e44405e0fc3bcbb552e83ccb07a08bb5c1858ae472bcb04f6bbdd06fa925fd11

Analysis

max time kernel
269s
max time network
307s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5de1cd17cf67218937493497a57b7390.exe
Size

384KB
MD5

5de1cd17cf67218937493497a57b7390
SHA1

70bd59bcfffc71166df5186a9d2d35e31f8d8e38
SHA256

e44405e0fc3bcbb552e83ccb07a08bb5c1858ae472bcb04f6bbdd06fa925fd11
SHA512

eb34d8bf1a4a81579b220fb820009b936e6a7396d9e629c463ee61c03b9cb30e5a2ac8ed62cd6fefdafb8f637f1364ebb867900856cf3cdd8a32eb9c3ae5f215
SSDEEP

12288:0v+0xB+UDBdIA6h/Tz7+nLyB/sZHfLscbvkivkCwJ3HS:0vaP/sBL2S

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.5de1cd17cf67218937493497a57b7390.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	luaele.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	luaele.exe

Loads dropped DLL 2 IoCs

pid	Process
2148	NEAS.5de1cd17cf67218937493497a57b7390.exe
2148	NEAS.5de1cd17cf67218937493497a57b7390.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /u"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /l"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /k"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /q"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /g"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /a"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /f"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /p"	NEAS.5de1cd17cf67218937493497a57b7390.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /n"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /t"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /b"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /s"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /y"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /d"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /n"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /c"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /f"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /r"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /c"	NEAS.5de1cd17cf67218937493497a57b7390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /p"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /e"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /v"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /h"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /e"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /u"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /l"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /d"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /o"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /o"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /w"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /i"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /y"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /b"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /i"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /j"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /t"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /h"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /m"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /q"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /x"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /a"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /j"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /m"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /z"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /k"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /x"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /r"	luaele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /v"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /c"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /p"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /g"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /s"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /w"	luaele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Windows\CurrentVersion\Run\luaele = "C:\\Users\\Admin\\luaele.exe /z"	luaele.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2148	NEAS.5de1cd17cf67218937493497a57b7390.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe
2816	luaele.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2148	NEAS.5de1cd17cf67218937493497a57b7390.exe
2816	luaele.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2816	2148	NEAS.5de1cd17cf67218937493497a57b7390.exe	27
PID 2148 wrote to memory of 2816	2148	NEAS.5de1cd17cf67218937493497a57b7390.exe	27
PID 2148 wrote to memory of 2816	2148	NEAS.5de1cd17cf67218937493497a57b7390.exe	27
PID 2148 wrote to memory of 2816	2148	NEAS.5de1cd17cf67218937493497a57b7390.exe	27

C:\Users\Admin\AppData\Local\Temp\NEAS.5de1cd17cf67218937493497a57b7390.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5de1cd17cf67218937493497a57b7390.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\luaele.exe
  "C:\Users\Admin\luaele.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\luaele.exe

Filesize
384KB

MD5
4e9335a45e806f1d4b47b4d8b437932b

SHA1
07012dfde7879f032d4da55370d9906f94bd4e7e

SHA256
7d03965fac81368bd9d7ca7566779ddd2ca04761897e72cc92512edaf1e96965

SHA512
75bbce9fac8816bbfb42852ead1ebcb647f873d0ae73aef14e39c6339fb7e26714e63dfa2b98ff13a9c69dc8b46e1ffe373456f882e3d2dad2eb71c4ac8f75e0

Download Submit
C:\Users\Admin\luaele.exe

Filesize
384KB

MD5
4e9335a45e806f1d4b47b4d8b437932b

SHA1
07012dfde7879f032d4da55370d9906f94bd4e7e

SHA256
7d03965fac81368bd9d7ca7566779ddd2ca04761897e72cc92512edaf1e96965

SHA512
75bbce9fac8816bbfb42852ead1ebcb647f873d0ae73aef14e39c6339fb7e26714e63dfa2b98ff13a9c69dc8b46e1ffe373456f882e3d2dad2eb71c4ac8f75e0

Download Submit
C:\Users\Admin\luaele.exe

Filesize
384KB

MD5
4e9335a45e806f1d4b47b4d8b437932b

SHA1
07012dfde7879f032d4da55370d9906f94bd4e7e

SHA256
7d03965fac81368bd9d7ca7566779ddd2ca04761897e72cc92512edaf1e96965

SHA512
75bbce9fac8816bbfb42852ead1ebcb647f873d0ae73aef14e39c6339fb7e26714e63dfa2b98ff13a9c69dc8b46e1ffe373456f882e3d2dad2eb71c4ac8f75e0

Download Submit
\Users\Admin\luaele.exe

Filesize
384KB

MD5
4e9335a45e806f1d4b47b4d8b437932b

SHA1
07012dfde7879f032d4da55370d9906f94bd4e7e

SHA256
7d03965fac81368bd9d7ca7566779ddd2ca04761897e72cc92512edaf1e96965

SHA512
75bbce9fac8816bbfb42852ead1ebcb647f873d0ae73aef14e39c6339fb7e26714e63dfa2b98ff13a9c69dc8b46e1ffe373456f882e3d2dad2eb71c4ac8f75e0

Download Submit
\Users\Admin\luaele.exe

Filesize
384KB

MD5
4e9335a45e806f1d4b47b4d8b437932b

SHA1
07012dfde7879f032d4da55370d9906f94bd4e7e

SHA256
7d03965fac81368bd9d7ca7566779ddd2ca04761897e72cc92512edaf1e96965

SHA512
75bbce9fac8816bbfb42852ead1ebcb647f873d0ae73aef14e39c6339fb7e26714e63dfa2b98ff13a9c69dc8b46e1ffe373456f882e3d2dad2eb71c4ac8f75e0

Download Submit