d84ea29fcd4ab5a567304cb1b1652e56598a5c074dcdbc6204c7cd3969162895

Analysis

max time kernel
170s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.637fbd6373e34a549d167895bb0a9a90.exe
Size

4.3MB
MD5

637fbd6373e34a549d167895bb0a9a90
SHA1

11320ecabfdfacc6252c5dad2307e17fe616068e
SHA256

d84ea29fcd4ab5a567304cb1b1652e56598a5c074dcdbc6204c7cd3969162895
SHA512

6267503c6183e60be46bd71613cd37592c1df84b86b1a665bc15bb01eb38370b0edb6acf747ecba813bf4cbdbcede7bc1be2519d841424fd44b509b06f23a485
SSDEEP

98304:rKpNIdVbVHMWmRQFNyeW0MGfiUVSKdujPs:O7IPJHFNN8E7duzs

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
400	neas.637fbd6373e34a549d167895bb0a9a90.exe
404	icsys.icn.exe
2064	explorer.exe
496	spoolsv.exe
1708	svchost.exe
3964	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	NEAS.637fbd6373e34a549d167895bb0a9a90.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	neas.637fbd6373e34a549d167895bb0a9a90.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	neas.637fbd6373e34a549d167895bb0a9a90.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	neas.637fbd6373e34a549d167895bb0a9a90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	neas.637fbd6373e34a549d167895bb0a9a90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	neas.637fbd6373e34a549d167895bb0a9a90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	neas.637fbd6373e34a549d167895bb0a9a90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	neas.637fbd6373e34a549d167895bb0a9a90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	neas.637fbd6373e34a549d167895bb0a9a90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	neas.637fbd6373e34a549d167895bb0a9a90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	neas.637fbd6373e34a549d167895bb0a9a90.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe
404	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2064	explorer.exe
1708	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe
404	icsys.icn.exe
404	icsys.icn.exe
2064	explorer.exe
2064	explorer.exe
496	spoolsv.exe
496	spoolsv.exe
1708	svchost.exe
1708	svchost.exe
3964	spoolsv.exe
3964	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 400	4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe	86
PID 4980 wrote to memory of 400	4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe	86
PID 4980 wrote to memory of 400	4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe	86
PID 4980 wrote to memory of 404	4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe	88
PID 4980 wrote to memory of 404	4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe	88
PID 4980 wrote to memory of 404	4980	NEAS.637fbd6373e34a549d167895bb0a9a90.exe	88
PID 404 wrote to memory of 2064	404	icsys.icn.exe	89
PID 404 wrote to memory of 2064	404	icsys.icn.exe	89
PID 404 wrote to memory of 2064	404	icsys.icn.exe	89
PID 2064 wrote to memory of 496	2064	explorer.exe	90
PID 2064 wrote to memory of 496	2064	explorer.exe	90
PID 2064 wrote to memory of 496	2064	explorer.exe	90
PID 496 wrote to memory of 1708	496	spoolsv.exe	91
PID 496 wrote to memory of 1708	496	spoolsv.exe	91
PID 496 wrote to memory of 1708	496	spoolsv.exe	91
PID 1708 wrote to memory of 3964	1708	svchost.exe	92
PID 1708 wrote to memory of 3964	1708	svchost.exe	92
PID 1708 wrote to memory of 3964	1708	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.637fbd6373e34a549d167895bb0a9a90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.637fbd6373e34a549d167895bb0a9a90.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4980
- \??\c:\users\admin\appdata\local\temp\neas.637fbd6373e34a549d167895bb0a9a90.exe
  c:\users\admin\appdata\local\temp\neas.637fbd6373e34a549d167895bb0a9a90.exe
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies system certificate store
  PID:400
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:404
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:496
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\neas.637fbd6373e34a549d167895bb0a9a90.exe

Filesize
4.2MB

MD5
3a1f2fffc6257af1f4412be598b49ffa

SHA1
871c682f6ba9221705a4e5617d54fc51f1c63f91

SHA256
984ae3d5b2b05dbde6220ef5ea3d05453fc36322b3dc323241dc9fa2deaddcf9

SHA512
089469d651c2da1d26ab70d1a4b3ec71c62ee8d4da9c3b5073de1bde0e70cf83de6b5caf77657bff9e7b1355455c8fa5b1df5ecf837dd9ed5164340b9ebd3bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\tenfoot\resource\images\textinput\drop06.tga_

Filesize
244KB

MD5
c7afc24e396da59a4ef402ddd2ccbceb

SHA1
dafbca40f8420fdf6c426fa6a3f0f6a43fb493d9

SHA256
996cd2d01542cec922c384708dcbfc8aee8773333ebda9a398f0236675f129b1

SHA512
013ff1f14b8c7214c88e42cf5d270324f4bbac6bf6b5eafa7dadf8d658c0eaa97a52f326df62867dab7926e8edbcb5bac89a0e675c57de5558f78b1bce313ef2

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
83b2435766b3f1b77e2ba48b69a8966c

