c6da1980b6e0076896d8920585bf6b60d5d9da6fdf4139c2db314324c9d1c2e4

Analysis

max time kernel
161s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2023 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ef206e773124bd5e3b9af8082b288090.exe
Size

1.2MB
MD5

ef206e773124bd5e3b9af8082b288090
SHA1

a4e88814141f006f41f03285c27bdbe833b478b9
SHA256

c6da1980b6e0076896d8920585bf6b60d5d9da6fdf4139c2db314324c9d1c2e4
SHA512

19f951ea4b08a00cecf34630dc49d32f08ef09867fb6c67535e10b8b6c8bf335ad9cdc2bf474a7f9eb3d9800105fe05a195cfd3292fc43dd030b8844c62324c9
SSDEEP

24576:Tj+cktriK2PVboYTicnT1SBb//wDKULTrhSFkOTu+FMd:+SPVboYTVABjRGtSFruNd

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4356	explorer.exe
4008	spoolsv.exe
1916	svchost.exe
3928	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs

pid	Process
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4356	explorer.exe
4356	explorer.exe
4008	spoolsv.exe
1916	svchost.exe
1916	svchost.exe
4008	spoolsv.exe
3928	spoolsv.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4356	explorer.exe
1916	svchost.exe
4356	explorer.exe
1916	svchost.exe
4356	explorer.exe
1916	svchost.exe
4356	explorer.exe
1916	svchost.exe
4356	explorer.exe
1916	svchost.exe
4356	explorer.exe
1916	svchost.exe
4356	explorer.exe
1916	svchost.exe
4356	explorer.exe
1916	svchost.exe
4356	explorer.exe
1916	svchost.exe
4356	explorer.exe
1916	svchost.exe
4356	explorer.exe
1916	svchost.exe
4356	explorer.exe
1916	svchost.exe
4356	explorer.exe
1916	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	NEAS.ef206e773124bd5e3b9af8082b288090.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4356	explorer.exe
1916	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4008	spoolsv.exe
4008	spoolsv.exe
4008	spoolsv.exe
1916	svchost.exe
1916	svchost.exe
1916	svchost.exe
3928	spoolsv.exe
3928	spoolsv.exe
3928	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 4356	4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe	89
PID 4064 wrote to memory of 4356	4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe	89
PID 4064 wrote to memory of 4356	4064	NEAS.ef206e773124bd5e3b9af8082b288090.exe	89
PID 4356 wrote to memory of 4008	4356	explorer.exe	90
PID 4356 wrote to memory of 4008	4356	explorer.exe	90
PID 4356 wrote to memory of 4008	4356	explorer.exe	90
PID 4008 wrote to memory of 1916	4008	spoolsv.exe	91
PID 4008 wrote to memory of 1916	4008	spoolsv.exe	91
PID 4008 wrote to memory of 1916	4008	spoolsv.exe	91
PID 1916 wrote to memory of 3928	1916	svchost.exe	92
PID 1916 wrote to memory of 3928	1916	svchost.exe	92
PID 1916 wrote to memory of 3928	1916	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.ef206e773124bd5e3b9af8082b288090.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ef206e773124bd5e3b9af8082b288090.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4064
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4356
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1916
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
1.2MB

MD5
bb419ecc85bf5401a57901699cdcbdbb

SHA1
a745fe2f8064248812c8b5ea44c7694a0890bfd3

SHA256
5fdb354dcb449cf4d53980dcf8e778a25e0daad16f30579d5ea79e405ed82fd5

SHA512
192cfc455ceaf2297034307ec259ef3a916a50f096b60017df5883b682a8aeaa97c60debb0d6a83b12e0db51617cd46b4d3840cffa75ae7b327c25cee821d736

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
1.2MB

MD5
9641d743154f61dbda44b5ff2e496663

SHA1
bf1873e285ea5f9a3ef1cd0fcaf1bc4e58cd0caa

SHA256
7bf51f5bf0c1609700983e8f1d6524a08b8803e8ddc232f0e3ea698c418a22fa

SHA512
8e77519a85bd91b63826ba7f11e0c81db3ecf4f64e57f1faa906bf7875b6d9c6f118c23370a0f906bc2d4ad80e7df1349d6e0792aaaa63f2a828fb6a7cce69f1

