e44405e0fc3bcbb552e83ccb07a08bb5c1858ae472bcb04f6bbdd06fa925fd11

Analysis

max time kernel
45s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2023 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5de1cd17cf67218937493497a57b7390.exe
Size

384KB
MD5

5de1cd17cf67218937493497a57b7390
SHA1

70bd59bcfffc71166df5186a9d2d35e31f8d8e38
SHA256

e44405e0fc3bcbb552e83ccb07a08bb5c1858ae472bcb04f6bbdd06fa925fd11
SHA512

eb34d8bf1a4a81579b220fb820009b936e6a7396d9e629c463ee61c03b9cb30e5a2ac8ed62cd6fefdafb8f637f1364ebb867900856cf3cdd8a32eb9c3ae5f215
SSDEEP

12288:0v+0xB+UDBdIA6h/Tz7+nLyB/sZHfLscbvkivkCwJ3HS:0vaP/sBL2S

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.5de1cd17cf67218937493497a57b7390.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ceoid.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	NEAS.5de1cd17cf67218937493497a57b7390.exe

Executes dropped EXE 1 IoCs

pid	Process
5024	ceoid.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /l"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /f"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /r"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /h"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /u"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /n"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /w"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /d"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /m"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /j"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /q"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /l"	NEAS.5de1cd17cf67218937493497a57b7390.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /s"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /n"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /o"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /j"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /y"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /y"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /d"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /g"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /b"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /p"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /i"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /b"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /c"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /c"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /t"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /k"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /e"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /r"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /a"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /t"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /x"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /w"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /k"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /l"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /f"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /x"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /g"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /i"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /v"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /h"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /a"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /o"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /l"	NEAS.5de1cd17cf67218937493497a57b7390.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /z"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /e"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /v"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /s"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /u"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /z"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /q"	ceoid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /p"	ceoid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceoid = "C:\\Users\\Admin\\ceoid.exe /m"	ceoid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	NEAS.5de1cd17cf67218937493497a57b7390.exe
2924	NEAS.5de1cd17cf67218937493497a57b7390.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe
5024	ceoid.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2924	NEAS.5de1cd17cf67218937493497a57b7390.exe
5024	ceoid.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 5024	2924	NEAS.5de1cd17cf67218937493497a57b7390.exe	90
PID 2924 wrote to memory of 5024	2924	NEAS.5de1cd17cf67218937493497a57b7390.exe	90
PID 2924 wrote to memory of 5024	2924	NEAS.5de1cd17cf67218937493497a57b7390.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.5de1cd17cf67218937493497a57b7390.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5de1cd17cf67218937493497a57b7390.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\ceoid.exe
  "C:\Users\Admin\ceoid.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ceoid.exe

Filesize
384KB

MD5
fcab77bf2ec40b431ee4f9d8643af122

SHA1
e4d349c11fbd28314eabd98578ef43858c160dc1

SHA256
e6307c7168349d639dc90a9b2e18741026956bb63940700e605800452cda2a49

SHA512
325ba5c27bd628cffbe68d660b10c7e6e721b68278ad386ae38e41bf7a9e9d75ecd48c5214636e8b7b7967bb60492117d505286c35eeedd7b104cce49c5aab6e

Download Submit
C:\Users\Admin\ceoid.exe

Filesize
384KB

MD5
fcab77bf2ec40b431ee4f9d8643af122

SHA1
e4d349c11fbd28314eabd98578ef43858c160dc1

SHA256
e6307c7168349d639dc90a9b2e18741026956bb63940700e605800452cda2a49

SHA512
325ba5c27bd628cffbe68d660b10c7e6e721b68278ad386ae38e41bf7a9e9d75ecd48c5214636e8b7b7967bb60492117d505286c35eeedd7b104cce49c5aab6e

Download Submit
C:\Users\Admin\ceoid.exe

Filesize
384KB

MD5
fcab77bf2ec40b431ee4f9d8643af122

SHA1
e4d349c11fbd28314eabd98578ef43858c160dc1

SHA256
e6307c7168349d639dc90a9b2e18741026956bb63940700e605800452cda2a49

SHA512
325ba5c27bd628cffbe68d660b10c7e6e721b68278ad386ae38e41bf7a9e9d75ecd48c5214636e8b7b7967bb60492117d505286c35eeedd7b104cce49c5aab6e

Download Submit