f12bf1acd8cc8f9c4397be6836104bcea66e5f9f9caaf3d3a0b63e5751aa7b99

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\neas.f1d8af84a0692c2b41a3f1781accf580.exe = "c:\\users\\admin\\appdata\\local\\temp\\neas.f1d8af84a0692c2b41a3f1781accf580.exe:*:Enabled:SMPN"	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe"	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe"	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe"	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe"	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe"	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe"	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\x:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\v:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\u:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\t:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\q:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\h:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\e:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\y:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\w:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\r:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\l:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\i:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\g:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\s:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\p:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\n:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\m:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\z:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\o:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\k:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened (read-only)	\??\j:	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\regedit.exe	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	\??\c:\windows\wdfmgr.exe	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened for modification	\??\c:\windows\wdfmgr.exe	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File created	\??\c:\windows\regedit2.exe	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File created	\??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\AdobeLoader.scr	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File created	\??\c:\windows\Start Menu\Programs\Startup\AdobeLoader.scr	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened for modification	\??\c:\windows\mui\rctfd.sys	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened for modification	\??\c:\windows\msrpc.exe	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File created	\??\c:\windows\lsassv.exe	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened for modification	\??\c:\windows\lsassv.exe	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File created	\??\c:\windows\msrpc.exe	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File created	\??\c:\windows\calc.exe	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened for modification	\??\c:\windows\calc.exe	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
File opened for modification	\??\c:\windows\regedit2.exe	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\ThisEXE = "c:\\users\\admin\\appdata\\local\\temp\\neas.f1d8af84a0692c2b41a3f1781accf580.exe"	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\VerProg = "157"	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2836	NEAS.f1d8af84a0692c2b41a3f1781accf580.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.f1d8af84a0692c2b41a3f1781accf580.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f1d8af84a0692c2b41a3f1781accf580.exe"
1⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Sets service image path in registry
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

4

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery