bc6ef07e5121e2803ad276969125ce87ba89f526c369dd231484c1a76260fefc665cfc12d3bc3c4f2d518065c4ef3b27d98a98181f297797

Download Submit
C:\odt.exe

Filesize
454KB

MD5
1f6d4d8f6ae1acf04274cac87a696898

SHA1
1c40ebcc155439f23ea65cfc7fff6faf7e76ce47

SHA256
25ac273479bee604e1a336a1e818b558504956210bcb6e5f78b5182a9a2502f3

SHA512
534d1851372e143ccc23d74d2fb29d165614ad76c1708c40100c3360a8396d5fd6b10b984706c0ce171529a9c110754c184a95352a0a92c29a6ea1d42ffdd19c

Download Submit
memory/2712-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2712-441-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/4140-5-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/4140-895-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download