SHA1
c101e2bf0581f51f475864d8d0d7b780077e59ba

SHA256
30f0b77ba16733749533cc9cd66bfc0c10dd963b0f2dbac6a1b9f98a4ac9511e

SHA512
c6d07d620b4012b66fcf23f7e9a4d10566d2c7e4720267dcf42b53042cae5862165a1409adab2ed7842ad63b89770f564aa0d6262bb79e07e1223543216ad608

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
83b2435766b3f1b77e2ba48b69a8966c

SHA1
c101e2bf0581f51f475864d8d0d7b780077e59ba

SHA256
30f0b77ba16733749533cc9cd66bfc0c10dd963b0f2dbac6a1b9f98a4ac9511e

SHA512
c6d07d620b4012b66fcf23f7e9a4d10566d2c7e4720267dcf42b53042cae5862165a1409adab2ed7842ad63b89770f564aa0d6262bb79e07e1223543216ad608

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
87f7626b3622599a05ae809c64f163cb

SHA1
c556bbc549debe2e58c0d7f63a0d0a9cfeb5d4c9

SHA256
d5f3490086d0aa9e75c52faebfbeab0596ed9d9a4223f310fa15ce47e28ae1f2

SHA512
1d1cdee71fd9c102ee2f9db4bf0a3a63ef97e83efcabefe53d7911cde3058caac9c5f1b0ff6e1cd22dfd80a3870e0f76c5b2bf8463ca7217add781645fd37730

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
87f7626b3622599a05ae809c64f163cb

SHA1
c556bbc549debe2e58c0d7f63a0d0a9cfeb5d4c9

SHA256
d5f3490086d0aa9e75c52faebfbeab0596ed9d9a4223f310fa15ce47e28ae1f2

SHA512
1d1cdee71fd9c102ee2f9db4bf0a3a63ef97e83efcabefe53d7911cde3058caac9c5f1b0ff6e1cd22dfd80a3870e0f76c5b2bf8463ca7217add781645fd37730

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d15381bbff5c79d9afee464a8614715b

SHA1
890b075bf8ff1ce597ccde12077fb916f17ed194

SHA256
2ddce495aafda72fdd3caee5d2e437c6d93ffc6fd76116aa4e59f42e2cc3d5c2

SHA512
428872791602470dd591318eb9bca66bc1576f3813998e59b7ee72bdc3f5e9bd57e296d1d4135a74d8896d3c4cb8864a7e68ad47464600ca8889767b02003fe5

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d15381bbff5c79d9afee464a8614715b

SHA1
890b075bf8ff1ce597ccde12077fb916f17ed194

SHA256
2ddce495aafda72fdd3caee5d2e437c6d93ffc6fd76116aa4e59f42e2cc3d5c2

SHA512
428872791602470dd591318eb9bca66bc1576f3813998e59b7ee72bdc3f5e9bd57e296d1d4135a74d8896d3c4cb8864a7e68ad47464600ca8889767b02003fe5

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
5669342f2532587f90a90bf17823d61f

SHA1
7ea1f2344992042fb2c5eb0e7582544909644f7e

SHA256
70216049ff2ff312684e2dee62378aaed062892372565211c2638cb1237303a5

SHA512
6f5e49c6d74e98bb25e22832ec137d848f69480cf68a4d25e53d4e181879a21e247f2d04a0b3c160e8bf5b2c43a6c84d3b1ada992d92ff1e15e66a9a9d05a67d

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
d15381bbff5c79d9afee464a8614715b

SHA1
890b075bf8ff1ce597ccde12077fb916f17ed194

SHA256
2ddce495aafda72fdd3caee5d2e437c6d93ffc6fd76116aa4e59f42e2cc3d5c2

SHA512
428872791602470dd591318eb9bca66bc1576f3813998e59b7ee72bdc3f5e9bd57e296d1d4135a74d8896d3c4cb8864a7e68ad47464600ca8889767b02003fe5

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
5669342f2532587f90a90bf17823d61f

SHA1
7ea1f2344992042fb2c5eb0e7582544909644f7e

SHA256
70216049ff2ff312684e2dee62378aaed062892372565211c2638cb1237303a5

SHA512
6f5e49c6d74e98bb25e22832ec137d848f69480cf68a4d25e53d4e181879a21e247f2d04a0b3c160e8bf5b2c43a6c84d3b1ada992d92ff1e15e66a9a9d05a67d

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
83b2435766b3f1b77e2ba48b69a8966c

SHA1
c101e2bf0581f51f475864d8d0d7b780077e59ba

SHA256
30f0b77ba16733749533cc9cd66bfc0c10dd963b0f2dbac6a1b9f98a4ac9511e

SHA512
c6d07d620b4012b66fcf23f7e9a4d10566d2c7e4720267dcf42b53042cae5862165a1409adab2ed7842ad63b89770f564aa0d6262bb79e07e1223543216ad608

Download Submit
memory/404-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/496-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-5139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2064-4529-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3964-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4980-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4980-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download