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
1.2MB

MD5
9641d743154f61dbda44b5ff2e496663

SHA1
bf1873e285ea5f9a3ef1cd0fcaf1bc4e58cd0caa

SHA256
7bf51f5bf0c1609700983e8f1d6524a08b8803e8ddc232f0e3ea698c418a22fa

SHA512
8e77519a85bd91b63826ba7f11e0c81db3ecf4f64e57f1faa906bf7875b6d9c6f118c23370a0f906bc2d4ad80e7df1349d6e0792aaaa63f2a828fb6a7cce69f1

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
1.2MB

MD5
9641d743154f61dbda44b5ff2e496663

SHA1
bf1873e285ea5f9a3ef1cd0fcaf1bc4e58cd0caa

SHA256
7bf51f5bf0c1609700983e8f1d6524a08b8803e8ddc232f0e3ea698c418a22fa

SHA512
8e77519a85bd91b63826ba7f11e0c81db3ecf4f64e57f1faa906bf7875b6d9c6f118c23370a0f906bc2d4ad80e7df1349d6e0792aaaa63f2a828fb6a7cce69f1

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
1.2MB

MD5
df172b419d0bd2a9a472aa6b21a46811

SHA1
cc1fb27dfe7882b12f4511ade8511d92509c16d9

SHA256
cc59a3a3ddf44ee64136faa2e43edd6d589dcc980c47a204a8d99cee45b2c7af

SHA512
e171452e74c23dbe21300ebb92af6b979001c5e03f8d98b97020e3b1290eb7d5566da2637ce2510f23b2deadde1113703b2f55fb5c7efc57b330d5a57e25f6a2

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
1.2MB

MD5
9641d743154f61dbda44b5ff2e496663

SHA1
bf1873e285ea5f9a3ef1cd0fcaf1bc4e58cd0caa

SHA256
7bf51f5bf0c1609700983e8f1d6524a08b8803e8ddc232f0e3ea698c418a22fa

SHA512
8e77519a85bd91b63826ba7f11e0c81db3ecf4f64e57f1faa906bf7875b6d9c6f118c23370a0f906bc2d4ad80e7df1349d6e0792aaaa63f2a828fb6a7cce69f1

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
1.2MB

MD5
df172b419d0bd2a9a472aa6b21a46811

SHA1
cc1fb27dfe7882b12f4511ade8511d92509c16d9

SHA256
cc59a3a3ddf44ee64136faa2e43edd6d589dcc980c47a204a8d99cee45b2c7af

SHA512
e171452e74c23dbe21300ebb92af6b979001c5e03f8d98b97020e3b1290eb7d5566da2637ce2510f23b2deadde1113703b2f55fb5c7efc57b330d5a57e25f6a2

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
1.2MB

MD5
bb419ecc85bf5401a57901699cdcbdbb

SHA1
a745fe2f8064248812c8b5ea44c7694a0890bfd3

SHA256
5fdb354dcb449cf4d53980dcf8e778a25e0daad16f30579d5ea79e405ed82fd5

SHA512
192cfc455ceaf2297034307ec259ef3a916a50f096b60017df5883b682a8aeaa97c60debb0d6a83b12e0db51617cd46b4d3840cffa75ae7b327c25cee821d736

Download Submit
memory/1916-44-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/1916-58-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/1916-64-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/1916-62-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/1916-60-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/1916-56-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/1916-54-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/1916-52-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/1916-40-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/1916-50-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/1916-42-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/1916-46-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3928-36-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4008-37-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4064-38-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4064-4-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4064-34-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4064-15-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4064-0-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-55-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-59-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-51-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-41-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-49-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-57-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-47-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-53-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-35-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-61-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-43-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-63-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-45-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4356-65-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download