Overview

overview

10

Static

static

3

NEAS.5a387...00.exe

windows7-x64

1

NEAS.5a387...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2023, 21:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.5a387559ea6345848e315ab5e27a2300.exe

  • Size

    4.4MB

  • MD5

    5a387559ea6345848e315ab5e27a2300

  • SHA1

    59301325101c0ba83fc3b659759be02e0b31a9c2

  • SHA256

    6e4e941227544101b4c717b4231758f4d6a7589de40a9120a3c72c19eaa6a0f2

  • SHA512

    76dab482642c228784bb0609e0d80613d6d299514d8f315516754748d9f2cea4586d891eb445d159c9f59366ffdd6e139ee4a2753c0f6708c0ba6506b946579c

  • SSDEEP

    1536:9nTwVYlmkpzEcHGtan2KR3dvJ77zZ38Ihp4:pHpZAKzvJNM9

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.5a387559ea6345848e315ab5e27a2300.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5a387559ea6345848e315ab5e27a2300.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4980
    • C:\Users\Admin\AppData\Local\Temp\NEAS.5a387559ea6345848e315ab5e27a2300.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5a387559ea6345848e315ab5e27a2300.exe
      2⤵
      • UAC bypass
      • Adds policy Run key to start application
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:876
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c attrib +s +h +r C:\ProgramData\JRE
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3932
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h +r C:\ProgramData\JRE
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:3524
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c attrib +s +h +r C:\ProgramData\WOW64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4516
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h +r C:\ProgramData\WOW64
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4376
      • C:\Windows\SysWOW64\netsh.exe
        "netsh.exe" advfirewall firewall add rule name="WOW64 Emulator" dir=in action=allowdescription="Windows Component" program="C:\ProgramData\WOW64\csrss.exe" enable=yes
        3⤵
        • Modifies Windows Firewall
        PID:1488
      • C:\ProgramData\WOW64\csrss.exe
        "C:\ProgramData\WOW64\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\WOW64\csrss.exe
    Filesize

    4.4MB

    MD5

    5a387559ea6345848e315ab5e27a2300

    SHA1

    59301325101c0ba83fc3b659759be02e0b31a9c2

    SHA256

    6e4e941227544101b4c717b4231758f4d6a7589de40a9120a3c72c19eaa6a0f2

    SHA512

    76dab482642c228784bb0609e0d80613d6d299514d8f315516754748d9f2cea4586d891eb445d159c9f59366ffdd6e139ee4a2753c0f6708c0ba6506b946579c

    Download Submit

  • C:\ProgramData\WOW64\csrss.exe
    Filesize

    4.4MB

    MD5

    5a387559ea6345848e315ab5e27a2300

    SHA1

    59301325101c0ba83fc3b659759be02e0b31a9c2

    SHA256

    6e4e941227544101b4c717b4231758f4d6a7589de40a9120a3c72c19eaa6a0f2

    SHA512

    76dab482642c228784bb0609e0d80613d6d299514d8f315516754748d9f2cea4586d891eb445d159c9f59366ffdd6e139ee4a2753c0f6708c0ba6506b946579c

    Download Submit

  • C:\ProgramData\WOW64\csrss.exe
    Filesize

    4.4MB

    MD5

    5a387559ea6345848e315ab5e27a2300

    SHA1

    59301325101c0ba83fc3b659759be02e0b31a9c2

    SHA256

    6e4e941227544101b4c717b4231758f4d6a7589de40a9120a3c72c19eaa6a0f2

    SHA512

    76dab482642c228784bb0609e0d80613d6d299514d8f315516754748d9f2cea4586d891eb445d159c9f59366ffdd6e139ee4a2753c0f6708c0ba6506b946579c

    Download Submit

  • memory/876-5-0x0000000001AA0000-0x0000000001AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/876-7-0x0000000075330000-0x00000000758E1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/876-4-0x0000000075330000-0x00000000758E1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/876-18-0x0000000075330000-0x00000000758E1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/876-20-0x0000000001AA0000-0x0000000001AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3820-19-0x0000000075330000-0x00000000758E1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3820-21-0x0000000075330000-0x00000000758E1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3820-22-0x0000000075330000-0x00000000758E1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3820-23-0x0000000075330000-0x00000000758E1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4980-0-0x0000000075330000-0x00000000758E1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4980-6-0x0000000075330000-0x00000000758E1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4980-2-0x0000000001970000-0x0000000001980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-1-0x0000000075330000-0x00000000758E1000-memory.dmp

    Filesize

    5.7MB

    Download